MaD dUCK
ipchains -A output -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A output -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A output -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A output -p icmp --icmp-type parameter-problem -j ACCEPT
ipchains -A output -p icmp --icmp-type echo-request -j ACCEPT
and repeat that all for the input chain.
You _can_ repeat that for the input chain, but you _should_ restrict incoming echo-requests:

ipchains -A input -p icmp --icmp-type echo-request -s $INTERNAL_NET -j ACCEPT

where $INTERNAL_NET is your internal network. For an answer to echo-requests from a host in your internal network to your packet-filtering firewall you also need

ipchains -A output -p icmp --icmp-type echo-reply -j ACCEPT

Martin
--
martin.peikert@innominate.de
system engineer
innominate AG
clustering & security
networking people
tel: +49.30.308806-0 fax: -77
http://innominate.de
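
Added example (not part of the posts above): a shell check, run over a saved rule list, for the two points in Martin's reply: an input-chain echo-request ACCEPT with no source restriction, and a missing output-chain echo-reply rule. The function name audit_icmp_rules, the sample rules and the 192.168.1.0/24 network are constructed for illustration; it assumes rules in the plain form used in this thread and a default-deny policy on both chains.

```shell
#!/bin/sh
# Constructed sample rule list (not from the thread): the input chain copies
# the output rules unchanged, and no output echo-reply rule is present.
SAMPLE_RULES='ipchains -A input -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A input -p icmp --icmp-type echo-request -j ACCEPT
ipchains -A output -p icmp --icmp-type echo-request -j ACCEPT'

# audit_icmp_rules: read ipchains commands on stdin, print one finding per line.
# Prints nothing when both checks pass.
audit_icmp_rules() {
    awk '
    {
        chain = ""; proto = ""; type = ""; src = ""; target = ""
        # Pick out the option values we care about from each rule.
        for (i = 1; i <= NF; i++) {
            if ($i == "-A") chain = $(i + 1)
            else if ($i == "-p") proto = $(i + 1)
            else if ($i == "--icmp-type") type = $(i + 1)
            else if ($i == "-s" || $i == "--source") src = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
        }
        if (proto != "icmp" || target != "ACCEPT") next

        if (chain == "input" && type == "echo-request") {
            ping_in = 1
            # No source, or a match-everything source, means anyone can ping.
            if (src == "" || src == "0/0" || src == "0.0.0.0/0")
                print "line " NR ": input echo-request accepted from any source"
        }
        if (chain == "output" && type == "echo-reply") reply_out = 1
    }
    END {
        # Pings are let in but the answers would be dropped on the way out.
        if (ping_in && !reply_out)
            print "missing: output echo-reply ACCEPT rule, pings get no answer"
    }'
}

# Show the findings for the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | audit_icmp_rules
```
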