Recommended firewall settings

Yes, I can only add from my experience that a packet has an "in" interface in all chains, but gets an "out" interface after the routing decision, not in all chains.

Can 'Path MTU Discovery' be abused to generate unnecessary amounts of ICMP messages?
I guess yes?
So it makes sense to limit or filter out those specific ICMP messages.
Or better, don't use PMTU Discovery.

PMTU is required for IPv6

In general, the home-to-ISP link is the limiting factor. Pretty much the rest of the Internet can handle 1500 MTU.

Yes, ICMP, like any packet, can be abused. Like any threat vector, it has to be prioritized against utility and against other threats to determine if and how to mitigate. Rate-limiting is one common approach.

Note carefully "if ... to mitigate". It is bad enough to play "Whack-A-Mole" with active threats without whacking at the holes that never pop up.

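To make the "rate-limit rather than block" advice above concrete, here is an added nftables ruleset (example code written for this discussion, not posted by anyone in the thread) that bounds the rate of inbound ICMP from the upstream interface while never dropping the messages Path MTU Discovery depends on, since, as noted above, PMTUD is mandatory on IPv6. The interface name (`eth0`), the rate (`20/second`) and the burst (`50`) are assumptions; the function only prints the ruleset so it can be reviewed, and it is applied with `icmp_ruleset | nft -f -`.

```shell
#!/bin/sh
# Added example, not from the thread: nftables input chain that rate-limits
# ICMP but exempts the messages PMTUD needs. Values below are assumptions.

WAN_IF="${WAN_IF:-eth0}"             # assumption: upstream interface name
ICMP_RATE="${ICMP_RATE:-20/second}"  # assumption: token rate for "other" ICMP
ICMP_BURST="${ICMP_BURST:-50}"       # assumption: burst allowance in packets

# Emit the ruleset on stdout. Apply with:  icmp_ruleset | nft -f -
icmp_ruleset() {
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # PMTUD signalling must never be rate-limited or silently dropped.
        # IPv6 routers do not fragment, so packet-too-big is the only way a
        # host learns to shrink its packets; frag-needed is the IPv4 analogue.
        icmpv6 type packet-too-big accept
        icmp type destination-unreachable icmp code frag-needed accept

        # IPv6 neighbour discovery is not optional either.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # All remaining ICMP from upstream: accept at a bounded rate, drop and
        # count the excess. This limit is global (per chain), not per source.
        iifname "${WAN_IF}" meta l4proto { icmp, ipv6-icmp } limit rate ${ICMP_RATE} burst ${ICMP_BURST} packets accept
        iifname "${WAN_IF}" meta l4proto { icmp, ipv6-icmp } counter drop
    }
}
EOF
}

# Line number of the first rule matching the pattern, so ordering can be checked.
rule_line() {
    icmp_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1
}
```

Rule order matters in nftables: the `accept` lines for packet-too-big and frag-needed sit before the rate limiter on purpose, so a burst of pings from the outside cannot starve the one ICMP message that keeps TCP working through a small-MTU link. If you want the limit per source rather than global, replace the `limit rate` rule with a dynamic set keyed on `ip saddr` / `ip6 saddr`; the exemptions above stay the same.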