On 08/04/08 14:45, Martin Toft wrote:
> On Tue, Apr 08, 2008 at 03:10:47PM +0200, Martin Toft wrote:
> > On Tue, Apr 08, 2008 at 09:27:49AM +0100, Ian Chard wrote:
> > [snip]
> > > Is there any other way of blocking IP proto 0 packets?
> > You could use a default-deny/drop rule set, i.e. only allow the stuff
> > you need (probably inet and inet6).
>
> Hmm, it looks like IP-in-IP packets are blocked by default. See
> sysctl(3) about net.inet.ipip.allow.

Ah, good news indeed!  Many thanks, I never would have spotted that.

Cheers
- Ian

--
Ian Chard, Senior Unix and Network Gorilla | E: [EMAIL PROTECTED]
Systems and Electronic Resources Service   | T:  80587 / (01865) 280587
Oxford University Library Services         | F:          (01865) 242287
