Date: Sun, 17 Jan 1999 18:55:43 -0500
From: Christian Kuhtz <ck@adsu.bellsouth.com>
To: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Cc: "Daniel O'Callaghan" <danny@hilink.com.au>, freebsd-security@FreeBSD.ORG
Subject: Re: Small Servers - ICMP Redirect
Message-ID: <19990117185543.C97318@oreo.adsu.bellsouth.com>
In-Reply-To: <199901172309.SAA09685@khavrinen.lcs.mit.edu>; from Garrett Wollman on Sun, Jan 17, 1999 at 06:09:14PM -0500
References: <007701be4256$f01ff740$02c3fe90@cisco.com> <Pine.BSF.3.96.990118085344.15297A-100000@enya.clari.net.au> <199901172309.SAA09685@khavrinen.lcs.mit.edu>

On Sun, Jan 17, 1999 at 06:09:14PM -0500, Garrett Wollman wrote:
> Actually, it will block useful things like `destination unreachable'
> and `fragmentation required'. Source Quench is not useful -- just ask
> any router vendor.

Yep. Like the frame-relay FECN/BECN.

> As a general rule, you should accept all UNREACHABLE, TIME EXCEEDED,
> and PARAMETER PROBLEM messages, might or might not accept ECHO
> REQUEST and ECHO RESPONSE, and should drop all others.

It should be pointed out, though, that nothing gets broken when those are blocked. The rest is religion and should be discussed on firewalls@greatcircle.com

Thanks,
Chris

--
"We are not bound by any concept, we are just bound to make any concept work better than others." -- Dr. Ferry Porsche

[Disclaimer: I speak for myself and my views are my own and not in any way to be construed as the views of BellSouth Corporation. ]

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message