Date: Sun, 17 Jan 1999 16:30:56 -0800 (PST)
From: Matthew Dillon
Message-Id: <199901180030.QAA54407@apollo.backplane.com>
To: Christian Kuhtz
Cc: "Daniel O'Callaghan", Justin Wolf, ben@rosengart.com, "N. N.M", freebsd-security@FreeBSD.ORG
Subject: Re: Small Servers - ICMP Redirect
References: <007701be4256$f01ff740$02c3fe90@cisco.com> <19990117185047.A97318@oreo.adsu.bellsouth.com>

:With all due respect, ICMP source quenches are in my experience not a regular
:occurrence (even though it'd be nice to get them more frequently) and even if
:they occur, most stacks don't know how to deal with it correctly.
:
:ICMP is primarily a diagnostic tool. In a properly configured network, ICMP
:is not necessary. Again, loosen your configs as needed. A lack of ICMP
:in a properly configured network is irritating at best, but not life
:threatening.
:
:Cheers,
:Chris

ICMP is definitely not just a diagnostic tool, and it is put to good use in a properly configured network. For example, Path MTU Discovery uses ICMP (RFC 1191).

ICMP is not something you want to arbitrarily filter. At the very least you want to let through the various unreachability messages.

-Matt
Matthew Dillon
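Added example, not part of the original message: a small Python parser for ICMPv4 messages that shows what a blanket ICMP filter throws away, including the next-hop MTU that RFC 1191 Path MTU Discovery reads from a type 3, code 4 message. The function names, the `must_pass` field and the sample packets are assumptions constructed for illustration.

```python
import struct

# ICMPv4 type 3 (Destination Unreachable) codes from RFC 792.
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable",
                 4: "fragmentation needed and DF set", 5: "source route failed"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp(msg: bytes) -> dict:
    """Parse an ICMPv4 message (IP header already stripped)."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    if inet_checksum(msg) != 0:  # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _cksum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    info = {"type": icmp_type, "code": code, "next_hop_mtu": None}
    if icmp_type == 3:
        info["must_pass"] = True  # "the various unreachability messages"
        info["reason"] = UNREACH_CODES.get(code, "unreachable (other code)")
        # RFC 1191 puts the next-hop MTU in the low 16 bits of the second
        # header word; routers that predate it leave the field zero.
        if code == 4 and mtu:
            info["next_hop_mtu"] = mtu
    else:
        info["must_pass"] = False
        info["reason"] = "not an unreachable message; local policy decides"
    return info

def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes) -> bytes:
    """Build a sample message with a valid checksum (test data only)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

# Constructed samples: a quoted IP header with DF set plus 8 payload bytes.
QUOTED = b"\x45\x00\x05\xdc\x00\x00\x40\x00" + bytes(20)
FRAG_NEEDED = build_icmp(3, 4, struct.pack("!HH", 0, 1400), QUOTED)
ECHO = build_icmp(8, 0, struct.pack("!HH", 1, 1), b"ping")

if __name__ == "__main__":
    for sample in (FRAG_NEEDED, ECHO):
        print(parse_icmp(sample))
```

A filter that drops the first sample leaves the sender with no way to learn that the path MTU is 1400, so its DF-marked packets keep being discarded silently.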