Date: Sun, 17 Jan 1999 17:35:16 -0500 (EST)
From: Snob Art Genre
Reply-To: ben@rosengart.com
To: Justin Wolf
cc: "Daniel O'Callaghan", freebsd-security@FreeBSD.ORG, "N. N.M"
Subject: Re: Small Servers - ICMP Redirect
In-Reply-To: <001101be4265$88868540$02c3fe90@cisco.com>
Sender: owner-freebsd-security@FreeBSD.ORG

On Sun, 17 Jan 1999, Justin Wolf wrote:

> I believe I had read the question and that my response was applicable.
> Perhaps you should read the responses again? Blocking ICMP-redirects is
> definitely advisable - I was suggesting that ICMP messages not be blocked on
> the whole. I apologize if my wording, or the wording of Daniel, is
> misleading...

The question only concerned redirects. You're correct that blocking all
ICMP is harmful, but I don't believe the original poster was considering
that policy.

On further reflection, I have one thing to add: it seems to me that
redirects sent to the firewall router itself may or may not be trusted,
depending whom you're talking to, but keeping them from entering your
network is a good idea.

 Ben

"You have your mind on computers, it seems."
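
The policy discussed in this thread (drop ICMP redirects arriving from outside, leave other ICMP alone, and treat redirects addressed to the firewall itself as an operator choice), written out as an added example that is not part of the original message. The interface names, the addresses (documentation ranges) and the function names are hypothetical, and the sample packets are constructed.

```python
import ipaddress
import struct

ICMP_PROTO = 1      # IPv4 protocol number for ICMP
ICMP_REDIRECT = 5   # RFC 792: ICMP type 5 is Redirect

def build_packet(src, dst, icmp_type, code=0):
    """Constructed sample IPv4+ICMP packet (checksums left zero, not captured traffic)."""
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     ICMP_PROTO, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + icmp

def decide(packet, in_iface, external_if, own_addrs, trust_redirects_to_self=False):
    """Return 'pass' or 'drop' for a packet arriving on in_iface.

    Hypothetical filter hook: only the redirect policy is modelled,
    and checksums are not verified.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop"                     # not a parseable IPv4 header
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "drop"                     # bad or truncated IP header
    if packet[9] != ICMP_PROTO:
        return "pass"                     # non-ICMP traffic is out of scope here
    if len(packet) < ihl + 8:
        return "drop"                     # truncated ICMP header
    if packet[ihl] != ICMP_REDIRECT:
        return "pass"                     # other ICMP types are not blocked wholesale
    if in_iface != external_if:
        return "pass"                     # only redirects entering from outside are filtered
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    if dst in own_addrs and trust_redirects_to_self:
        return "pass"                     # addressed to the firewall itself, operator trusts it
    return "drop"                         # redirect trying to enter the network

if __name__ == "__main__":
    fw = {"203.0.113.1"}                  # the firewall's own external address (assumed)
    samples = [
        ("redirect to inside host", build_packet("198.51.100.9", "192.0.2.10", 5, 1)),
        ("redirect to firewall", build_packet("198.51.100.9", "203.0.113.1", 5, 1)),
        ("echo request", build_packet("198.51.100.9", "192.0.2.10", 8)),
        ("unreachable, frag needed", build_packet("198.51.100.9", "192.0.2.10", 3, 4)),
    ]
    for label, pkt in samples:
        print(label, "->", decide(pkt, "ext0", "ext0", fw))
```
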