Date: Thu, 22 Mar 2001 12:49:38 -0500 (EST)
To: Chris Byrnes
Cc: Marc Rogers, freebsd-security@FreeBSD.ORG
Subject: Re: DoS attack - advice needed

On Thu, 22 Mar 2001, Chris Byrnes wrote:

> > Do *NOT* block ICMP point blank at ALL. If you need to filter certain
> > types and codes, fine. But NEVER slap an embargo on the entire ICMP
> > protocol. The mentality to do this blows me away every time I hear it
> > uttered from people.
>
> Why? If you have idiots running ping -f yourserver.com from 150 ISPs
> around the world, you're going to want to filter ICMP. That's what I did
> awhile back.

Idiots is a subjective term. Anyway. I'll tell you why you can't just
*flip off* ICMP. It's an integral part of IP.

http://users.worldgate.com/~marcs/mtu/

A lot of people need to take some "Protocol 101" classes. If you don't like
how ICMP works, I don't care. It's your broken network, not mine. But the
fact is you can't filter the entire protocol without consequences. If you
choose to ignore said consequences, well, again, it's your broken network,
not mine. I don't care.

> And I haven't found a valid reason to re-enable it.

See above URL.

=============================================================================
-Chris Watson (316) 326-3862 | FreeBSD Consultant, FreeBSD Geek
Work: scanner@jurai.net | Open Systems Inc., Wellington, Kansas
Home: scanner@deceptively.shady.org | http://open-systems.net
=============================================================================
WINDOWS: "Where do you want to go today?"
LINUX: "Where do you want to go tomorrow?"
BSD: "Are you guys coming or what?"
=============================================================================
irc.openprojects.net #FreeBSD -Join the revolution!
ICQ: 20016186
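
As an added illustration (not part of the original message), the sketch below applies a per-type/code ICMP policy to constructed packets: echo requests are dropped, while the type 3 code 4 "fragmentation needed" message that path MTU discovery (RFC 1191) depends on still gets through. The policy table, function names and sample addresses are assumptions made for this example.

```python
import struct

# Policy assumed for this example (not from the thread): pass the ICMP
# error messages that IP relies on, drop everything else (incl. echo request).
ALLOW = {
    (3, None): "destination unreachable (any code, incl. 4 = frag needed)",
    (11, None): "time exceeded",
    (12, None): "parameter problem",
    (0, 0): "echo reply (answers to our own pings)",
}

def parse_icmp(packet: bytes):
    """Return (type, code, next_hop_mtu or None) for an IPv4 ICMP packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if packet[9] != 1:                    # protocol field: 1 = ICMP
        raise ValueError("not ICMP")
    if len(packet) < ihl + 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _cksum, _unused, mtu = struct.unpack_from("!BBHHH", packet, ihl)
    # RFC 1191: type 3 code 4 carries the next-hop MTU in the last 16 bits
    # of the second header word; for other messages that field means something else.
    return icmp_type, code, (mtu if (icmp_type, code) == (3, 4) else None)

def decide(packet: bytes) -> str:
    """Match on exact (type, code) first, then on type with any code."""
    icmp_type, code, mtu = parse_icmp(packet)
    if (icmp_type, code) in ALLOW or (icmp_type, None) in ALLOW:
        suffix = f" mtu={mtu}" if mtu is not None else ""
        return f"allow type={icmp_type} code={code}{suffix}"
    return f"deny type={icmp_type} code={code}"

def make_packet(icmp_type, code, rest=0):
    """Constructed sample: 20-byte IPv4 header (checksums zeroed) + 8-byte ICMP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + struct.pack("!BBHI", icmp_type, code, 0, rest)

SAMPLES = {
    "ping flood packet": make_packet(8, 0),
    "frag needed, MTU 1400": make_packet(3, 4, 1400),
    "TTL expired": make_packet(11, 0),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:24} -> {decide(pkt)}")
```

A blanket "deny all ICMP" rule would discard the second sample as well, so the sender would never learn the 1400-byte limit and large packets on that path would silently disappear.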