On Tue, Apr 10, 2001 at 09:59:52AM +1200, Simon Murcott wrote:
> One thing that I forgot to mention in my previous post is that it is vitally
> important that you block all ICMP traffic to/from your broadcast and network
> addresses. This stops you and machines you route from being broadcast
> amplifiers.

But you certainly don't need a firewall to do that. See
/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

It's also worth looking at /proc/sys/net/ipv4/icmp_echoreply_rate and
/proc/sys/net/ipv4/icmp_destunreach_rate to rate-limit the destination
unreachable and echo reply packets you'll send out. Rate limiting those
ICMP types will further protect you from involvement in DoS attacks.

noah

-- 
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
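
A check for the three /proc settings named in the reply above, as an added example that is not part of the original message. The function name `audit_icmp` and its optional proc-root argument are hypothetical, and the script assumes each file holds a single integer and that a rate value of 0 means no limiting.

```shell
#!/bin/sh
# Audit the ICMP settings named in the message. Added example.
# Usage: audit_icmp [PROC_ROOT]
# PROC_ROOT defaults to /proc; it is a parameter so the check can also be
# pointed at a constructed directory tree.
# Returns the number of findings (0 = nothing to fix).

audit_icmp() {
    dir="${1:-/proc}/sys/net/ipv4"
    findings=0

    # name:rule pairs. eq1 = value must be 1; nonzero = value must be > 0
    # (assumption: 0 in a rate file means "no rate limiting").
    for entry in icmp_echo_ignore_broadcasts:eq1 \
                 icmp_echoreply_rate:nonzero \
                 icmp_destunreach_rate:nonzero; do
        name=${entry%%:*}
        rule=${entry##*:}
        file="$dir/$name"

        # Not every kernel exposes every one of these files.
        if [ ! -r "$file" ]; then
            echo "SKIP $name (not exposed by this kernel)"
            continue
        fi

        value=
        read -r value < "$file" || true
        case "$value" in
            ''|*[!0-9]*)
                echo "WARN $name unparsable value '$value'"
                findings=$((findings + 1))
                continue ;;
        esac

        case "$rule" in
            eq1)     [ "$value" -eq 1 ] && ok=1 || ok=0 ;;
            nonzero) [ "$value" -gt 0 ] && ok=1 || ok=0 ;;
        esac

        if [ "$ok" -eq 1 ]; then
            echo "OK   $name=$value"
        else
            echo "WARN $name=$value"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}
```

A `SKIP` line means the kernel does not provide that file under this name, so the setting has to be verified by other means.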