[Openswan Users] RDP from internal NET to VPN client fails, and some other strangness..

Paul Wouters paul at xelerance.com
Mon Nov 20 12:19:42 EST 2006

On Mon, 20 Nov 2006, dashnu wrote:

> Still no luck. I have done the following things.

that's correct:

> Input:
> # ICMP
> $IPT -N icmp-traffic
> $IPT -A icmp-traffic -p icmp --fragment -j DROP
> $IPT -A icmp-traffic -p icmp --icmp-type echo-reply -m limit \
> --limit 1/s -j ACCEPT
> $IPT -A icmp-traffic -p icmp --icmp-type echo-request -m limit \
> --limit 1/s -j ACCEPT
> $IPT -A icmp-traffic -p icmp --icmp-type time-exceeded -m limit \
> --limit 1/s -j ACCEPT
> $IPT -A icmp-traffic -p icmp --icmp-type fragmentation-needed -m limit \
> --limit 1/s -j ACCEPT
> $IPT -A icmp-traffic -p icmp -j DROP


> Limit should keep me out of trouble as far DOS attacks go.. and I would
> imagine this limit would not interrupt regular use.

It wont help you against DOS attacks. Sure, on DOS attacks using ICMP. But
any other DOS attack still hits you.

Don't filter ICMP. Especially not when your have your /proc settings to
disable all source courting and redirection icmps anyway.


More information about the Users mailing list