Quoting Brandon High <[EMAIL PROTECTED]>:

> I'm currently allowing ICMP to and from ports 0, 3 and 8. I'm just
> afraid that I'm breaking a few RFCs doing this.
One point of confusion to be aware of is that ICMP does not use ports. It has types and codes.

Yes, there is some ICMP that you do NOT want. Pings (0 and 8) I recommend you decide on; I prefer to have them, but most MS weenies hate them ;) Also, time-exceeded (11) is used by traceroute. Unreachables (3), source-quench (4) and parameter-problem (12) are very important for anything connected to the net. There is some very detailed information available on the net as to why you need these, so I won't go into it here :p

Everything else I recommend you deny, especially the network discovery types. The only exception is that sometimes your ISP's router will send redirects to other shared networks, so you may want to accept redirects (5) ONLY FROM YOUR ISP's ROUTER. It is very important not to blindly accept redirects.

Have a look at /usr/include/netinet/ip_icmp.h for a starting point.

Regards
Simon Murcott
e. [EMAIL PROTECTED]
m. +6421 304555
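As an added illustration (not code from the thread), the filtering policy described in the reply above expressed as a C decision function over the ICMP type field: the type numbers are the ones from netinet/ip_icmp.h, redirects are matched against an assumed ISP-router address, and the sample message bytes are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* ICMP type numbers, as listed in <netinet/ip_icmp.h>; declared here so the
 * example does not depend on the BSD vs. Linux spelling of the ICMP_* macros. */
enum {
    T_ECHOREPLY = 0, T_UNREACH = 3, T_SOURCEQUENCH = 4, T_REDIRECT = 5,
    T_ECHO = 8, T_ROUTERADVERT = 9, T_ROUTERSOLICIT = 10,
    T_TIMXCEED = 11, T_PARAMPROB = 12, T_MASKREQ = 17, T_MASKREPLY = 18
};

enum verdict { DENY = 0, ACCEPT = 1 };

/* Policy from the post: echo (0/8), unreachable (3), source quench (4),
 * time exceeded (11) and parameter problem (12) are accepted from anyone;
 * a redirect (5) is accepted only when it comes from the ISP's router;
 * everything else, including the router/address-mask discovery types,
 * is denied.  src and isp_router are IPv4 addresses packed as uint32_t. */
enum verdict icmp_verdict(uint8_t type, uint32_t src, uint32_t isp_router)
{
    switch (type) {
    case T_ECHOREPLY: case T_ECHO:
    case T_UNREACH:   case T_SOURCEQUENCH:
    case T_TIMXCEED:  case T_PARAMPROB:
        return ACCEPT;
    case T_REDIRECT:
        return src == isp_router ? ACCEPT : DENY;
    default:            /* 9, 10, 17, 18 and anything unknown */
        return DENY;
    }
}

/* Apply the policy to a raw ICMP message (the bytes following the IPv4
 * header; byte 0 is the type).  Returns -1 if the message is too short
 * to be a valid ICMP header, otherwise the verdict. */
int filter_icmp(const uint8_t *icmp, size_t len, uint32_t src, uint32_t isp_router)
{
    if (len < 8) return -1;          /* every ICMP header is at least 8 bytes */
    return (int)icmp_verdict(icmp[0], src, isp_router);
}

/* Constructed sample: an ICMP time-exceeded (type 11, code 0) header. */
const uint8_t sample_time_exceeded[8] = { 11, 0, 0xf4, 0xff, 0, 0, 0, 0 };
const uint32_t isp_router_addr = 0xC6336401u;   /* assumed: 198.51.100.1 */

int main(void)
{
    int v = filter_icmp(sample_time_exceeded, sizeof sample_time_exceeded,
                        0x0A000001u /* 10.0.0.1 */, isp_router_addr);
    printf("time-exceeded from 10.0.0.1: %s\n", v == ACCEPT ? "accept" : "deny");
    printf("redirect from 10.0.0.1: %s\n",
           icmp_verdict(T_REDIRECT, 0x0A000001u, isp_router_addr) == ACCEPT ? "accept" : "deny");
    return 0;
}
```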