ICMP types to allow

lst_hoe01 at kwsoft.de
Thu Dec 22 09:50:57 CET 2005


Quoting René Pfeiffer <lynx at luchs.at>:

> On Dec 21, 2005 at 1336 -0500, Derick Anderson appeared and said:
>>
>> After reading the ICMP state machine section of the Netfilter tutorial
>> [http://iptables-tutorial.frozentux.net/iptables-tutorial.html#ICMPCONNECTIONS]
>> it appears that ICMP traffic related to existing TCP and UDP
>> connections falls under the RELATED,ESTABLISHED rules.
>
> This is true. However, you need some inbound ICMP in order to support
> things like Path MTU discovery. I often allow the inbound ICMP message types
> time-exceeded, destination-unreachable and parameter-problem. This
> covers messages that deal with packet fragmentation. You might want to
> disallow some of the destination-unreachable messages.

As far as I know, path MTU discovery works by setting up the connection
with DF set and raising the packet size until an ICMP error comes back.
This case is covered fine by the RELATED stuff. Time-exceeded and
destination-unreachable are also only valid as a reply to some IP traffic.
So, as the tutorial describes, there are only 4 types which could be really new:
"Echo request, Timestamp request, Information request and finally
Address mask request". For me only the first one makes sense to allow.
All the really critical stuff can be handled by the ICMP state machine.

Regards

Andreas
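The point Andreas makes above, that ICMP errors are only ever a reply to traffic the host itself sent and are therefore matched as RELATED, comes down to conntrack parsing the IP header quoted inside the error and looking it up in its table. The following is an added example, not code from the list posters or from netfilter, that models that lookup in a simplified way and then applies the policy discussed in the thread (RELATED,ESTABLISHED accepted, echo-request explicitly accepted, everything else dropped). The addresses, ports and the conntrack set are constructed for the example; the packet layouts follow RFC 792 and RFC 1191.

```python
"""Simplified model of how conntrack classifies inbound ICMP (example code,
not netfilter's implementation)."""
import socket
import struct
from dataclasses import dataclass

# ICMP message types from RFC 792 that matter for the policy in the thread.
DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED, PARAM_PROBLEM = 3, 8, 11, 12
TIMESTAMP_REQUEST, INFO_REQUEST, ADDR_MASK_REQUEST = 13, 15, 17
ERROR_TYPES = {DEST_UNREACH, TIME_EXCEEDED, PARAM_PROBLEM}
FRAG_NEEDED = 4  # destination-unreachable code used by path MTU discovery


@dataclass(frozen=True)
class Flow:
    """5-tuple in the original (outbound) direction, as conntrack stores it."""
    proto: int  # 6 = TCP, 17 = UDP
    src: str
    sport: int
    dst: str
    dport: int


def ipv4_header(src, dst, proto):
    """Minimal 20-byte IPv4 header (constructed; checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0x4000, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def icmp_error(icmp_type, code, provoking_flow, mtu=0):
    """ICMP error quoting the IP header plus first 8 bytes of the packet that
    provoked it. For type 3 code 4 the last 16 bits of the 'unused' field carry
    the next-hop MTU (RFC 1191); that is how PMTU discovery learns the size."""
    inner = ipv4_header(provoking_flow.src, provoking_flow.dst, provoking_flow.proto)
    inner += struct.pack("!HHI", provoking_flow.sport, provoking_flow.dport, 0)
    return struct.pack("!BBHHH", icmp_type, code, 0, 0, mtu) + inner


def icmp_request(icmp_type, ident=1, seq=1):
    """Header of a request-style ICMP message (echo, timestamp, info, mask)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)


def quoted_flow(pkt):
    """Recover the original 5-tuple from the IP header quoted in an ICMP error."""
    inner = pkt[8:]
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return Flow(proto, src, sport, dst, dport)


def next_hop_mtu(pkt):
    """Next-hop MTU from a fragmentation-needed error, else None."""
    if pkt[0] == DEST_UNREACH and pkt[1] == FRAG_NEEDED:
        return struct.unpack("!H", pkt[6:8])[0]
    return None


def classify(pkt, conntrack):
    """Assign the conntrack state an inbound ICMP packet would get, then apply
    the ruleset the thread describes:
        -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
        -P INPUT DROP
    Returns (state, verdict)."""
    itype = pkt[0]
    if itype in ERROR_TYPES:
        # Conntrack looks up the quoted packet; if this host sent it, the
        # error is RELATED to that flow. An error about a flow we never had
        # is INVALID and falls through to the DROP policy.
        if quoted_flow(pkt) in conntrack:
            return "RELATED", "ACCEPT"
        return "INVALID", "DROP"
    if itype == ECHO_REQUEST:
        return "NEW", "ACCEPT"  # the one genuinely new type the reply allows
    # Timestamp, information and address-mask requests are also NEW, but no
    # rule accepts them, so the chain policy drops them.
    return "NEW", "DROP"


if __name__ == "__main__":
    # Constructed conntrack table: one outbound HTTPS connection from this host.
    table = {Flow(6, "192.0.2.10", 40000, "198.51.100.5", 443)}
    pmtu = icmp_error(DEST_UNREACH, FRAG_NEEDED, next(iter(table)), mtu=1400)
    print(classify(pmtu, table), next_hop_mtu(pmtu))
    print(classify(icmp_request(ECHO_REQUEST), table))
    print(classify(icmp_request(ADDR_MASK_REQUEST), table))
```

The ruleset quoted in the docstring is the whole point: because the error types are matched by the quoted flow rather than by ICMP type, the only type that needs its own rule is echo-request, and a fragmentation-needed message for a flow the host never opened is dropped as INVALID rather than accepted.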
