So I finally decided to block various ICMP messages coming into my system. I'm
aware of what to block and what not, but I do have a question.
Considering a network like:

                                                     | machine 1
<internet> ---[ppp]--- <gateway/ppp box> ---[hub]----| machine 2
                                                     | machine 3
The firewall is sitting on the gateway box; and obviously machines 1|2|3
have it as their default gateway.
The question: do machines 1|2|3 need to receive the ICMP types
DEST_UNREACHABLE, SOURCE_QUENCH, etc.? Shouldn't the gateway box be the
only one that needs them? If I remember correctly, it's the gw box that
bounces those messages to machines 1|2|3; they never receive them directly
from the remote hosts.
So, would something like the following be appropriate?
ipchains -A input -p icmp -i ppp0 -d gw --icmp-type 3 -j ACCEPT   # one rule per type; ipchains takes a single type, not a list
ipchains -A input -p icmp -i ppp0 -d gw --icmp-type 4 -j ACCEPT
ipchains -A input -p icmp -i ppp0 -d gw --icmp-type 11 -j ACCEPT
ipchains -A input -p icmp -i ppp0 -d gw --icmp-type 12 -j ACCEPT
ipchains -A input -p icmp -i ppp0 -d my.net/24 --icmp-type 0 -j ACCEPT   # echo-reply for the LAN
ipchains -A input -p icmp -i ppp0 -j DENY   # everything else
??
G'day!
-- n i c h o l a s j l e o n
elegance through simplicity*http://mrnick.binary9.net*[EMAIL PROTECTED]
good fortune through truth*roaming:[EMAIL PROTECTED]*ICQ#2170994*U+($++)
TRA#6805*not all questions have answers*pseudogeek:P+++($++)L+($++)W=lm@b9
2.3x10e-53*
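Added illustration, not part of the original post: a small model of the proposed ppp0 input chain, with a check that matters for the question asked above. An ICMP error (destination-unreachable, time-exceeded, and so on) is addressed to the source of the packet that triggered it, so when machine 1 opens a connection through the gateway as a plain router (no masquerading assumed here), the error comes back addressed to machine 1, and a chain that only accepts error types for the gateway address would drop it. The addresses, the REVISED chain and the helper names are constructed for this example; ipchains itself is not run.

```python
"""Model of an ipchains-style ICMP policy on the gateway's ppp0 input chain.

Example code added to illustrate the post; addresses and chains are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional, Union

GW = ip_address("192.0.2.1")           # constructed stand-in for "gw" (ppp0 address)
LAN = ip_network("198.51.100.0/24")    # constructed stand-in for "my.net/24"
LAN_HOST = ip_address("198.51.100.7")  # constructed "machine 1"

ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH = 0, 3, 4
REDIRECT, ECHO_REQUEST, TIME_EXCEEDED, PARAM_PROBLEM = 5, 8, 11, 12
ERROR_TYPES = (DEST_UNREACH, SOURCE_QUENCH, TIME_EXCEEDED, PARAM_PROBLEM)


@dataclass(frozen=True)
class Rule:
    target: str                                  # "ACCEPT" or "DENY"
    dst: Optional[Union[IPv4Address, IPv4Network]]  # None matches any destination
    types: Optional[FrozenSet[int]]              # None matches any ICMP type

    def matches(self, dst: IPv4Address, icmp_type: int) -> bool:
        if isinstance(self.dst, IPv4Network) and dst not in self.dst:
            return False
        if isinstance(self.dst, IPv4Address) and dst != self.dst:
            return False
        return self.types is None or icmp_type in self.types


def decide(chain: List[Rule], dst: IPv4Address, icmp_type: int) -> str:
    """First-match evaluation, as ipchains does; assumed chain policy is DENY."""
    for rule in chain:
        if rule.matches(dst, icmp_type):
            return rule.target
    return "DENY"


def to_ipchains(chain: List[Rule]) -> List[str]:
    """Render one ipchains line per (rule, ICMP type), since a rule carries one type."""
    lines = []
    for rule in chain:
        dst = "" if rule.dst is None else f" -d {rule.dst}"
        for t in (sorted(rule.types) if rule.types else [None]):
            ty = "" if t is None else f" --icmp-type {t}"
            lines.append(f"ipchains -A input -p icmp -i ppp0{dst}{ty} -j {rule.target}")
    return lines


def dropped_error_types(chain: List[Rule], host: IPv4Address) -> List[int]:
    """Error types that would never reach `host` under `chain`."""
    return [t for t in ERROR_TYPES if decide(chain, host, t) != "ACCEPT"]


# The chain as proposed in the post: errors only for the gateway, echo-reply for the LAN.
PROPOSED = [
    Rule("ACCEPT", GW, frozenset(ERROR_TYPES)),
    Rule("ACCEPT", LAN, frozenset({ECHO_REPLY})),
    Rule("DENY", None, None),
]

# Constructed variant: errors may also reach LAN hosts, which are the senders that
# triggered them; redirects and echo-requests from ppp0 still fall through to DENY.
REVISED = [
    Rule("ACCEPT", GW, frozenset(ERROR_TYPES)),
    Rule("ACCEPT", LAN, frozenset({ECHO_REPLY, *ERROR_TYPES})),
    Rule("DENY", None, None),
]

if __name__ == "__main__":
    print("proposed chain drops for machine 1:", dropped_error_types(PROPOSED, LAN_HOST))
    print("revised chain drops for machine 1: ", dropped_error_types(REVISED, LAN_HOST))
    print("\n".join(to_ipchains(REVISED)))
```

Running the model shows the proposed chain silently discarding all four error types destined for machine 1 (including the fragmentation-needed case of type 3 used for path MTU discovery), while the revised chain passes them and still denies redirects and echo-requests arriving on ppp0.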