Date: Fri, 21 Jan 2000 16:44:24 -0500
From: Andre Chang <andre@arkaine.com>
To: "'Rodney W. Grimes'" <freebsd@gndrsh.dnsmgr.net>, oogali@intranova.net
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: RE: New Firewall
Message-ID: <6C191944837ED311863A00104BC7598F7752@s.arkaine.com>

Well I checked up on the remote machines and they are mostly just SMTP relay
hosts for different domains, nothing special.

I am dropping all ICMP types other than 0,3,8 and 11 on that machine.
Considering that I am leaving ping and traceroute open, the machine is just
a secondary mail server in case the primary mail server is unreachable. Its
primary role is DNS.

It remains to be my own decision if I want the machine to respond to ICMP
type 3.4. I'd rather the machine be unable to fulfill its secondary tasks for
some sites than opening it up to possible DoS which would affect its primary
task.

-- Andre.

-----Original Message-----
From: Rodney W. Grimes [mailto:freebsd@gndrsh.dnsmgr.net]
Sent: Thursday, January 20, 2000 12:41 PM
To: oogali@intranova.net
Cc: andre@arkaine.com; sh@eclipse.net.uk; briang@expnet.net; isp@FreeBSD.ORG; freebsd-ipfw@FreeBSD.ORG
Subject: Re: New Firewall

> I'm not sure what he meant by ICMP fragmentation-needed messages, but
> yes, ICMP is needed for reliable communication and faster communication
> (primarily unreachables), so you can allow ICMP to pass through but I
> wouldn't recommend it after seeing 24Mbps smurfs come through...
>
> And in your case Andre, ICMP fragmentation has nothing to do with your
> sendmail problem, that shows that your connection is breaking/dropping
> after a while, maybe the remote side is closing the connection
> prematurely...check it out by telnetting to the remote host on port 25 and
> imitate a regular SMTP transaction to find the problem...

If Andre is filtering ICMP 3.4 (ICMP_UNREACH.ICMP_UNREACH_NEEDFRAG) it
certainly could have to do with his sendmail problem.

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6C191944837ED311863A00104BC7598F7752>
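
An added example, not part of the original thread: a filter that matches on ICMP type alone, like the 0,3,8,11 list above, passes or drops code 4 (fragmentation needed) together with every other type 3 code, and that message carries the next-hop MTU defined in RFC 1191 that the sending TCP needs. The function names, the sample packet and its MTU of 1400 are constructed for illustration.

```python
import struct

ALLOWED_TYPES = {0, 3, 8, 11}   # the ICMP types the message says are let through

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Build a constructed ICMP message with a valid checksum."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def classify(icmp: bytes, allowed=ALLOWED_TYPES) -> dict:
    """Report what a type-only allowlist does with one ICMP message."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    if inet_checksum(icmp) != 0:        # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code = icmp[0], icmp[1]
    frag_needed = (icmp_type, code) == (3, 4)
    return {
        "type": icmp_type,
        "code": code,
        "passed": icmp_type in allowed,
        # RFC 1191: bytes 4-5 are unused, bytes 6-7 hold the next-hop MTU
        "next_hop_mtu": struct.unpack("!H", icmp[6:8])[0] if frag_needed else None,
        # dropped frag-needed means the sender never learns the smaller MTU
        "pmtud_blackhole": frag_needed and icmp_type not in allowed,
    }

# Constructed sample: type 3 code 4, next-hop MTU 1400, 28 zero bytes standing
# in for the quoted IP header plus 8 bytes of the original datagram.
SAMPLE_FRAG_NEEDED = build_icmp(3, 4, struct.pack("!HH", 0, 1400), bytes(28))

if __name__ == "__main__":
    print(classify(SAMPLE_FRAG_NEEDED))                      # type 3 allowed
    print(classify(SAMPLE_FRAG_NEEDED, allowed={0, 8, 11}))  # type 3 dropped
```
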