[Gllug] ipchains/smtp acceptance from Demon

home at alexhudson.com
Fri Aug 17 13:55:17 UTC 2001


On Fri, Aug 17, 2001 at 02:17:04PM +0100, tet at accucard.com wrote:
> >Accept -p icmp. There's no reason in the world to block any of icmp, you
> >just end up breaking things.
> 
> Debatable. Blocking ICMP redirects that originate from outside your
> network is probably a valid thing to do. 

I accept that, but to be honest, if you understand why you might want to
block them you'll ignore my advice anyway. ICMP blocking is usually stupid
though, because you end up breaking things subtly (Amazon stopped people
masqing behind DSL accessing their site a while ago, because they killed
fragmentation ICMP info). It works 'mostly', except sometimes things
strangely don't work. Like not accepting tcp for nameserver lookups..

> tools. Not that I've been battling against a BNOFH who blocks ICMP
> everywhere over the past few weeks or anything...

Idiot ;)

Cheers,

Alex.

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
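
The policy discussed in this message, as an added example that is not part of the original post: accept ICMP, including the "fragmentation needed" messages that path MTU discovery relies on, and deny only redirects that arrive from outside the network. The function names, the `from_outside` flag and the sample packets are constructed for illustration.

```python
import struct

# ICMP numbers from RFC 792; the next-hop MTU field is defined in RFC 1191.
DEST_UNREACH, REDIRECT = 3, 5
FRAG_NEEDED = 4  # code for "fragmentation needed and DF set"

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Build a constructed ICMP message with a valid checksum (sample data only)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def decide(msg: bytes, from_outside: bool) -> tuple[str, str]:
    """Return (verdict, reason) for one ICMP message.

    from_outside is an assumption of this example: True when the packet
    arrived on the external interface.
    """
    # A valid message checksums to zero when its own checksum field is included.
    if len(msg) < 8 or checksum(msg) != 0:
        return "DENY", "malformed ICMP"
    icmp_type, code = msg[0], msg[1]
    if icmp_type == REDIRECT and from_outside:
        return "DENY", "redirect originating outside the network"
    if icmp_type == DEST_UNREACH and code == FRAG_NEEDED:
        # Dropping this message is what silently breaks path MTU discovery.
        mtu = struct.unpack("!H", msg[6:8])[0]
        return "ACCEPT", f"fragmentation needed, next-hop MTU {mtu}"
    return "ACCEPT", "ordinary ICMP"

# Constructed sample messages (not captured traffic).
SAMPLES = {
    "frag": build(DEST_UNREACH, FRAG_NEEDED, struct.pack("!HH", 0, 1492)),
    "redirect": build(REDIRECT, 1, bytes([192, 0, 2, 1])),
    "echo": build(8, 0, struct.pack("!HH", 0x1234, 1), b"ping"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, decide(msg, from_outside=True))
```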