HP3000-L Archives

April 1995, Week 1

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Jeff Kell <[log in to unmask]>
Reply To: Jeff Kell <[log in to unmask]>
Date: Tue, 4 Apr 1995 01:59:42 EDT

On Mon, 3 Apr 1995 16:25:00 PDT Ken Sletten - Code 331A said:
>Jeff Kell after me after Chris Bartram and others:
>>>(1)  Expanding on one of Chris Bartram's suggestions to be
>>>       able to configure lists of allowed originating IP addresses:
>
>>This is inadequate.  I would like to propose something along the lines of
>>{permit|deny} {IP-address} {address-mask} [{tcp|udp|icmp} {<|=|>} {port}]
>>and a possibility to
>> {permit | deny} {IP-address} {address-mask} established
>
>>The "@" nomenclature doesn't allow for subnet masking (actual subnets or
>>logical subnets).  Blunt acceptance/denial of a "network" may be OK, but we
>>really need to address the protocol level.     [.....SNIP.....]
>
>Jeff obviously has the right idea.  Ignore my previous, and sign
>me up to second the motion on Jeff's suggestion.  Much better
>control.
 
Well, let me revise that; this is filtering INCOMING traffic.  As such, the
ICMP protocol is rather irrelevant.  This is often used on OUTBOUND traffic
so that firewall-thwarted attempts simply time out rather than resulting in
a more definitive ICMP Destination unreachable or ICMP Connection refused
response.  It isn't of much value on inbound traffic.
 
(Takes me a minute to shuffle my mindset from router to host :-) )
 
[\] Jeff Kell, [log in to unmask]
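
The rule grammar proposed in the message above, evaluated against inbound packets, as an added example that is not part of the original post or of any HP software. Assumptions: 1-bits in the mask are the significant address bits, `{port}` is the destination port, `established` means a TCP segment with ACK or RST set (as router access lists define it), and the first matching rule wins with deny as the default; the rules and addresses are constructed.

```python
import ipaddress
import operator

OPS = {"<": operator.lt, "=": operator.eq, ">": operator.gt}

# Constructed rule list (documentation address ranges), one rule per line.
RULES = """\
permit 192.0.2.32 255.255.255.224 tcp = 23
deny 198.51.100.0 255.255.255.0
permit 0.0.0.0 0.0.0.0 established
"""

def ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_rule(line):
    action, addr, mask, *rest = line.split()
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action: {action}")
    rule = {"action": action, "addr": ip(addr), "mask": ip(mask),
            "established": rest == ["established"], "proto": None}
    if rest and not rule["established"]:
        proto, op, port = rest  # the grammar requires all three together
        if proto not in ("tcp", "udp", "icmp") or op not in OPS:
            raise ValueError(f"bad qualifier: {rest}")
        rule.update(proto=proto, op=op, port=int(port))
    return rule

def matches(rule, pkt):
    # Assumption: 1-bits in the mask mark the address bits that must match.
    if (ip(pkt["src"]) ^ rule["addr"]) & rule["mask"]:
        return False
    if rule["established"]:
        # Assumption: "established" = TCP segment carrying ACK or RST.
        return pkt["proto"] == "tcp" and bool({"ACK", "RST"} & pkt["flags"])
    if rule["proto"] is None:
        return True
    # Assumption: {port} is the destination port of the inbound packet.
    return (pkt["proto"] == rule["proto"] and pkt.get("dport") is not None
            and OPS[rule["op"]](pkt["dport"], rule["port"]))

def decide(rules, pkt):
    # Assumption: first matching rule wins; no match means deny.
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "deny"

def packet(src, proto, dport=None, flags=()):
    return {"src": src, "proto": proto, "dport": dport, "flags": set(flags)}

PARSED = [parse_rule(l) for l in RULES.splitlines() if l.strip()]
```

The first rule uses a mask that cuts a 32-address logical subnet out of a larger network, which is the case the message says the "@" nomenclature cannot express.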
