On Tue, Apr 10, 2001 at 09:59:52AM +1200, Simon Murcott wrote:
> One thing that I forgot to mention in my previous post is that it is vitally
> important that you block all ICMP traffic to/from your broadcast and network
> addresses. This stops you and machines you route from being broadcast
> amplifiers.
But you certainly don't need a firewall to do that. See
/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
It's also worth looking at /proc/sys/net/ipv4/icmp_echoreply_rate and
/proc/sys/net/ipv4/icmp_destunreach_rate to rate-limit the destination
unreachable and echo reply packets you'll send out. Rate limiting those
ICMP types will further protect you from involvement in DoS attacks.
noah
--
_______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
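A small POSIX shell audit of the sysctls named above, added here as an example and not code from the thread. It assumes a directory of sysctl files (default /proc/sys/net/ipv4) and also checks icmp_ratelimit, which replaced the per-type *_rate files from 2.4 kernels onward; the root can be pointed at a constructed directory for offline testing.

```shell
#!/bin/sh
# Audit the ICMP hardening knobs from the post. ROOT defaults to
# /proc/sys/net/ipv4 but may be any directory of sysctl-style files.

# read_sysctl ROOT NAME: prints the value, or "missing" if the file is absent
read_sysctl() {
    if [ -r "$1/$2" ]; then
        cat "$1/$2"
    else
        echo missing
    fi
}

# audit_icmp [ROOT]: returns 0 when broadcast echo is ignored and some ICMP
# rate limiting is in effect, 1 otherwise. Findings are printed to stdout.
audit_icmp() {
    root="${1:-/proc/sys/net/ipv4}"
    rc=0
    bc=$(read_sysctl "$root" icmp_echo_ignore_broadcasts)
    if [ "$bc" = "1" ]; then
        echo "OK   icmp_echo_ignore_broadcasts=1 (host ignores broadcast pings)"
    else
        echo "WARN icmp_echo_ignore_broadcasts=$bc (host could be a broadcast amplifier)"
        rc=1
    fi
    # 2.2-era kernels used per-type *_rate files; 2.4+ kernels replaced them
    # with icmp_ratelimit (ms between packets) and icmp_ratemask (type bitmask).
    limited=0
    for f in icmp_echoreply_rate icmp_destunreach_rate icmp_ratelimit; do
        v=$(read_sysctl "$root" "$f")
        if [ "$v" != "missing" ] && [ "$v" != "0" ]; then
            limited=1
            echo "OK   $f=$v"
        fi
    done
    if [ "$limited" = "1" ]; then
        echo "OK   ICMP reply rate limiting is in effect"
    else
        echo "WARN no ICMP rate limit found (echo-reply/dest-unreach floods possible)"
        rc=1
    fi
    return $rc
}
```

Run `audit_icmp` with no argument on a live host to check the real /proc values; a non-zero exit means at least one of the two protections is off.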