> In article <20021128211347.D27234@flint.arm.linux.org.uk>,
> Russell King <rmk@arm.linux.org.uk> wrote:
> >On Thu, Nov 28, 2002 at 06:53:00PM +0200, Kai Henningsen wrote:
> >> >From two or three traceroutes, that problem seems to be at the SGI end.
> >> >I
> >> can't get to them either (nothing after the same IP as for you, at hop
> >> #17, some place at Genuity), but you are practically next door.
> >
> >Lesson #1 of firewalling: drop everything.
> >Lesson #2 of firewalling: only accept what you absolutely have to.
>
> Lesson#3 of firewalling: due to #1 and #2 most admins block
> ICMP_UNREACH_NEEDFRAG as well (ICMP == ping == bad) breaking
> path MTUd. http://alive.znep.com/~marcs/mtu/
Lesson #4 of firewalling: a friendly firewall will (unless there are
*specific* reasons to do otherwise) allow for ICMP_UNREACH_NEEDFRAG (and
some similar things), ping, and traceroute. That's how I usually set them
up. (ping == good)
MfG Kai
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/