I've changed the subject since I'm grabbing one minor point (of concern to me) out of your larger message on constructing a bastion host.

"Chad C. Walstrom" <chewie at wookimus.net> writes:

> Other Configuration Needs:
> o Use iptables to block all incoming TCP and UDP connections
>   except for:
>   - tcp port 25 (smtp)
>   - non-syn tcp packets (IOW, TCP replies from an established
>     connection to another machine)
>   - icmp ping-reply

That last point. My own servers run exposed to the net, and I'm running packet filtering on them as backup for simply disabling services I don't want people reaching. When constructing my rulesets, I wasn't sure what icmp messages I wanted to allow in. I ended up settling for allowing all icmp in, based on some of the things I saw in the logs when I was more selective.

Are the various "unreachable" and "redirect" messages not useful? And are they particularly risky to allow through? (And I definitely want to allow echo-request in; I want to be pingable.)

-- 
David Dyer-Bennet, dd-b at dd-b.net / Ghugle: the Fannish Ghod of Queries
Book log: http://www.dd-b.net/dd-b/Ouroboros/booknotes/
Photos: http://dd-b.lighthunters.net/
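The ruleset the quoted message describes (SMTP in, replies to the host's own connections, selective ICMP), written out as an added example rather than either poster's own configuration. It uses connection tracking in place of a literal "non-SYN" match, which also answers the ICMP question: error messages tied to a flow this host opened come in as RELATED, so only unsolicited ICMP needs an explicit decision. The IPT variable and the dry-run default are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the poster's ruleset. IPT defaults to a dry run that
# only prints the commands; run with IPT=iptables as root to load them.
IPT="${IPT:-echo iptables}"

bastion_rules() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT

    # Connection tracking replaces the "non-SYN TCP" test: ESTABLISHED covers
    # replies to flows this host opened (TCP, UDP and its own pings), and
    # RELATED covers ICMP errors that refer to one of those flows, e.g. a
    # destination-unreachable for a connection this host initiated.
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound mail: only new connections to port 25 are accepted.
    $IPT -A INPUT -p tcp --dport 25 --syn -j ACCEPT

    # Unsolicited ICMP the host still wants. echo-request keeps the box
    # pingable; the limit stops a ping flood from eating the CPU.
    $IPT -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit 10/second --limit-burst 20 -j ACCEPT
    # Error messages conntrack could not tie to a flow (fragmentation-needed
    # for path-MTU discovery, time-exceeded for traceroute replies).
    for t in destination-unreachable time-exceeded parameter-problem; do
        $IPT -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
    done
    # A redirect lets any sender on the net rewrite this host's routing
    # table; an exposed server has no reason to honour one, so log it (so
    # the attempts show up) and drop it explicitly.
    $IPT -A INPUT -p icmp --icmp-type redirect -j LOG --log-prefix "icmp-redirect: "
    $IPT -A INPUT -p icmp --icmp-type redirect -j DROP

    # Everything else, remaining ICMP types included, is logged and then
    # falls to the DROP policy.
    $IPT -A INPUT -j LOG --log-prefix "input-drop: "
}

bastion_rules
```

On the kernel side, `sysctl -w net.ipv4.conf.all.accept_redirects=0` stops the host from acting on a redirect even if a rule ever lets one through.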