I found that I was running out of disk space - partially due to a crazy growth in my log files. The log file showed:

    SFW2-OUTPUT-ERROR IN= OUT=eth0 SRC=myip DST=212.110.79.74 LEN=1044 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=0 CODE=0 ID=6666 SEQ=0

I have no idea what this is, but it took me a while to figure out how to make it stop. I added a couple of rules with IPTABLES:

    iptables -A OUTPUT -d 212.110.79.74 -j REJECT
    iptables -A OUTPUT -d 210.163.43.1 -j REJECT

Honestly, I don't know if this is the best solution, but it seems to have resolved my log file issue at least. Thought I'd share if anybody else out there is seeing anything similar.
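One way to see which destinations and ICMP types are filling the log before choosing rules, as an added example that is not part of any post in this thread. It parses lines in the format quoted in the post above; the sample lines are constructed, with 192.0.2.10 and 198.51.100.7 as placeholder addresses, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample in the netfilter LOG format quoted in the post.
# 192.0.2.10 and 198.51.100.7 are documentation-range placeholders.
SAMPLE_LOG = """\
SFW2-OUTPUT-ERROR IN= OUT=eth0 SRC=192.0.2.10 DST=212.110.79.74 LEN=1044 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=0 CODE=0 ID=6666 SEQ=0
SFW2-OUTPUT-ERROR IN= OUT=eth0 SRC=192.0.2.10 DST=212.110.79.74 LEN=1044 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=0 CODE=0 ID=6666 SEQ=0
SFW2-OUTPUT-ERROR IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=31 PROTO=ICMP TYPE=3 CODE=4 [SRC=198.51.100.7 DST=192.0.2.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=51514 DPT=80 ] MTU=1492
SFW2-OUTPUT-ERROR IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=77 DF PROTO=TCP SPT=51514 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

ICMP_NAMES = {0: "echo-reply", 3: "destination-unreachable",
              8: "echo-request", 11: "time-exceeded"}


def parse_line(line):
    """Return the KEY=value fields of one netfilter LOG line, or None."""
    if "PROTO=" not in line:
        return None
    fields = {}
    for token in line.split():
        if token.startswith("["):
            break  # embedded copy of the offending packet in ICMP errors
        key, sep, value = token.partition("=")
        if not sep:
            continue  # log prefix and bare flags such as DF or SYN
        # ID occurs twice for ICMP: the IP header ID comes before PROTO=,
        # the ICMP identifier after it.
        if key == "ID" and "PROTO" in fields:
            key = "ICMP_ID"
        fields[key] = value
    return fields


def summarize(log_text):
    """Count logged ICMP packets per (destination, type name, ICMP id)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get("PROTO") != "ICMP":
            continue
        t = int(f["TYPE"])
        name = ICMP_NAMES.get(t, f"type-{t}")
        counts[(f["DST"], name, f.get("ICMP_ID"))] += 1
    return counts


if __name__ == "__main__":
    for (dst, name, icmp_id), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:6d}  {dst:15s}  {name}  icmp_id={icmp_id}")
```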
Personally, I would just block all ICMP (pings). No need for outside people to be pinging your server.
Blocking all ICMP is a very bad idea. ICMP is used for a lot more than just ping. A good example is the ICMP must-fragment packet. If your server is connected with Ethernet (which it almost certainly is) and your visitors have an MTU size smaller than 1500 (which they probably do if they're using PPPoA/PPPoE, as most DSL users do), then your site needs to break packets into smaller sizes. Your server gets told this by means of an ICMP must-fragment packet - but if you're dropping all ICMP you'll never be able to fragment it and so users will see broken images and the like.
Agreed... I should have been more specific... I (personally) just disallow icmptype 0 (ping response), which looks like this in the firewall config:

    deny log icmp from any to any in icmptype 0

For reference, you can find the types here: http://www.faqs.org/docs/iptables/icmptypes.html