@lanodan @amerika @cjd @h4890 @sj_zero @threalist

> ICMP probably shouldn't be entirely banned though, otherwise you'll get things like MTU issues and miss connection diagnosis (like the various distinctions of destination unreachable).

The idea is that no data comes in; what do you really care if you lose some of the distinctions? Presumably it'd be one point-to-point bridge between the secure broadcast-only network and the external internet.

> And one thing that should also be filtered out is any connection that isn't for your address/subnet,

Like, in general, right? This is about a special case where you want some machines that are not quite air-gapped but you don't want machines outside the network to be able to influence their behavior.