> > Personally I suggest allowing the following ICMP types:
> > 0 Echo Reply
> > 3 Destination Unreachable
> > 11 Time Exceeded
> > 12 Parameter Problem
0 is optional but useful, 11 can be used for certain kinds of DoS attack
against some hosts.
> > and dropping the rest (you must allow ICMP type 3).
>
> Why must type 3 be allowed?
It makes it possible to use TCP. Path MTU discovery requires Destination
Unreachable.
> Wouldn't it make it harder to do portscans and similar things, if one drops all
> outgoing "Destination Unreachable" packets?
Far more productive is to fake connection accepts on all other ports 8)
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
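The allowlist the thread settles on (Echo Reply 0, Destination Unreachable 3, Time Exceeded 11, Parameter Problem 12, drop the rest) can be checked against raw ICMP messages before it is turned into firewall rules. The following is an added example, not code from the original message or from the linux-net list; the function names (`filter_icmp`, `icmp_checksum`, `build_icmp`), the two policy flags for the optional types 0 and 11, and the sample messages are all constructed for this illustration.

```python
import struct

# Allowlist stated in the thread: Echo Reply (0), Destination Unreachable (3),
# Time Exceeded (11), Parameter Problem (12).  Everything else is dropped.
ALLOWED_TYPES = {
    0: "echo-reply",
    3: "destination-unreachable",
    11: "time-exceeded",
    12: "parameter-problem",
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message.

    Over a message whose checksum field is already filled in, the result is 0.
    """
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4,
               payload: bytes = b"") -> bytes:
    """Build a well-formed ICMP message (used here only to construct sample input)."""
    body = rest + payload
    csum = icmp_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body


def filter_icmp(packet: bytes, allow_echo_reply: bool = True,
                allow_time_exceeded: bool = True) -> tuple:
    """Classify one raw ICMP message as ('accept', reason) or ('drop', reason).

    The two flags mirror the thread's caveats: type 0 is optional, and type 11
    is sometimes dropped because of its DoS history against some hosts.
    """
    if len(packet) < 8:
        return ("drop", "truncated header (%d bytes)" % len(packet))
    if icmp_checksum(packet) != 0:
        return ("drop", "bad checksum")
    icmp_type, code = struct.unpack("!BB", packet[:2])
    if icmp_type not in ALLOWED_TYPES:
        return ("drop", "type %d not in allowlist" % icmp_type)
    if icmp_type == 0 and not allow_echo_reply:
        return ("drop", "echo-reply disabled by policy")
    if icmp_type == 11 and not allow_time_exceeded:
        return ("drop", "time-exceeded disabled by policy")
    name = ALLOWED_TYPES[icmp_type]
    if icmp_type == 3 and code == 4:
        # "Fragmentation needed and DF set": the message Path MTU discovery
        # depends on; the next-hop MTU sits in header bytes 6-7 (RFC 1191).
        (mtu,) = struct.unpack("!H", packet[6:8])
        return ("accept", "%s code 4, next-hop MTU %d" % (name, mtu))
    return ("accept", "%s code %d" % (name, code))


# Constructed sample messages (not captured traffic).
SAMPLES = {
    "echo_reply": build_icmp(0, 0, rest=b"\x12\x34\x00\x01", payload=b"ping"),
    "frag_needed": build_icmp(3, 4, rest=b"\x00\x00" + struct.pack("!H", 1400),
                              payload=b"\x45" * 28),
    "ttl_exceeded": build_icmp(11, 0, payload=b"\x45" * 28),
    "echo_request": build_icmp(8, 0, rest=b"\x12\x34\x00\x01", payload=b"ping"),
    # type byte rewritten after the checksum was computed, so it no longer verifies
    "corrupt": bytes([8]) + build_icmp(3, 4)[1:],
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        verdict, reason = filter_icmp(pkt)
        print("%-13s %-6s %s" % (label, verdict, reason))
```

The checksum is verified before the type is consulted, so a message whose header was altered in flight is dropped regardless of what type it claims. The special case for type 3 code 4 pulls out the next-hop MTU, which is the value a sender needs from that message for Path MTU discovery to work.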