Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 17 Jan 1999 18:50:47 -0500
From:      Christian Kuhtz <ck@adsu.bellsouth.com>
To:        "Daniel O'Callaghan" <danny@hilink.com.au>
Cc:        Justin Wolf <jjwolf@bleeding.com>, ben@rosengart.com, "N. N.M" <madrapour@hotmail.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: Small Servers - ICMP Redirect
Message-ID:  <19990117185047.A97318@oreo.adsu.bellsouth.com>
In-Reply-To: <Pine.BSF.3.96.990118085344.15297A-100000@enya.clari.net.au>; from Daniel O'Callaghan on Mon, Jan 18, 1999 at 08:54:45AM %2B1100
References:  <007701be4256$f01ff740$02c3fe90@cisco.com> <Pine.BSF.3.96.990118085344.15297A-100000@enya.clari.net.au>
index | next in thread | previous in thread | raw e-mail 

On Mon, Jan 18, 1999 at 08:54:45AM +1100, Daniel O'Callaghan wrote:
> On Sun, 17 Jan 1999, Justin Wolf wrote:
> > Keep in mind that flatly blocking all ICMP messages will prevent traces and
> > pings both in and out of your network.  It will also effect certain
> > services...  The best way to tailor this is to block everything and loosen
> > it up as necessary to keep things from breaking.
> 
> It will also block useful things like source-quench.  ICMP exists for a
> reason.

With all due respect, ICMP source quenches are in my experience not a regular
occurance (even though it'd be nice to get them more frequently) and even if 
they occur, most stacks don't know how to deal with it correctly.

ICMP is primarily a diagnostic tool.  In a properly configured network, ICMP
is not neccessary.  Again, loosen your configs as needed.  A lack of ICMP
in a properly configured network is irritating at best, but not life 
threatening.

Cheers,
Chris

-- 
  "We are not bound by any concept, we are just bound to make any concept work 
   better than others."                                  --  Dr. Ferry Porsche

[Disclaimer: I speak for myself and my views are my own and not in any way to
             be construed as the views of BellSouth Corporation. ]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
help

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19990117185047.A97318>