13 Dec 2000 10:53
On Wed, Dec 13, 2000 at 11:27:22AM +0100, Oliver Hensel wrote:
Hi.
I think you have it backwards here: Firewalls should _always_ be configured as default DENY (or DROP with NetFilter), then open up those you really need and want.
Concerning ICMP, here is what I do with most of the firewalls I configured:
Outbound:
- echo-request (ping)

Inbound:
- echo-reply (pong)
- fragmentation-needed (for pmtu-discovery)
- source-quench (router is overloaded)
- time-exceeded
- parameter-problem

In addition I always accept destination-unreachable.

cu,
Hans Peter
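The policy described in the message above, written out as an added example that is not part of the original mail: a script that prints (but does not run) the iptables commands for default DROP plus the listed ICMP types. It assumes a single host filtering its own traffic on the INPUT and OUTPUT chains; the function names `icmp_policy` and `icmp_allowed` are hypothetical.

```shell
#!/bin/sh
# Added example: prints iptables commands for the ICMP policy in the mail.
# Assumption: one host filtering its own traffic (INPUT/OUTPUT chains).

# ICMP types, spelled as iptables' --icmp-type expects them.
# fragmentation-needed is a code of destination-unreachable, so the last
# inbound entry already covers it; it is kept to mirror the mail's list.
ICMP_OUT="echo-request"
ICMP_IN="echo-reply fragmentation-needed source-quench time-exceeded parameter-problem destination-unreachable"

# Emit the rule set: default deny first, then the explicit openings.
icmp_policy() {
    for chain in INPUT OUTPUT FORWARD; do
        echo "iptables -P $chain DROP"
    done
    for t in $ICMP_OUT; do
        echo "iptables -A OUTPUT -p icmp --icmp-type $t -j ACCEPT"
    done
    for t in $ICMP_IN; do
        echo "iptables -A INPUT -p icmp --icmp-type $t -j ACCEPT"
    done
}

# icmp_allowed <in|out> <type>: 0 if the policy accepts it, 1 if it falls
# through to the default DROP, 2 on a bad direction argument.
icmp_allowed() {
    case "$1" in
        in)  list=$ICMP_IN ;;
        out) list=$ICMP_OUT ;;
        *)   return 2 ;;
    esac
    for t in $list; do
        if [ "$t" = "$2" ]; then
            return 0
        fi
    done
    return 1
}

# "sh script.sh print" shows the commands for review before applying them.
if [ "${1:-}" = "print" ]; then
    icmp_policy
fi
```

With this policy the host can ping out and receive the replies, but an inbound echo-request matches no rule and is dropped by the default policy.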