
Re: nft newbie



On Tue, Jul 12, 2022 at 08:00:42PM +0000, Marco wrote:
> Am Tue, 12 Jul 2022 21:17:40 +0200
> schrieb <tomas@tuxteam.de>:
> 
> > That looks like a sensible strategy to me.
> 
> It isn't at all, completely blocking incoming ICMP is a very stupid
> idea.

I didn't get that "blocking incoming ICMP" part. Just the "DROP instead
of REJECT" part. Blame it on missing incoming coffee.

If it was there, I agree with you: especially blocking the incoming
"fragmentation required" ICMP will cause you lots of grief [1] if you
are behind something with a smaller MTU (cf. path MTU discovery, the
next Wikipedia shop in your quarters carries that).

Cheers

[1] I've seen symptoms like: you ssh into a box, everything seems fine,
   until you do the first `ls -al'. Then the connection hangs. You start
   to believe in ghosts until you understand the underlying mechanism.
-- 
t
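Added example, not part of the thread above and not written by either poster: an nftables ruleset for a host with a default-drop input chain, showing the "block all incoming ICMP" mistake discussed above next to a version that lets path MTU discovery work. Names (`filter`, the SSH port, the chain layout) are assumptions for illustration. One caveat worth knowing: with connection tracking, `ct state related accept` already admits ICMP errors (including "fragmentation needed") that belong to a tracked flow, so the classic way to break PMTUD is a blanket `icmp drop` placed before that rule, or no conntrack rule at all; the explicit ICMP accept below also covers error messages that conntrack cannot tie to a flow and keeps ICMPv6 neighbour discovery alive.

```nft
#!/usr/sbin/nft -f
# Load with: nft -f this-file.nft   (flushes the existing ruleset first)
flush ruleset

# --- Broken: ICMP dropped before anything else ---------------------------
# Kept as a comment so the file loads only the corrected table. Any ICMP
# "destination unreachable / fragmentation needed" from a router with a
# smaller MTU dies on the first line, so the TCP stack never learns to
# shrink its segments. Small packets (the SSH handshake) fit; the first
# full-size segment (`ls -al` output) is silently black-holed.
#
# table inet filter {
#     chain input {
#         type filter hook input priority 0; policy drop;
#         ip protocol icmp drop
#         meta l4proto ipv6-icmp drop
#         ct state established,related accept
#         iif lo accept
#         tcp dport 22 accept
#     }
# }

# --- Corrected -----------------------------------------------------------
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Errors for tracked flows (incl. frag-needed / packet-too-big)
        # are classified RELATED by conntrack and accepted here.
        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # IPv4: destination-unreachable covers code 4 "fragmentation
        # needed", which PMTUD depends on. time-exceeded and
        # parameter-problem keep traceroute and error reporting working;
        # echo-request keeps ping working.
        icmp type {
            destination-unreachable, time-exceeded,
            parameter-problem, echo-request
        } accept

        # IPv6: packet-too-big is mandatory (IPv6 routers never fragment),
        # and neighbour discovery is ICMPv6 too, so dropping it all
        # breaks even link-local connectivity.
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request,
            nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert
        } accept

        tcp dport 22 accept

        # The DROP-vs-REJECT point from the thread: rejecting tells a
        # legitimate client immediately instead of making it time out.
        reject with icmpx type port-unreachable
    }
}
```

If the box also forwards traffic, the same ICMP accept lines belong in the forward chain; a router that swallows "fragmentation needed" breaks PMTUD for everything behind it, not just for itself.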
