[Openswan Users] RDP from internal NET to VPN client fails, and some other strangness..

Paul Wouters paul at xelerance.com
Mon Nov 20 12:19:42 EST 2006


On Mon, 20 Nov 2006, dashnu wrote:


> Still no luck. I have done the following things.

that's correct:

> Input:
> # ICMP
> $IPT -N icmp-traffic
> $IPT -A icmp-traffic -p icmp --fragment -j DROP
> $IPT -A icmp-traffic -p icmp --icmp-type echo-reply -m limit \
> --limit 1/s -j ACCEPT
> $IPT -A icmp-traffic -p icmp --icmp-type echo-request -m limit \
> --limit 1/s -j ACCEPT
> $IPT -A icmp-traffic -p icmp --icmp-type time-exceeded -m limit \
> --limit 1/s -j ACCEPT
> $IPT -A icmp-traffic -p icmp --icmp-type fragmentation-needed -m limit \
> --limit 1/s -j ACCEPT
> $IPT -A icmp-traffic -p icmp -j DROP

http://www.znep.com/~marcs/mtu/

> Limit should keep me out of trouble as far DOS attacks go.. and I would
> imagine this limit would not interrupt regular use.

It won't help you against DOS attacks. Sure, on DOS attacks using ICMP. But
any other DOS attack still hits you.

Don't filter ICMP. Especially not when you have your /proc settings to
disable all source routing and redirection icmps anyway.

Paul
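As an added illustration of the point made above (example code, not from the thread or from Openswan): a small audit over a constructed copy of the quoted icmp-traffic chain, reporting how each ICMP error message that path MTU discovery and error reporting depend on is treated by the first matching rule. The rule text, the `REQUIRED_ERRORS` list and the `audit` helper are assumptions of this example.

```python
import shlex

# Constructed copy of the icmp-traffic chain quoted in the thread.
QUOTED_CHAIN = """
$IPT -N icmp-traffic
$IPT -A icmp-traffic -p icmp --fragment -j DROP
$IPT -A icmp-traffic -p icmp --icmp-type echo-reply -m limit --limit 1/s -j ACCEPT
$IPT -A icmp-traffic -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPT -A icmp-traffic -p icmp --icmp-type time-exceeded -m limit --limit 1/s -j ACCEPT
$IPT -A icmp-traffic -p icmp --icmp-type fragmentation-needed -m limit --limit 1/s -j ACCEPT
$IPT -A icmp-traffic -p icmp -j DROP
"""

# Constructed alternative in the spirit of "don't filter ICMP": pass it through.
OPEN_CHAIN = "$IPT -A icmp-traffic -p icmp -j ACCEPT"

# ICMP error messages a host must see unthrottled: fragmentation-needed drives
# path MTU discovery; the others report unreachable hosts, expired TTLs and
# malformed headers. fragmentation-needed is type 3 code 4, so an iptables
# rule for destination-unreachable (all of type 3) matches it as well.
REQUIRED_ERRORS = ("fragmentation-needed", "destination-unreachable",
                   "time-exceeded", "parameter-problem")
PARENT_TYPE = {"fragmentation-needed": "destination-unreachable"}


def parse_rules(text):
    """Yield (icmp_type, rate_limited, target) for each '-A ... -p icmp' rule in
    chain order; icmp_type is None for a catch-all rule. --fragment rules are
    skipped because they match only second and later fragments, not whole messages."""
    rules = []
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        if "-A" not in argv or "icmp" not in argv or "--fragment" in argv:
            continue
        icmp_type = argv[argv.index("--icmp-type") + 1] if "--icmp-type" in argv else None
        rules.append((icmp_type, "limit" in argv, argv[argv.index("-j") + 1]))
    return rules


def audit(text):
    """Map each required ICMP error type to the verdict of its first matching rule."""
    verdicts = {}
    for wanted in REQUIRED_ERRORS:
        verdict = "unmatched"  # no rule: the chain's policy decides
        for icmp_type, limited, target in parse_rules(text):
            if icmp_type in (wanted, PARENT_TYPE.get(wanted), None):
                if target != "ACCEPT":
                    verdict = "dropped"
                else:  # messages beyond the limit are silently lost
                    verdict = "rate-limited" if limited else "accepted"
                break
        verdicts[wanted] = verdict
    return verdicts
```

On the quoted chain the audit shows fragmentation-needed and time-exceeded throttled to the limit and the remaining error types falling through to the final DROP; on the open chain every type is accepted.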

