Hessu,
It's my understanding that iptables should accept such a reply as
ESTABLISHED or RELATED. I'll have to research.
This does not consider those who EXPLICITLY block ICMP as a top rule (or
drop them in the RAW table), as you more closely described in your email.
...this is one advantage to setting up a DROP/REJECT-by-default iptables
configuration.
Also, it prevents any errors in rules or their order from allowing a
packet to go the opposite of a "blackhole..." i.e. actually navigate
through the iptables chains to arrive at the unsecured LAN.
73,
- Lynwood
KB3VWG
So, please do not block all of ICMP; ICMP Unreachable messages (type 3)
should be permitted, especially on a network like ours.
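An added example, not from this thread or either author, of what the two points above look like in practice: a DROP-by-default ruleset that still admits ICMP Unreachable (type 3) replies, beside the "blanket ICMP drop as the top rule" variant, with a small lint that tells them apart. Port 22 is a placeholder service; the ruleset is in iptables-restore format.

```shell
#!/bin/sh
# Added example (not the thread's own rules): fail-closed iptables ruleset in
# iptables-restore format, plus a lint for the blanket-ICMP-drop mistake.

# Policy DROP, so a misordered rule fails closed instead of leaking to the LAN.
# RELATED,ESTABLISHED admits conntrack-matched ICMP errors; the explicit
# type-3 accept covers errors about flows conntrack does not know.
good_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp --icmp-type destination-unreachable -j ACCEPT
COMMIT
EOF
}

# The mistake discussed above: all ICMP dropped ahead of the conntrack
# accept, so Unreachables for live flows never reach it.
bad_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -p icmp -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Reads a ruleset on stdin; exit 0 (found) if some chain has a blanket
# "-p icmp" DROP/REJECT (no --icmp-type) before that chain's
# RELATED,ESTABLISHED accept, else exit 1.
icmp_blocked_before_conntrack() {
    awk '
    /^-A / {
        chain = $2
        if ($0 ~ /-p icmp/ && $0 !~ /--icmp-type/ &&
            $0 ~ /-j (DROP|REJECT)/ && !(chain in ok)) bad = 1
        if ($0 ~ /RELATED,ESTABLISHED/ && $0 ~ /-j ACCEPT/) ok[chain] = 1
    }
    END { exit bad ? 0 : 1 }'
}
```

Load it from a root shell with `good_ruleset | iptables-restore`; `iptables-restore --test` only parses the ruleset without committing it, which is a cheap way to catch syntax slips first.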