From owner-freebsd-questions@FreeBSD.ORG Fri Jul 28 14:47:20 2006 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8707E16A4DA for ; Fri, 28 Jul 2006 14:47:20 +0000 (UTC) (envelope-from cswiger@mac.com) Received: from pi.codefab.com (pi.codefab.com [199.103.21.227]) by mx1.FreeBSD.org (Postfix) with ESMTP id DD9E743D99 for ; Fri, 28 Jul 2006 14:47:05 +0000 (GMT) (envelope-from cswiger@mac.com) Received: from localhost (localhost [127.0.0.1]) by pi.codefab.com (Postfix) with ESMTP id 007855DAC; Fri, 28 Jul 2006 10:47:04 -0400 (EDT) X-Virus-Scanned: amavisd-new at codefab.com Received: from pi.codefab.com ([127.0.0.1]) by localhost (pi.codefab.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IV3imaRtymSf; Fri, 28 Jul 2006 10:47:04 -0400 (EDT) Received: from [192.168.1.251] (pool-68-161-117-245.ny325.east.verizon.net [68.161.117.245]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by pi.codefab.com (Postfix) with ESMTP id A85C55C33; Fri, 28 Jul 2006 10:47:03 -0400 (EDT) Message-ID: <44CA2365.4040907@mac.com> Date: Fri, 28 Jul 2006 10:47:01 -0400 From: Chuck Swiger User-Agent: Thunderbird 1.5.0.4 (Windows/20060516) MIME-Version: 1.0 To: freebsd-questions@freebsd.org References: <20060728001202.W17979@ganymede.hub.org> <44CA0156.6000707@collaborativefusion.com> In-Reply-To: <44CA0156.6000707@collaborativefusion.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Bill Moran , User Freebsd Subject: Re: icmp packets - disabling via sysctl, or cisco switch ... ? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Jul 2006 14:47:20 -0000 Bill Moran wrote: > User Freebsd wrote: >> Two part question here ... >> >> first part ... is there a way of just disabling icmp by setting a >> sysctl, so that a server just doesn't respond to them? >> >> second part ... is there a way of telling a cisco switch to drop all >> icmp packets, preferrably to all but an exception list, but to >> everywhere works as well ... > > Sure, just uninstall TCP/IP. ICMP isn't needed unless you're using > TCP/IP. :-) I was going to express the same idea a bit more politely... Try running "tcpdump -nt icmp" and paying attention to what is going on; blocking all ICMP traffic on an internet router will completely break PMTU discovery and cause hatred and discontent for normal TCP/IP operations, too. -- -Chuck