On Tue, Jan 02, 2001 at 09:28:35AM +1030, Ben Nagy wrote:
> Inbound - all unreachables (type 3)
> Outbound - packet-too-big (3/4, from memory?)
Both Types are in and outbound, especially the second one. You do not
need all types of Type 3, all the net subtypes are ignored most of the time,
anyway:
#define ICMP_ECHOREPLY 0 /* Echo Reply */
Needed if you want to allow ping, so you can allow that for trusted peers
outgoing and incoming for all to allow them to ping the internet
#define ICMP_DEST_UNREACH 3 /* Destination Unreachable */
Some Sub Types are needed in and out, see below
#define ICMP_SOURCE_QUENCH 4 /* Source Quench */
Allow it outbound anyway, inbound is less likely to be a problem, unless you
are doing some streaming or multicast feeding to the internet.
#define ICMP_REDIRECT 5 /* Redirect (change route) */
block!
#define ICMP_ECHO 8 /* Echo Request */
you might allow it incoming for trusted addresses (note some NICs will
require you to make your primary DNS Server pingable!)
#define ICMP_TIME_EXCEEDED 11 /* Time Exceeded */
helpful if you allow it incoming, could allow exploring your network if you
allow it outbound.
#define ICMP_PARAMETERPROB 12 /* Parameter Problem */
helpful if you allow it incoming, could allow exploring your network if you
allow it outbound.
#define ICMP_TIMESTAMP 13 /* Timestamp Request */
#define ICMP_TIMESTAMPREPLY 14 /* Timestamp Reply */
#define ICMP_INFO_REQUEST 15 /* Information Request */
#define ICMP_INFO_REPLY 16 /* Information Reply */
#define ICMP_ADDRESS 17 /* Address Mask Request */
#define ICMP_ADDRESSREPLY 18 /* Address Mask Reply */
Block those on the external interface
/* Codes for UNREACH. */
#define ICMP_NET_UNREACH 0 /* Network Unreachable */
ignored, so block it
#define ICMP_HOST_UNREACH 1 /* Host Unreachable */
allow it at least inbound, best would be if you can do that stateful
#define ICMP_PROT_UNREACH 2 /* Protocol Unreachable */
you can block that
#define ICMP_PORT_UNREACH 3 /* Port Unreachable */
you should allow that at least inbound. Be aware that some filter rules
should send PORT_UNREACH on connection request (at least 137,139 and auth),
so make sure not to block those ICMP packets which are generated by your
reject rule.
#define ICMP_FRAG_NEEDED 4 /* Fragmentation Needed/DF set */
Allow it in, and possibly out if you have different MTUs inside your
network.
#define ICMP_SR_FAILED 5 /* Source Route failed */
Not strictly needed. Nobody should assume SR works anywhere, anyway.
#define ICMP_NET_UNKNOWN 6
block, it's ignored
#define ICMP_HOST_UNKNOWN 7
allow it at least inbound.
#define ICMP_HOST_ISOLATED 8
block.
#define ICMP_NET_ANO 9
#define ICMP_HOST_ANO 10
those are the new types returned by ipfilters. You may let them pass in and
out.
#define ICMP_NET_UNR_TOS 11
#define ICMP_HOST_UNR_TOS 12
block
#define ICMP_PKT_FILTERED 13 /* Packet filtered */
block, deprecated
#define ICMP_PREC_VIOLATION 14 /* Precedence violation */
#define ICMP_PREC_CUTOFF 15 /* Precedence cut off */
block.
Greetings
Bernd
--
(OO) -- [EMAIL PROTECTED] --
( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
o--o *plush* 2048/93600EFD eckes@irc +497257930613 BE5-RIPE
(O____O) When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
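Added example (not from Bernd's mail, nor any firewall product's rule syntax): the per-type/code advice above written as a default-deny lookup over a parsed ICMP header, with the RFC 792 checksum verified before anything is looked up. The "in"/"out" direction names, the `trusted` flag standing in for "trusted peer/address", and the exact table entries are this example's own assumptions.

```python
import struct

ICMP_ECHOREPLY, ICMP_ECHO = 0, 8

# (type, code) -> directions allowed on the external interface; code None
# matches any code. Entries absent here are blocked (default deny): types 5,
# 13-18 and unreachable codes 0, 2, 5, 6, 8, 11-15 all fall through to block.
ALLOW = {
    (3, 1): {"in"},            # host unreachable
    (3, 3): {"in"},            # port unreachable (also from your own reject rules)
    (3, 4): {"in", "out"},     # fragmentation needed / DF set (PMTU discovery)
    (3, 7): {"in"},            # host unknown
    (3, 9): {"in", "out"},     # net administratively prohibited (ipfilter)
    (3, 10): {"in", "out"},    # host administratively prohibited (ipfilter)
    (4, None): {"out"},        # source quench
    (11, None): {"in"},        # time exceeded: inbound only
    (12, None): {"in"},        # parameter problem: inbound only
}

def icmp_checksum(data: bytes) -> int:
    """RFC 792 ones-complement checksum; evaluates to 0 over an intact packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4) -> bytes:
    """Construct a minimal ICMP message with a valid checksum (sample input)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(body)) + rest

def decide(direction: str, packet: bytes, trusted: bool = False) -> str:
    """Return 'allow' or 'block' for one ICMP packet. 'trusted' says whether the
    remote address is a trusted peer. Malformed packets never reach the table."""
    if direction not in ("in", "out") or len(packet) < 8:
        return "block"
    if icmp_checksum(packet) != 0:
        return "block"                       # damaged or forged header
    icmp_type, code = packet[0], packet[1]
    if icmp_type == ICMP_ECHO:               # request: out freely, in from trusted only
        return "allow" if direction == "out" or trusted else "block"
    if icmp_type == ICMP_ECHOREPLY:          # reply: in freely, out to trusted only
        return "allow" if direction == "in" or trusted else "block"
    allowed = ALLOW.get((icmp_type, code)) or ALLOW.get((icmp_type, None), set())
    return "allow" if direction in allowed else "block"
```

Note that PORT_UNREACH (3/3) is allowed inbound here so that replies to your own reject rules are not silently dropped, as the mail warns.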