 From:  Frederick Page <fpage at thebetteros dot oche dot de>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Beta 1.2b2
 Date:  Mon, 25 Oct 2004 17:27:26 +0200
Hello Manuel,

Manuel Kasper wrote on 24 October 2004:

>- ICMP type matching for filter rules

Very nice indeed ;-)

On my previous Linux router/gateway I rejected unwanted

TCP  with tcp-reset
UDP  with icmp-admin-prohibited
ICMP with icmp-admin-prohibited

As stated on firewall_rules.php I can only reject UDP or TCP packets.
Instead of simply dropping e.g. ICMP-redirect, wouldn't it be better
netizen karma, if I correctly said "rejected, admin has prohibited
this"? Please don't feel picked upon for me being a bean-counter ;)

And yes: I know some broken IP-implementations cannot handle RFC
complying "icmp-admin-prohibited", but do we really care about those
broken and standard-defying products?

Kind regards and thanks for the great work with m0n0wall, especially
1.2b2 really got my hypes up.

Another small feedback to 1.2b2 (first release): works like a charm
for 24h non-stop by now (heavy P2P traffic with many, many
connections). 1.1 still tended to choke a bit with many connections,
the improved time-outs and 30.000 state entries really pay off. I
haven't downloaded the second 1.2b2 release, because I'm not affected
by the "dial-on-demand" bug and don't need to save anything in WAN