27 May 2000 14:08
Gerhard Sittig wrote:
> But looking at all the ICMP packet types one should at least block the redirect ones. And besides "dest unreach", "param prob", "source quench" and "time exceeded" everything else seems luxurious to pass through. The "unreach" could be filtered even more for its subtypes. And *if* you have to enable echo reqs and replies, you better block icmp to the network and broadcast addresses (remember smurf, tfn and the other DoSes?). To further protect against attacks, one would wish for a feature like FreeBSD's icmp bandwidth limiting -- is there something similar for Linux?
Yes, traffic shaping. Documentation can be found in the kernel source tree. Have a nice read.

Fred
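The ICMP policy Gerhard sketches above, written out as an added example that is not part of either mail. It uses iptables (the netfilter tool that replaced the ipchains of the 2000-era kernels): redirects are dropped, the four error types he lists are passed with destination-unreachable narrowed to a few subtypes, echo requests to the network and directed-broadcast addresses are refused, echo is rate-limited with the netfilter `limit` match rather than the traffic-shaping route Fred points to, and everything else is dropped. The closest Linux counterpart to FreeBSD's ICMP bandwidth limiting is the kernel's own `icmp_ratelimit`/`icmp_ratemask` sysctls, which throttle the ICMP errors the host itself sends. The LAN addresses (192.0.2.0/24, a documentation range), the rate values and the use of the INPUT chain are assumptions; the functions print the commands so the policy can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example (not from the original thread): ICMP filtering policy as iptables rules.
# Assumptions: LAN is 192.0.2.0/24, rules go in the INPUT chain, iptables has the
# icmp, limit and addrtype matches. Values are illustrative, not tuned for any site.

LAN_NET="${LAN_NET:-192.0.2.0}"        # network address (assumed)
LAN_BCAST="${LAN_BCAST:-192.0.2.255}"  # directed broadcast address (assumed)
ECHO_RATE="${ECHO_RATE:-10/second}"    # sustained echo rate to accept
ECHO_BURST="${ECHO_BURST:-20}"         # burst allowance before the rate applies

# Emit the rules in evaluation order; nothing is applied here.
icmp_rules() {
    # 1. Redirects are never needed from outside; drop them first.
    echo "iptables -A INPUT -p icmp --icmp-type redirect -j DROP"

    # 2. "dest unreach", filtered further by subtype: keep the codes that
    #    path-MTU discovery and ordinary connection errors depend on,
    #    then drop the remaining type-3 codes.
    for t in fragmentation-needed host-unreachable port-unreachable network-unreachable; do
        echo "iptables -A INPUT -p icmp --icmp-type $t -j ACCEPT"
    done
    echo "iptables -A INPUT -p icmp --icmp-type destination-unreachable -j DROP"

    # 3. The other error types the mail lists pass through unchanged.
    for t in parameter-problem source-quench time-exceeded; do
        echo "iptables -A INPUT -p icmp --icmp-type $t -j ACCEPT"
    done

    # 4. Echo to the network and broadcast addresses is smurf amplification bait.
    for d in "$LAN_NET" "$LAN_BCAST"; do
        echo "iptables -A INPUT -p icmp --icmp-type echo-request -d $d -j DROP"
    done
    echo "iptables -A INPUT -p icmp -m addrtype --dst-type BROADCAST -j DROP"

    # 5. Echo request/reply are allowed, but rate-limited with the limit match.
    for t in echo-request echo-reply; do
        echo "iptables -A INPUT -p icmp --icmp-type $t -m limit --limit $ECHO_RATE --limit-burst $ECHO_BURST -j ACCEPT"
    done

    # 6. Everything else ("luxurious") is dropped.
    echo "iptables -A INPUT -p icmp -j DROP"
}

# Kernel-side knobs: ignore broadcast pings outright, and throttle the ICMP
# errors this host generates (ratemask 6168 = 0x1818 covers destination
# unreachable, source quench, time exceeded and parameter problem).
icmp_sysctls() {
    echo "sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1"
    echo "sysctl -w net.ipv4.icmp_ratelimit=1000"
    echo "sysctl -w net.ipv4.icmp_ratemask=6168"
}

# Number of firewall rules the policy produces (handy for a sanity check).
icmp_rule_count() {
    icmp_rules | grep -c .
}

# Apply for real (needs root); any failing command aborts the rest.
apply_icmp_rules() {
    { icmp_sysctls; icmp_rules; } | sh -e
}

case "${1:-}" in
    apply) apply_icmp_rules ;;
    *)     icmp_sysctls; icmp_rules ;;   # default: just show the policy
esac
```

Run it with no arguments to review the generated commands, or with `apply` as root to load them. The order matters: the redirect drop and the broadcast drops sit before the rate-limited ACCEPTs, and the catch-all DROP is last, so a type that is not explicitly allowed never reaches an ACCEPT rule.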