Talk:Simple stateful firewall
Question about section "Protection against spoofing attacks"
The rule when rp_filter is 0 checks the source address.
Previously I only read about checking the destination address with the comment "Reject external connections for internal networks".
As I'm still a network/firewall newbie, I cannot tell which is correct, or whether both are needed.
-I INPUT ! -i lo -d 127.0.0.0/8 -j DROP
Same for the "IPv6" section.
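As an added illustration (not code from the wiki page or this discussion), the following models the two loopback anti-spoofing rules mentioned above, the source check and the destination check, and runs them against constructed sample packets; the matcher is a simplified model of iptables `-i`/`-s`/`-d` matching, not iptables itself.

```python
"""Simplified model of two iptables INPUT rules discussed on the talk page:
  ! -i lo -s 127.0.0.0/8 -j DROP   (source check)
  ! -i lo -d 127.0.0.0/8 -j DROP   (destination check)
Rule semantics are an assumption for illustration: a rule matches when the
packet did NOT arrive on the excluded interface and its src/dst fall in the
configured network. Sample packets are constructed, not captured."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrived on
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    name: str
    not_iface: str                  # "! -i lo": skip packets arriving on this interface
    src_net: Optional[str] = None   # "-s 127.0.0.0/8"
    dst_net: Optional[str] = None   # "-d 127.0.0.0/8"

    def matches(self, pkt: Packet) -> bool:
        if pkt.iface == self.not_iface:
            return False
        if self.src_net and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        return True


SRC_RULE = Rule("src-loopback", not_iface="lo", src_net="127.0.0.0/8")
DST_RULE = Rule("dst-loopback", not_iface="lo", dst_net="127.0.0.0/8")


def dropped_by(pkt: Packet, rules: Tuple[Rule, ...] = (SRC_RULE, DST_RULE)) -> List[str]:
    """Names of the rules that would DROP this packet (empty list = accepted here)."""
    return [r.name for r in rules if r.matches(pkt)]


# Constructed samples: each rule catches a different class of packet,
# and genuine loopback traffic is untouched by both.
SAMPLES = {
    "spoofed-src": Packet("eth0", "127.0.0.1", "192.0.2.10"),      # loopback source from the wire
    "loopback-dst": Packet("eth0", "198.51.100.7", "127.0.0.1"),   # external packet aimed at loopback
    "genuine-lo": Packet("lo", "127.0.0.1", "127.0.0.1"),          # real loopback traffic, must pass
    "normal": Packet("eth0", "198.51.100.7", "192.0.2.10"),        # ordinary inbound packet
}
```

Running `dropped_by` over `SAMPLES` shows that the source rule and the destination rule match disjoint packets, which is why the two checks are not interchangeable.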
ICMP rate limiting considered harmful
I'd say that the ping rate limiter has little value. Processing those takes little effort for the kernel, especially compared to TCP. Anyhow, if you want to do proper traffic control, use tc, and look at queuing disciplines instead of arbitrary rate limits which may only be ephemerally valid and not applicable to most people.
I'm considering removing it soon.