Date: Sun, 17 Jan 1999 18:50:47 -0500
From: Christian Kuhtz
To: "Daniel O'Callaghan"
Cc: Justin Wolf, ben@rosengart.com, "N. N.M", freebsd-security@FreeBSD.ORG
Subject: Re: Small Servers - ICMP Redirect
Message-ID: <19990117185047.A97318@oreo.adsu.bellsouth.com>
References: <007701be4256$f01ff740$02c3fe90@cisco.com>
In-Reply-To: from Daniel O'Callaghan on Mon, Jan 18, 1999 at 08:54:45AM +1100

On Mon, Jan 18, 1999 at 08:54:45AM +1100, Daniel O'Callaghan wrote:
> On Sun, 17 Jan 1999, Justin Wolf wrote:
> > Keep in mind that flatly blocking all ICMP messages will prevent traces and
> > pings both in and out of your network. It will also affect certain
> > services... The best way to tailor this is to block everything and loosen
> > it up as necessary to keep things from breaking.
>
> It will also block useful things like source-quench. ICMP exists for a
> reason.

With all due respect, ICMP source quenches are in my experience not a regular
occurrence (even though it'd be nice to get them more frequently), and even if
they occur, most stacks don't know how to deal with them correctly.

ICMP is primarily a diagnostic tool. In a properly configured network, ICMP is
not necessary.
Again, loosen your configs as needed. A lack of ICMP in a properly configured
network is irritating at best, but not life threatening.

Cheers,
Chris

--
"We are not bound by any concept, we are just bound to make any concept work
better than others." -- Dr. Ferry Porsche

[Disclaimer: I speak for myself and my views are my own and not in any way to
be construed as the views of BellSouth Corporation.]
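As an added illustration of the "block everything and loosen it up as necessary" approach discussed in this thread (example code, not from any of the posters), the script below prints an ipfw(8) ICMP ruleset that denies all ICMP by default and then re-admits only the types that ping, traceroute and path-MTU discovery depend on. The rule numbers, the `icmp_rules`/`icmp_type_allowed` helper names and the exact set of permitted types are this example's own choices; source quench (type 4) is deliberately left in the denied set, per the discussion above.

```shell
#!/bin/sh
# Added example: default-deny ICMP policy for FreeBSD ipfw, loosened only
# for the types ordinary operation needs. Not code from the original thread.
#
# ICMP types re-admitted:
#   0  echo reply          (answers to our outgoing pings)
#   3  destination unreachable (incl. code 4 "fragmentation needed",
#                              required for path MTU discovery)
#   8  echo request        (lets others ping us; drop if not wanted)
#   11 time exceeded       (what traceroute relies on)
# Type 4 (source quench) is intentionally NOT in this list.
ALLOWED_ICMP_TYPES="0,3,8,11"

# Print the ruleset rather than loading it, so the policy can be reviewed
# (and tested) before it is handed to ipfw as root. Rule numbers 1000/1010
# are an assumption; pick ones that fit your existing ruleset.
icmp_rules() {
    printf 'add 1000 allow icmp from any to any icmptypes %s\n' "$ALLOWED_ICMP_TYPES"
    printf 'add 1010 deny log icmp from any to any\n'
}

# Exit 0 if ICMP type $1 would be passed by the policy above, 1 otherwise.
# Handy for sanity-checking the list before deploying it.
icmp_type_allowed() {
    case ",$ALLOWED_ICMP_TYPES," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# To apply on FreeBSD (as root): icmp_rules > /tmp/icmp.rules && ipfw -q /tmp/icmp.rules
icmp_rules
```

Because the deny rule carries `log`, blocked ICMP shows up in the ipfw log and can be reviewed when something breaks, which is how you discover which additional types a given network actually needs.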