How Stateful Inspection Works
Source: Internet | Author: unknown | Published: 2002-04-24
 
  

  #define ICMP_DEST_UNREACH 3 /* Destination Unreachable */
  
  Some subtypes (codes) are needed both inbound and outbound; see below.
  
  #define ICMP_SOURCE_QUENCH 4 /* Source Quench */
  
  Allow it outbound anyway; inbound is less likely to be a problem, unless you are doing some streaming or multicast feeding to the Internet.
  
  #define ICMP_REDIRECT 5 /* Redirect (change route) */
  
  Block!
  
  #define ICMP_ECHO 8 /* Echo Request */
  
  You might allow it incoming for trusted addresses (note that some NICs will require you to make your primary DNS server pingable!).
  
  #define ICMP_TIME_EXCEEDED 11 /* Time Exceeded */
  
  Helpful if you allow it incoming; could allow exploring your network if you allow it outbound.
  
  #define ICMP_PARAMETERPROB 12 /* Parameter Problem */
  
  Helpful if you allow it incoming; could allow exploring your network if you allow it outbound.
  
  #define ICMP_TIMESTAMP 13 /* Timestamp Request */
  #define ICMP_TIMESTAMPREPLY 14 /* Timestamp Reply */
  #define ICMP_INFO_REQUEST 15 /* Information Request */
  #define ICMP_INFO_REPLY 16 /* Information Reply */
  #define ICMP_ADDRESS 17 /* Address Mask Request */
  #define ICMP_ADDRESSREPLY 18 /* Address Mask Reply */
  
  Block those on the external interface.
  
  /* Codes for UNREACH. */
  #define ICMP_NET_UNREACH 0 /* Network Unreachable */
  
  Ignored, so block it.
  
  #define ICMP_HOST_UNREACH 1 /* Host Unreachable */
  
  Allow it at least inbound; best would be if you can do that statefully.
  
  #define ICMP_PROT_UNREACH 2 /* Protocol Unreachable */

  You can block that.
  
  #define ICMP_PORT_UNREACH 3 /* Port Unreachable */
  
  You should allow that at least inbound. Be aware that some filter rules should send PORT_UNREACH on connection requests (at least 137, 139 and auth), so make sure not to block those ICMP packets which are generated by your reject rule.
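
  Handling HOST_UNREACH and PORT_UNREACH statefully, as recommended above, means accepting an inbound error only when the packet it quotes (an ICMP error carries the offending IP header plus the first 8 bytes of its payload) belongs to a flow the firewall already let out. The C code below is an added example, not part of the original article; the `flow` table, the function names `accept_inbound_unreach` and `demo`, and the sample addresses and ports are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ICMP_DEST_UNREACH 3
#define ICMP_HOST_UNREACH 1
#define ICMP_PORT_UNREACH 3

/* Hypothetical state-table entry: one flow this firewall let out. */
struct flow { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; };
/* Constructed table: TCP 192.0.2.10:40000 -> 198.51.100.7:80 */
static const struct flow table[] = { { 0xC000020Au, 0xC6336407u, 40000, 80, 6 } };

static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* icmp = start of the ICMP header of an inbound packet. 1 = accept, 0 = drop. */
int accept_inbound_unreach(const uint8_t *icmp, size_t len) {
    if (len < 8 + 20 + 8 || icmp[0] != ICMP_DEST_UNREACH) return 0;
    if (icmp[1] != ICMP_HOST_UNREACH && icmp[1] != ICMP_PORT_UNREACH) return 0;
    const uint8_t *ip = icmp + 8;        /* quoted header of the offending packet */
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 8 + ihl + 8) return 0;
    const uint8_t *l4 = ip + ihl;        /* first 8 payload bytes: the ports */
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        const struct flow *f = &table[i];
        if (ip[9] == f->proto && be32(ip + 12) == f->src && be32(ip + 16) == f->dst &&
            be16(l4) == f->sport && be16(l4 + 2) == f->dport)
            return 1;                    /* error refers to a flow we know */
    }
    return 0;                            /* unsolicited or forged: drop */
}

/* Builds a constructed 36-byte ICMP error quoting a TCP segment and filters it. */
int demo(uint8_t code, uint16_t quoted_sport, size_t len) {
    uint8_t p[36] = { ICMP_DEST_UNREACH, code, 0, 0, 0, 0, 0, 0, /* ICMP header */
        0x45, 0, 0, 40, 0, 1, 0x40, 0, 64, 6, 0, 0,              /* quoted IPv4 header */
        192, 0, 2, 10, 198, 51, 100, 7,                           /* quoted src, dst */
        0, 0, 0, 80, 0, 0, 0, 0 };                                /* sport, dport, seq */
    p[28] = (uint8_t)(quoted_sport >> 8);
    p[29] = (uint8_t)quoted_sport;
    return accept_inbound_unreach(p, len);
}

int main(void) {
    printf("related=%d forged=%d net_unreach=%d\n",
           demo(3, 40000, 36), demo(3, 40001, 36), demo(0, 40000, 36));
    return 0;
}
```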

 