Re: [tlug] Iptables trouble
- Date: Thu, 11 Jan 2018 17:48:15 +0900
- From: Curt Sampson <cjs@example.com>
- Subject: Re: [tlug] Iptables trouble
- References: <1515641488.1593636.1231426376.22933952@webmail.messagingengine.com> <51769e5d2c0d71307721671dfd355554@jp.sometwo.net>
- User-agent: NeoMutt/20170113 (1.7.2)
On 2018-01-11 13:49 +0900 (Thu), Furkan Mustafa wrote:

> About your configuration, I noticed that you only allowed some tcp
> connections, which leaves out icmp and udp connections. It should be
> okay if that's your intention. But pings probably won't work unless
> you allow them.

ICMP is more than just pings. For example, anybody doing path MTU detection will be setting the "don't fragment" bit on their packets, asking any routers that can't forward the packet because it's too large to drop it and send back an ICMP destination unreachable message. Needless to say, if you configure your routers to block these ICMP messages, you've effectively blocked access to systems behind your router on networks with lower MTUs than your outside interface.

In general, you always want to allow ICMP messages through your firewalls unless you really know what you're doing.

cjs
--
Curt J. Sampson <cjs@example.com> +81 90 7737 2974
To iterate is human, to recurse divine. - L Peter Deutsch
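As an added illustration of the point above (this is not code from the thread or its participants): a small Python check that walks the INPUT chain of an iptables-save dump in rule order and reports whether an inbound ICMP type 3 code 4 "fragmentation needed" message would be accepted, dropped, or fall through to the chain policy. The rulesets at the bottom are constructed for the example; treating jumps to user-defined chains as non-terminal is a simplifying assumption of this check.

```python
"""Static check: does an iptables INPUT chain let inbound ICMP type 3 code 4
(fragmentation-needed) through, so Path MTU discovery keeps working?
First terminal match wins; jumps to user-defined chains are ignored (assumption)."""

FRAG_NEEDED = {"fragmentation-needed", "destination-unreachable", "3", "3/4"}

def parse_chain(dump, chain="INPUT"):
    """Return (policy, list of rule token lists) for one chain of the dump."""
    policy, rules = None, []
    for line in dump.splitlines():
        if line.startswith(f":{chain} "):
            policy = line.split()[1]
        elif line.startswith(f"-A {chain} "):
            rules.append(line.split()[2:])
    return policy, rules

def matches_frag_needed(tok):
    """True if the rule can match an ICMP frag-needed packet from the network."""
    proto = ctstate = icmp_type = None
    for i, t in enumerate(tok):
        if t in ("-p", "--protocol"):
            proto = tok[i + 1]
        elif t == "--icmp-type":
            icmp_type = tok[i + 1]
        elif t == "--ctstate":
            ctstate = tok[i + 1].split(",")
        elif (t == "-i" and tok[i + 1] == "lo") or t in ("--dport", "--sport"):
            return False           # loopback-only rule, or a port match (never ICMP)
    if proto not in (None, "all", "icmp") or (icmp_type and icmp_type not in FRAG_NEEDED):
        return False
    # conntrack classifies ICMP errors belonging to a tracked flow as RELATED
    return ctstate is None or "RELATED" in ctstate

def pmtud_verdict(dump, chain="INPUT"):
    """Target of the first matching terminal rule, else the chain policy."""
    policy, rules = parse_chain(dump, chain)
    for tok in rules:
        if matches_frag_needed(tok) and "-j" in tok:
            target = tok[tok.index("-j") + 1]
            if target in ("ACCEPT", "DROP", "REJECT"):
                return target
    return policy

# Constructed rulesets: a "some tcp only" filter like the one discussed, and the
# same filter with the PMTUD error messages admitted before the DROP policy.
TCP_ONLY = """:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT"""
WITH_ICMP_ERRORS = TCP_ONLY + "\n-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT"
```

Run `pmtud_verdict(TCP_ONLY)` to see the silent DROP that breaks connections from lower-MTU networks, and `pmtud_verdict(WITH_ICMP_ERRORS)` for the corrected chain.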
- References:
- [tlug] Iptables trouble
- From: David J Iannucci
- Re: [tlug] Iptables trouble
- From: Furkan Mustafa