[Gllug] ipchains/smtp acceptance from Demon
sean at uncertainty.org.uk
Fri Aug 17 14:08:40 UTC 2001
On Fri, Aug 17, 2001 at 02:55:17PM +0100, home at alexhudson.com wrote:
> On Fri, Aug 17, 2001 at 02:17:04PM +0100, tet at accucard.com wrote:
> > >Accept -p icmp. There's no reason in the world to block any of icmp, you
> > >just end up breaking things.
> >
> > Debatable. Blocking ICMP redirects that originate from outside your
> > network is probably a valid thing to do.
>
> I accept that, but to be honest, if you understand why you might want to
> block them you'll ignore my advice anyway. ICMP blocking is usually stupid
> though, because you end up breaking things subtly (Amazon stopped people
> masqing behind DSL accessing their site a while ago, because they killed
> fragmentation ICMP info). It works 'mostly', except sometimes things
> strangely don't work. Like not accepting tcp for nameserver lookups..
>
I guess I'll accept all icmp (after removing ip spoofing) and leave it there
for now.
BTW, what about 'Ping of Death'?
Without doing much research, it looks like current kernels are not vulnerable,
but it doesn't encourage me to think icmp is entirely safe.
--
Sean
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug