Mailinglist Archive: opensuse-security (192 mails)

Re: [suse-security] IPChains
  • From: Fred Mobach <fred@xxxxxxxxx>
  • Date: Sat, 27 May 2000 16:08:59 +0200
  • Message-id: <392FD6FB.8BC0B193@xxxxxxxxx>
Gerhard Sittig wrote:

> But looking at all the ICMP packet types one should at least
> block the redirect ones. And besides "dest unreach", "param
> prob", "source quench" and "time exceeded" everything else seems
> luxurious to pass through. The "unreach" could be filtered even
> more for its subtypes. And *if* you have to enable echo reqs and
> replies, you better block icmp to the network and broadcast
> addresses (remember smurf, tfn and the other DoSes?). To further
> protect against attacks, one would wish for a feature like
> FreeBSD's icmp bandwidth limiting -- is there something similar
> for Linux?

Yes, traffic shaping. Documentation can be found in the kernel source
tree.

Have a nice read.

Fred
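
The ICMP policy outlined in the quoted message, written out as a packet classifier. This is an added example, not code from the thread or from ipchains. The function names, the `ACCEPT`/`DENY` labels, the IPv4-only scope and the 192.0.2.0/24 sample network are assumptions, and it applies the network/broadcast check to every ICMP type, which is one reading of the quoted text.

```python
import ipaddress

# ICMP type numbers from RFC 792
ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, REDIRECT = 0, 3, 4, 5
ECHO_REQUEST, TIME_EXCEEDED, PARAM_PROBLEM = 8, 11, 12

ERROR_TYPES = {DEST_UNREACH, SOURCE_QUENCH, TIME_EXCEEDED, PARAM_PROBLEM}
ECHO_TYPES = {ECHO_REQUEST, ECHO_REPLY}


def directed_addresses(local_nets):
    """Network and broadcast address of each local subnet."""
    # Assumption: the limited broadcast address is treated the same way.
    addrs = {ipaddress.ip_address("255.255.255.255")}
    for net in map(ipaddress.ip_network, local_nets):
        if net.prefixlen <= 30:  # /31 and /32 have no such addresses
            addrs.update((net.network_address, net.broadcast_address))
    return addrs


def icmp_verdict(icmp_type, dst, local_nets, allow_echo=True):
    """Return (verdict, reason) for one inbound ICMP packet."""
    if ipaddress.ip_address(dst) in directed_addresses(local_nets):
        return "DENY", "ICMP to network/broadcast address"
    if icmp_type == REDIRECT:
        return "DENY", "redirect"
    if icmp_type in ERROR_TYPES:
        return "ACCEPT", "error message"
    if icmp_type in ECHO_TYPES and allow_echo:
        return "ACCEPT", "echo explicitly enabled"
    return "DENY", "type not needed"


# Constructed sample traffic: (ICMP type, destination address)
LOCAL_NETS = ["192.0.2.0/24"]
SAMPLES = [(8, "192.0.2.10"), (8, "192.0.2.255"), (5, "192.0.2.10"),
           (3, "192.0.2.10"), (13, "192.0.2.10")]

if __name__ == "__main__":
    for icmp_type, dst in SAMPLES:
        verdict, reason = icmp_verdict(icmp_type, dst, LOCAL_NETS)
        print(f"type {icmp_type:2} -> {dst:14} {verdict:6} ({reason})")
```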
