This might help...
http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/IPCHAINS-HOWTO.html#ICMP

Recommended reading:
Linux Firewalls
http://www.linux-firewall-tools.com/linux/

It covers your questions better than the how-to.

Chris Gahlon

David Dyer-Bennet wrote:
> 
> I've changed the subject since I'm grabbing one minor point (of
> concern to me) out of your larger message on constructing a bastion
> host.
> 
> "Chad C. Walstrom" <chewie at wookimus.net> writes:
> 
> > Other Configuration Needs:
> >     o Use iptables to block all incoming TCP and UDP connections
> >       except for:
> >         - tcp port 25 (smtp)
> >         - non-syn tcp packets (IOW, TCP replies from an established
> >           connection to another machine)
> >         - icmp ping-reply
> 
> That last point.  My own servers run exposed to the net, and I'm
> running packet filtering on them as backup for simply disabling
> services I don't want people reaching.
> 
> When constructing my rulesets, I wasn't sure what icmp messages I
> wanted to allow in.  I ended up settling for allowing all icmp in,
> based on some of the things I saw in the logs when I was more
> selective.
> 
> Are the various "unreachable" and "redirect" messages not useful?  And
> are they particularly risky to allow through?
> 
> (And I definitely want to allow echo-request in; I want to be
> pingable.)
> --
> David Dyer-Bennet, dd-b at dd-b.net  /  Ghugle: the Fannish Ghod of Queries
>         Book log: http://www.dd-b.net/dd-b/Ouroboros/booknotes/
>                  Photos: http://dd-b.lighthunters.net/
> _______________________________________________
> Twin Cities Linux Users Group Mailing List - Minneapolis/St. Paul, Minnesota
> http://www.mn-linux.org
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
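As an added example (not from this thread or either HOWTO), here is the quoted bastion-host policy written out as an iptables ruleset that answers the ICMP question with explicit types rather than "allow all icmp": echo-request/echo-reply so the host is pingable, destination-unreachable and time-exceeded because path-MTU discovery and traceroute depend on them, parameter-problem for the same reason, and redirect logged and dropped because a forged redirect can change this host's routing. It assumes the host offers only SMTP, that the kernel has connection tracking (`-m state`) so the "non-SYN TCP" rule becomes ESTABLISHED,RELATED, and by default it only prints the commands for review; set APPLY=1 and run as root to execute them.

```shell
#!/bin/sh
# Added example: bastion-host INPUT policy with selective ICMP.
# Assumptions (not from the post): the host serves SMTP only and has
# conntrack support. Prints the iptables commands unless APPLY=1.
IPT="iptables"
[ "${APPLY:-0}" = "1" ] || IPT="echo iptables"

bastion_ruleset() {
    # Default deny inbound and forwarded traffic; allow outbound and loopback.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT

    # "Non-SYN TCP packets" from the quoted list, done with state tracking:
    # replies to connections this host started, plus related ICMP errors.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The one offered service: new SMTP connections.
    $IPT -A INPUT -p tcp --dport 25 --syn -j ACCEPT

    # ICMP the host actually needs: be pingable, ping others, and keep
    # PMTU discovery and traceroute working.
    for t in echo-request echo-reply destination-unreachable \
             time-exceeded parameter-problem; do
        $IPT -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
    done

    # Redirects can rewrite the local routing table; log them, then drop.
    $IPT -A INPUT -p icmp --icmp-type redirect -j LOG --log-prefix "icmp-redirect: "
    $IPT -A INPUT -p icmp --icmp-type redirect -j DROP

    # Anything else is logged (rate-limited) and falls to the DROP policy,
    # which is where the "what did I block?" evidence for tuning comes from.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "input-drop: "
}

bastion_ruleset
```

Run it once without APPLY to read the generated rules; the log prefixes make it easy to see in syslog which ICMP types are being refused before deciding whether any of them deserve an ACCEPT line.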