I posted this question on another Linksys forum and received nothing but crickets chirping. Maybe I will have better luck here.

When I typically harden my Linux box (I use Gentoo as my main rig), I will perform a few tweaks to:

/proc/sys/net/ipv4/*

This is where you can set some kernel parameters relating to TCP/IP and what types of packets the kernel itself will respond to. For instance, you can make the kernel drop all ICMP packets as well as ignore spoofed packets and source routed packets (among other things).

When I ssh into my Tomato router and go through the /proc/sys/net/ipv4/* files, I see that the Tomato Linux kernel, by default, doesn't block some of these types of packets. I am interested in forcing the Tomato kernel to drop the following types of packets (just as I set my local Gentoo machine to do):

By default, the Tomato *kernel* has the following already set like I want them:

Code:
accept_source_route = 0
accept_redirects = 0
rp_filter = 1

So the above is fine. The following are *not* set like I want them:

Code:
ip_forward = 1
icmp_echo_ignore_all = 0
icmp_echo_ignore_broadcasts = 0
icmp_ignore_bogus_error_responses = 0

My questions:

1) Does the Tomato firewall (iptables) do the job independent of whether the kernel itself is configured to block these packets? In other words, is there a way for an attacker to "break through" the firewall by sending some types of "bogus" packets? It seems to me that setting the router's kernel to ignore these packets is "more secure" than relying on iptables. Or am I wrong?

2) If I turn off ip_forward, will it negatively affect my router's ability to properly route packets within my LAN? The Gentoo handbook says that ip_forward is only needed for "multi-homed hosts." I am not quite sure what a multi-homed host is, even after a lot of research on Google. I think it has to do with a host that has more than one interface (like a host serving more than one LAN), which I don't think my router does.

3) Will I see any ill effects of making Tomato's kernel ignore all ICMP packets as outlined above?

Can any security gurus (specifically those familiar with Linux) help me out?
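
An added example, not part of the original post: a POSIX sh audit that compares the settings named above with a wanted baseline and counts the ones that differ. The function names, the conf/all/ location of the first three settings, and the wanted value 1 for the icmp_* settings are assumptions; the sample tree is constructed from the values quoted in the post.

```shell
#!/bin/sh
# Wanted values. The first three are the ones the post reports as already
# fine; the icmp_* values are an assumption (the opposite of what the post
# reports). Reading the first three from conf/all/ is also an assumption.
BASELINE='conf/all/accept_source_route=0
conf/all/accept_redirects=0
conf/all/rp_filter=1
icmp_echo_ignore_all=1
icmp_echo_ignore_broadcasts=1
icmp_ignore_bogus_error_responses=1'

# audit_ipv4 [DIR]: print one line per setting; exit status = number of
# settings that differ or cannot be read. DIR defaults to the live kernel.
audit_ipv4() {
    root="${1:-/proc/sys/net/ipv4}"
    bad=0
    for entry in $BASELINE; do
        key="${entry%%=*}"; want="${entry#*=}"
        if [ ! -r "$root/$key" ]; then
            echo "MISSING $key"; bad=$((bad + 1)); continue
        fi
        have="$(cat "$root/$key")"
        if [ "$have" = "$want" ]; then
            echo "OK      $key=$have"
        else
            echo "DIFF    $key=$have (wanted $want)"; bad=$((bad + 1))
        fi
    done
    # ip_forward is shown but not judged: the post asks whether it can change.
    [ -r "$root/ip_forward" ] && echo "INFO    ip_forward=$(cat "$root/ip_forward")"
    return "$bad"
}

# make_sample_tree DIR: constructed copy of the values quoted in the post,
# so the audit can be tried offline with: audit_ipv4 DIR
make_sample_tree() {
    mkdir -p "$1/conf/all"
    echo 0 > "$1/conf/all/accept_source_route"
    echo 0 > "$1/conf/all/accept_redirects"
    echo 1 > "$1/conf/all/rp_filter"
    echo 1 > "$1/ip_forward"
    for f in icmp_echo_ignore_all icmp_echo_ignore_broadcasts \
             icmp_ignore_bogus_error_responses; do
        echo 0 > "$1/$f"
    done
}
```

On the router, calling audit_ipv4 with no argument reads the live /proc/sys/net/ipv4 tree; per-interface conf/<iface>/ entries are not checked here.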