From owner-freebsd-security  Sun Jan 17 14:13:31 1999
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id OAA07953
          for freebsd-security-outgoing; Sun, 17 Jan 1999 14:13:31 -0800 (PST)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from vital.bleeding.com (vital.bleeding.com [206.251.12.170])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA07946
          for <freebsd-security@FreeBSD.ORG>; Sun, 17 Jan 1999 14:13:29 -0800 (PST)
          (envelope-from jjwolf@bleeding.com)
Received: from crimson ([144.254.195.2])
	by vital.bleeding.com (8.8.8/8.8.8) with SMTP id OAA03126;
	Sun, 17 Jan 1999 14:21:36 -0800 (PST)
	(envelope-from jjwolf@bleeding.com)
Message-ID: <001101be4265$88868540$02c3fe90@cisco.com>
From: "Justin Wolf" <jjwolf@bleeding.com>
To: <ben@rosengart.com>, "Daniel O'Callaghan" <danny@hilink.com.au>
Cc: "N. N.M" <madrapour@hotmail.com>, <freebsd-security@FreeBSD.ORG>
Subject: Re: Small Servers - ICMP Redirect
Date: Sun, 17 Jan 1999 14:05:12 -0800
MIME-Version: 1.0
Content-Type: text/plain;
	charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.0810.800
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.0810.800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>> > >> 2) About ICMP redirect messages, as I learned they could be used to
make
>> > >> our network disconnected and somthing. What's the way to prevent
this
>> > >> kind of attack? Does blocking this kind of ICMP on firewall and
routers
>> > >> cause any problem in connectivity and system behavior?
>> > >
>> > >I would block these messages from entering my network, absolutely.
>> >
>> > Keep in mind that flatly blocking all ICMP messages will prevent traces
and
>> > pings both in and out of your network.  It will also effect certain
>> > services...  The best way to tailor this is to block everything and
loosen
>> > it up as necessary to keep things from breaking.
>>
>> It will also block useful things like source-quench.  ICMP exists for a
>> reason.
>
>Read the question again, people.

I believe I had read the question and that my response was applicable.
Perhaps you should read the responses again?  Blocking ICMP-redirects is
definately advisable - I was suggesting that ICMP messages not be blocked on
the whole.  I appologize if my wording, or the wording of Daniel, is
misleading...

-Justin



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message