From owner-freebsd-security Thu Mar 22 17:32:58 2001
Date: Fri, 23 Mar 2001 08:32:50 +0700 (ICT)
Message-Id: <200103230132.IAA07082@banyan.cs.ait.ac.th>
From: Olivier Nicole
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: DoS attack - advice needed
Sender: owner-freebsd-security@FreeBSD.ORG

>I filter ICMP, at my router, too. I only allow incoming ICMP from source
>ports 0, 3 & 11 and I allow all outgoing ICMP. I just do it to help security
>not as a stop-gap measure. To get back to the original poster's questions,

Why not filter the same outgoing ports as the incoming ones? That
would help global Internet security/performance by making sure no
attack can be launched from your network.

As for why ICMP is needed, basic tools used by network people are
based on ICMP. As long as you are connected to only one provider, that
is OK, but if not, then you DO need traceroute... If only to know
where your packets are going and if they are going in the right
direction.

Olivier