Date: Sun, 17 Jan 1999 14:05:12 -0800
From: "Justin Wolf" <jjwolf@bleeding.com>
To: <ben@rosengart.com>, "Daniel O'Callaghan" <danny@hilink.com.au>
Cc: "N. N.M" <madrapour@hotmail.com>, <freebsd-security@FreeBSD.ORG>
Subject: Re: Small Servers - ICMP Redirect
Message-ID: <001101be4265$88868540$02c3fe90@cisco.com>

>> > >> 2) About ICMP redirect messages, as I learned they could be used to make
>> > >> our network disconnected and something. What's the way to prevent this
>> > >> kind of attack? Does blocking this kind of ICMP on firewall and routers
>> > >> cause any problem in connectivity and system behavior?
>> > >
>> > >I would block these messages from entering my network, absolutely.
>> >
>> > Keep in mind that flatly blocking all ICMP messages will prevent traces and
>> > pings both in and out of your network. It will also affect certain
>> > services... The best way to tailor this is to block everything and loosen
>> > it up as necessary to keep things from breaking.
>>
>> It will also block useful things like source-quench. ICMP exists for a
>> reason.
>
>Read the question again, people.

I believe I had read the question and that my response was applicable.
Perhaps you should read the responses again? Blocking ICMP-redirects is
definitely advisable - I was suggesting that ICMP messages not be blocked on
the whole. I apologize if my wording, or the wording of Daniel, is
misleading...

-Justin
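
The policy discussed in the message above (drop ICMP redirects at the border, keep the ICMP types that pings, traces and source-quench depend on), written as an added example that is not part of the original e-mail. The interface name `ext0`, the rule numbers and the helper names `icmp_rules` and `inbound_verdict` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an ipfw rule file that drops
# inbound ICMP redirects while leaving the rest of ICMP usable.
# Assumptions: "ext0" stands in for the external interface and rule
# numbers 1000-1030 are unused in the existing ruleset.
EXT_IF="${EXT_IF:-ext0}"

# ICMP types used below:
#   0 echo reply   3 destination unreachable   4 source quench
#   5 redirect     8 echo request              11 time exceeded
# A FreeBSD host can additionally ignore redirects it receives with
# sysctl net.inet.icmp.drop_redirect=1.
icmp_rules() {
    cat <<EOF
add 1000 deny log icmp from any to any in via ${EXT_IF} icmptypes 5
add 1010 allow icmp from any to any in via ${EXT_IF} icmptypes 0,3,4,8,11
add 1020 allow icmp from any to any out via ${EXT_IF} icmptypes 0,3,4,8,11
add 1030 deny icmp from any to any via ${EXT_IF}
EOF
}

# First-match verdict for an inbound ICMP type under the rules above, so
# the policy can be checked before it is loaded into the firewall.
inbound_verdict() {
    icmp_rules | awk -v t="$1" '
        $0 ~ / out / { next }                 # outbound-only rule, skip
        {
            action = $3
            n = 0
            for (i = 1; i < NF; i++)
                if ($i == "icmptypes") n = split($(i + 1), types, ",")
            if (n == 0) { print action; exit }    # rule covers every type
            for (j = 1; j <= n; j++)
                if (types[j] == t) { print action; exit }
        }'
}

# Print the rule file; save it and load it with: ipfw /absolute/path/to/file
icmp_rules
```

Rule 1000 must stay ahead of the allow rules because ipfw stops at the first matching rule.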