Hi, Rafi! How's things?

] I find it hard to believe You have no thoughts about:

Oh, you know me; I have a thought about everything. :)

] 1) rate-limiting ICMP

This is covered in the Secure IOS Template, though it likely should be added to the ICMP filtering list as well. I very much like the example posted by Jared, so I may steal that as well (*waves to Jared*). :)

] 2) passing ICMP "statefully"
] (that is for example ICMP echo reply only accepted in reply to an ICMP echo)

Ah, yeah... I've seen a lot of problems with stateful inspection of ICMP flows. In short, I've not seen it work consistently. Enlightenment is welcome. :)

] 3) DoS problems related to ICMP unreachables

This is also covered in the Secure IOS Template; I recommend disabling them. Barry has already given me the syntax to rate limit them, which is something I need to add to the Secure IOS Template. I need more time and more coffee. :)

http://www.cymru.com/Documents/secure-ios-template.html

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);