Subject: Re: Is my ipfilter list secure?
To: None <netbsd-users@netbsd.org>
From: Richard Grace <rgrace@aapt.com.au>
List: netbsd-users
Date: 04/26/2002 17:07:40
>>> Roger Fischer <roger@aileron.org> 26/04/2002 16:48:45 >>>
> I'm putting together a NetBSD box to replace my linux gateway.
[...]
> # Uncomment to allow others to ping/trace us
> # pass in quick on eth0 proto icmp from any to $myip icmp-type 0 # ping
> # pass in quick on eth0 proto icmp from any to $myip icmp-type 11 # Traceroute
> # Otherwise, block all icmp.
> block in log quick on eth0
You may wish to allow useful ICMP messages back in, which were not
"solicited" by an outgoing ICMP message (e.g., echo request/echo reply),
such as icmp-type 3 (destination unreachable, including need to frag)
and icmp-type 11 (time exceeded, in case of circular routes).
Otherwise, it looks pretty good.
Richard Grace
Unix Systems Administrator
AAPT Limited
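A ruleset along the lines Richard suggests, written out as an added example; it is not either poster's configuration. The external interface name fxp0 and the address 192.0.2.1 are assumptions (NetBSD names interfaces after their driver, so the eth0 in the quoted file is a Linux interface name). Every rule uses quick, so first match wins and the order shown matters:

```ipfilter
# /etc/ipf.conf fragment: added example, not the original poster's file.
# Assumptions: external interface fxp0, external address 192.0.2.1.

# Traffic this host originates; keep state so the replies are let back in.
pass out quick on fxp0 proto tcp from 192.0.2.1 to any flags S keep state
pass out quick on fxp0 proto udp from 192.0.2.1 to any keep state
pass out quick on fxp0 proto icmp from 192.0.2.1 to any icmp-type 8 keep state

# Unsolicited ICMP errors we still want even with ping blocked:
#   type 3   destination unreachable, including code 4 "fragmentation
#            needed", which path-MTU discovery depends on
#   type 11  time exceeded, sent by a router when the TTL reaches zero
pass in quick on fxp0 proto icmp from any to 192.0.2.1 icmp-type 3
pass in quick on fxp0 proto icmp from any to 192.0.2.1 icmp-type 11

# Uncomment to let others ping us. Type 8 is echo request; type 0 is the
# echo reply to a ping we sent ourselves, which keep state above covers.
# pass in quick on fxp0 proto icmp from any to 192.0.2.1 icmp-type 8

# Everything else inbound is dropped and logged.
block in log quick on fxp0
```

Before loading the file, `ipf -nf /etc/ipf.conf` parses it without changing the running kernel, which catches syntax slips such as a misplaced icmp-type clause; `ipf -Fa -f /etc/ipf.conf` then flushes the old rules and loads the new set.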