From owner-freebsd-security Sun Jan 17 15:56:03 1999
Return-Path:
Received: (from majordom@localhost)
    by hub.freebsd.org (8.8.8/8.8.8) id PAA23586
    for freebsd-security-outgoing; Sun, 17 Jan 1999 15:56:03 -0800 (PST)
    (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from oreo.adsu.bellsouth.com (oreo.adsu.bellsouth.com [205.152.173.36])
    by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA23509
    for ; Sun, 17 Jan 1999 15:56:00 -0800 (PST)
    (envelope-from ck@oreo.adsu.bellsouth.com)
Received: (from ck@localhost)
    by oreo.adsu.bellsouth.com (8.9.1/8.9.1) id SAA97420;
    Sun, 17 Jan 1999 18:55:43 -0500 (EST)
    (envelope-from ck)
Date: Sun, 17 Jan 1999 18:55:43 -0500
From: Christian Kuhtz
To: Garrett Wollman
Cc: "Daniel O'Callaghan" , freebsd-security@FreeBSD.ORG
Subject: Re: Small Servers - ICMP Redirect
Message-ID: <19990117185543.C97318@oreo.adsu.bellsouth.com>
References: <007701be4256$f01ff740$02c3fe90@cisco.com> <199901172309.SAA09685@khavrinen.lcs.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95i
In-Reply-To: <199901172309.SAA09685@khavrinen.lcs.mit.edu>; from Garrett Wollman on Sun, Jan 17, 1999 at 06:09:14PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Jan 17, 1999 at 06:09:14PM -0500, Garrett Wollman wrote:
> Actually, it will block useful things like `destination unreachable'
> and `fragmentation required'. Source Quench is not useful -- just ask
> any router vendor.

Yep. Like the frame-relay FECN/BECN.

> As a general rule, you should accept all UNREACHABLE, TIME EXCEEDED,
> and PARAMETER PROBLEM messages, might or might not accept ECHO
> REQUEST and ECHO RESPONSE, and should drop all others.

It should be pointed out, though, that nothing gets broken when those are
blocked.

The rest is religion and should be discussed on firewalls@greatcircle.com

Thanks,
Chris

--
"We are not bound by any concept, we are just bound to make any concept work
better than others." -- Dr. Ferry Porsche

[Disclaimer: I speak for myself and my views are my own and not in any way to
be construed as the views of BellSouth Corporation. ]