Safe packets


gioeleb
02-02-2006, 09:20 PM
What are the "safe packets" that we can allow to pass our firewalls?
The GNAX datacenter is using traceroute and other packets to optimize their network.
What combination of ports and ips should we allow?

I know this has been asked previously, but my old firewall rules do not work fine anymore, so...

indigo
02-17-2006, 07:16 PM
# create a user chain and send all INPUT traffic through it
/sbin/iptables -N default_policy
/sbin/iptables -A INPUT -j default_policy

# allow loopback, DNS, ICMP, and stateful connections from all.
/sbin/iptables -A default_policy -i lo -j ACCEPT
/sbin/iptables -A default_policy -p icmp --icmp-type any -j ACCEPT
/sbin/iptables -A default_policy -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow SSH traffic from all.
/sbin/iptables -A default_policy -p tcp --dport 22 -j ACCEPT

# allow HTTP HTTPS from all
/sbin/iptables -A default_policy -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A default_policy -p tcp --dport 443 -j ACCEPT

# if nothing matches above traffic, drop...
/sbin/iptables -A default_policy -j DROP

indigo
02-17-2006, 10:33 PM
Other notes:

I'm sure GNAX does not filter anything on their networks unless it's necessary due to performance conditions (denial of service, etc).

My rules don't add a rule for SMTP either...

/sbin/iptables -A default_policy -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A default_policy -p tcp --dport 143 -j ACCEPT

These are just simple rules that allow in traffic on expected service ports, allow connections that have an active state (ie: established higher port connections from other services) and deny all the rest.

What else are you looking for....

gioeleb
02-18-2006, 06:05 PM
[QUOTE=indigo]What else are you looking for....[/QUOTE]
GNAX pings our hosts every few hours to recalculate routes and optimize the paths between them. For more information look in the forum archives.
GNAX uses traceroute (or tracepath) to ping us, not standard ICMP. My firewall has started to drop some packets from GNAX, so I suppose that they have changed something in their setup: servers? ports? technique?

matta
02-18-2006, 06:23 PM
They use UDP (which is what traceroute uses) to calculate. If your VM blocks it, it is no problem; they perform it for every IP and I believe they have quite a few Class B networks assigned to them, so the route optimization will still work just fine (aka. it's not tuned just for your IP).
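To see why indigo's chain drops the probes matta describes, here is an added example (not code from this thread or from GNAX) that replays a few constructed packets through the posted rules using first-match evaluation. It only parses the flags the posted rules use (-i, -p, --dport, -m state --state, -j). The extra rule it tries is a hypothetical one: classic traceroute sends UDP to destination port 33434 and increments the port per probe, so 30 hops with 3 probes each covers 33434 to 33523, which is a narrow range to open compared with allowing all UDP.

```python
"""Simulate first-match evaluation of an iptables chain.

Added example, not the thread's own code: runs constructed packets through
indigo's posted chain to show that a UDP traceroute probe falls through to the
final DROP, and that one extra UDP rule for traceroute's default port range
(a hypothetical addition) lets it through while other UDP stays blocked.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0        # destination port (0 for icmp)
    state: str = "NEW"    # conntrack state: NEW, ESTABLISHED, RELATED
    iface: str = "eth0"   # ingress interface


# indigo's chain with the -N/-A spelling corrected; evaluated top to bottom.
POSTED_CHAIN = [
    "/sbin/iptables -A default_policy -i lo -j ACCEPT",
    "/sbin/iptables -A default_policy -p icmp --icmp-type any -j ACCEPT",
    "/sbin/iptables -A default_policy -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "/sbin/iptables -A default_policy -p tcp --dport 22 -j ACCEPT",
    "/sbin/iptables -A default_policy -p tcp --dport 80 -j ACCEPT",
    "/sbin/iptables -A default_policy -p tcp --dport 443 -j ACCEPT",
    "/sbin/iptables -A default_policy -j DROP",
]

# Hypothetical extra rule: traceroute's default UDP probe range (33434-33523).
TRACEROUTE_RULE = "/sbin/iptables -A default_policy -p udp --dport 33434:33523 -j ACCEPT"


def parse_rule(line):
    """Reduce one '-A chain ... -j TARGET' line to its match conditions."""
    toks = line.split()

    def arg(flag):
        return toks[toks.index(flag) + 1]

    rule = {"target": arg("-j")}
    if "-i" in toks:
        rule["iface"] = arg("-i")
    if "-p" in toks:
        rule["proto"] = arg("-p")
    if "--dport" in toks:
        lo, _, hi = arg("--dport").partition(":")   # single port or lo:hi range
        rule["dport"] = (int(lo), int(hi or lo))
    if "--state" in toks:
        rule["states"] = set(arg("--state").split(","))
    return rule


def rule_matches(rule, pkt):
    """Every condition present on the rule must hold for the packet."""
    if "iface" in rule and rule["iface"] != pkt.iface:
        return False
    if "proto" in rule and rule["proto"] != pkt.proto:
        return False
    if "dport" in rule and not rule["dport"][0] <= pkt.dport <= rule["dport"][1]:
        return False
    if "states" in rule and pkt.state not in rule["states"]:
        return False
    return True


def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule decides; fall back to the chain's policy."""
    for line in chain:
        rule = parse_rule(line)
        if rule_matches(rule, pkt):
            return rule["target"]
    return policy


def with_traceroute_allowed(chain):
    """Insert the UDP rule just before the final DROP so it is actually reached."""
    return chain[:-1] + [TRACEROUTE_RULE] + chain[-1:]


# Constructed sample traffic, labelled by what each packet represents.
SAMPLES = {
    "ssh new": Packet("tcp", 22),
    "icmp echo": Packet("icmp"),
    "traceroute probe": Packet("udp", 33434),
    "reply to outbound": Packet("tcp", 52000, "ESTABLISHED"),
    "random tcp": Packet("tcp", 8080),
    "random udp": Packet("udp", 33600),
}


def report(chain):
    """Map each sample name to the verdict the chain gives it."""
    return {name: verdict(chain, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    print("posted:         ", report(POSTED_CHAIN))
    print("with traceroute:", report(with_traceroute_allowed(POSTED_CHAIN)))
```

The probe is UDP, so none of the tcp rules match it, conntrack sees it as NEW rather than ESTABLISHED, and the ICMP rule does not apply; the only line left is the final DROP, which is exactly what shows up in the logs. Opening just the traceroute port range keeps the rest of UDP closed, and placing the rule ahead of the DROP matters because iptables stops at the first match.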

gioeleb
02-18-2006, 06:35 PM
[QUOTE=matta]If your VM blocks it, it is no problem; they perform it for every IP and I believe they have quite a few Class B networks assigned to them, so the route optimization will still work just fine (aka. it's not tuned just for your IP).[/QUOTE]
This is great to hear.

Still I don't like to see innocents in my logs :)
I'll do some more experiments and I'll report some iptables rules.