I've changed the subject since I'm grabbing one minor point (of
concern to me) out of your larger message on constructing a bastion
host. 

"Chad C. Walstrom" <chewie at wookimus.net> writes:

> Other Configuration Needs:
>     o Use iptables to block all incoming TCP and UDP connections
>       except for:
>         - tcp port 25 (smtp)
>         - non-syn tcp packets (IOW, TCP replies from an established
>           connection to another machine)
>         - icmp ping-reply

That last point.  My own servers run exposed to the net, and I'm
running packet filtering on them as backup for simply disabling
services I don't want people reaching.

When constructing my rulesets, I wasn't sure what icmp messages I
wanted to allow in.  I ended up settling for allowing all icmp in,
based on some of the things I saw in the logs when I was more
selective.  

Are the various "unreachable" and "redirect" messages not useful?  And
are they particularly risky to allow through?

(And I definitely want to allow echo-request in; I want to be
pingable.) 
-- 
David Dyer-Bennet, dd-b at dd-b.net  /  Ghugle: the Fannish Ghod of Queries
        Book log: http://www.dd-b.net/dd-b/Ouroboros/booknotes/
                 Photos: http://dd-b.lighthunters.net/
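To make the selective-ICMP question concrete, here is an added example ruleset (written for this page, not code from either poster) for a bastion host of the kind Chad's list describes: all inbound TCP and UDP dropped except SMTP and packets belonging to connections the host itself opened; echo-request kept, rate-limited, so the box stays pingable; destination-unreachable, time-exceeded and parameter-problem admitted because they are the error feedback the TCP/UDP stacks rely on (fragmentation-needed, unreachable code 4, is what path-MTU discovery depends on); and redirect dropped, because a host that honours redirects lets anyone on its segment rewrite its routing table. The IPT and SYSCTL variables, the dry-run mode and the icmp_verdict helper are my own scaffolding so the policy can be printed and checked without root; the iptables options themselves are the standard ones.

```shell
#!/bin/sh
# Bastion-host INPUT ruleset with selective ICMP.  Added example for this
# thread, not code from either poster.  IPT and SYSCTL are hypothetical
# hooks so the rules can be printed (dry-run) instead of applied.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

# Inbound ICMP types we accept: stay pingable, keep the error feedback the
# stacks rely on (3 = unreachable incl. fragmentation-needed,
# 11 = time-exceeded, 12 = parameter-problem).
ICMP_ALLOW="echo-request echo-reply destination-unreachable time-exceeded parameter-problem"
# Inbound ICMP types we drop explicitly: redirect (5) can rewrite the host's
# routing table; router discovery (9/10) has no business on a server.
ICMP_DENY="redirect router-advertisement router-solicitation"

# What the ruleset does with an inbound ICMP type name (pure lookup, used
# to sanity-check the policy without touching the kernel).
icmp_verdict() {
    for t in $ICMP_DENY;  do [ "$t" = "$1" ] && { echo DROP;   return 0; }; done
    for t in $ICMP_ALLOW; do [ "$t" = "$1" ] && { echo ACCEPT; return 0; }; done
    echo DROP   # anything not listed hits the INPUT policy
}

bastion_rules() {
    # Belt and braces: even if a redirect got through, do not act on it.
    $SYSCTL -w net.ipv4.conf.all.accept_redirects=0
    $SYSCTL -w net.ipv4.conf.default.accept_redirects=0

    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT

    # Stateful version of the quoted "non-syn tcp packets" rule: replies to
    # connections this host opened, plus ICMP errors RELATED to them.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The one listening service: SMTP.  Only the opening SYN needs a rule.
    $IPT -A INPUT -p tcp --dport 25 --syn -j ACCEPT

    for t in $ICMP_DENY; do
        $IPT -A INPUT -p icmp --icmp-type "$t" -j DROP
    done

    # Pingable, but not floodable: rate-limit echo-request, drop the excess.
    $IPT -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit 5/s --limit-burst 20 -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP

    for t in $ICMP_ALLOW; do
        if [ "$t" != echo-request ]; then
            $IPT -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
        fi
    done

    # Everything else (other TCP SYNs, all UDP, remaining ICMP) falls to the
    # DROP policy; log a sample first so the decision can be revisited.
    $IPT -A INPUT -m limit --limit 1/s -j LOG --log-prefix "bastion-drop: "
}

case "${1:-dry-run}" in
    apply)   bastion_rules ;;
    dry-run) ( IPT="echo iptables"; SYSCTL="echo sysctl"; bastion_rules ) ;;
esac
```

Run it as root with `apply` to load the rules; with no argument it only prints them. The ESTABLISHED,RELATED match does the job of the quoted "non-syn tcp packets" rule and also admits the ICMP errors generated in response to this host's own traffic, which is the stateful way to get the useful unreachables without opening ICMP wholesale. The rate-limited LOG rule at the end gives a per-type picture of what is actually being dropped, so the allow list can be widened on evidence rather than guesswork.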