Tim Bishopric wrote:
> This log shows that Ipchains is rejecting outbound loopback (lo) traffic with
> a source IP of 127.0.0.1 and a destination of 127.0.0.1. Protocol 1 is ICMP
> (see /etc/services) and I think type 3 reports "destination unreachable." If
> you block ICMP, you will have problems with DNS, timeouts, etc.
>
> More info:
> http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html#2
It is definitely not wise to block ICMP unreachables, source-quench,
parameter-problem and time-exceeded. But it is wise to block ICMP redirect,
timestamp-(req|reply), info-(req|reply) and address-(req|reply). The only
exception is that if you can trust a router then it MAY be ok to accept
redirects from it. I leave pings up to your discretion :p

I usually recommend blocking all ICMP except for:

 0 echo reply (ping reply)
 3 destination unreachable
 4 source quench
 8 echo request (ping)
11 time exceeded
12 parameter problem

This stuff is all diagnostics, the rest has questionable use (even on internal
networks).

Regards
Simon Murcott
e. [EMAIL PROTECTED]
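Added example, not code from either poster: a small Python check that parses ipchains "Packet log:" lines, decodes the ICMP type and code that ipchains prints in the source/destination port positions for PROTO=1, and flags any DENY/REJECT of one of the six diagnostic types listed above. The log lines are constructed to match the kernel's ipchains log format and the loopback case Tim describes; ALLOWED_ICMP_TYPES and the function names are this example's own.

```python
import re

# ICMP types the reply above recommends leaving open (diagnostics only).
ALLOWED_ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 4: "source quench",
                      8: "echo request", 11: "time exceeded", 12: "parameter problem"}

# ipchains kernel log format: "Packet log: <chain> <target> <iface> PROTO=<n> src:sport dst:dport ..."
# For PROTO=1 (ICMP) ipchains puts the ICMP type where the source port would be
# and the ICMP code where the destination port would be.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_ipchains_line(line):
    """Return a dict of the parsed fields, or None if the line is not an ipchains log entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("proto", "sport", "dport"):
        rec[k] = int(rec[k])
    if rec["proto"] == 1:  # ICMP: reinterpret the port columns as type/code
        rec["icmp_type"], rec["icmp_code"] = rec["sport"], rec["dport"]
    return rec

def review_denied_icmp(lines):
    """Flag DENY/REJECT entries for ICMP types the recommended policy says should pass."""
    findings = []
    for line in lines:
        rec = parse_ipchains_line(line)
        if rec is None or rec["proto"] != 1 or rec["target"] not in ("DENY", "REJECT"):
            continue
        t = rec["icmp_type"]
        if t in ALLOWED_ICMP_TYPES:
            findings.append((rec["chain"], rec["iface"], rec["src"], rec["dst"], t, ALLOWED_ICMP_TYPES[t]))
    return findings

# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = [
    "Jan  1 12:00:00 host kernel: Packet log: output REJECT lo PROTO=1 127.0.0.1:3 127.0.0.1:3 L=576 S=0x00 I=0 F=0x0000 T=64 (#5)",
    "Jan  1 12:00:01 host kernel: Packet log: input DENY eth0 PROTO=1 10.0.0.9:13 10.0.0.1:0 L=40 S=0x00 I=100 F=0x0000 T=128 (#9)",
    "Jan  1 12:00:02 host kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.9:1024 10.0.0.1:53 L=60 S=0x00 I=17 F=0x0000 T=254 (#15)",
]

if __name__ == "__main__":
    for f in review_denied_icmp(SAMPLE_LOG):
        print("chain=%s iface=%s %s -> %s dropped ICMP type %d (%s): policy says allow" % f)
```

Only the loopback type 3 drop is reported; the type 13 (timestamp request) drop is consistent with the policy and the UDP line is ignored.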