From owner-freebsd-security Sun Jan 17 16:47:45 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA04045 for freebsd-security-outgoing; Sun, 17 Jan 1999 16:47:45 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from oreo.adsu.bellsouth.com (oreo.adsu.bellsouth.com [205.152.173.36]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA04038 for ; Sun, 17 Jan 1999 16:47:43 -0800 (PST) (envelope-from ck@oreo.adsu.bellsouth.com)
Received: (from ck@localhost) by oreo.adsu.bellsouth.com (8.9.1/8.9.1) id TAA97885; Sun, 17 Jan 1999 19:47:06 -0500 (EST) (envelope-from ck)
Date: Sun, 17 Jan 1999 19:47:06 -0500
From: Christian Kuhtz
To: Matthew Dillon
Cc: Christian Kuhtz, "Daniel O'Callaghan", Justin Wolf, ben@rosengart.com, "N. N.M", freebsd-security@FreeBSD.ORG
Subject: Re: Small Servers - ICMP Redirect
Message-ID: <19990117194706.H97318@oreo.adsu.bellsouth.com>
References: <007701be4256$f01ff740$02c3fe90@cisco.com> <19990117185047.A97318@oreo.adsu.bellsouth.com> <199901180030.QAA54407@apollo.backplane.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95i
In-Reply-To: <199901180030.QAA54407@apollo.backplane.com>; from Matthew Dillon on Sun, Jan 17, 1999 at 04:30:56PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Jan 17, 1999 at 04:30:56PM -0800, Matthew Dillon wrote:
> ICMP is definitely not just a diagnostic tool, and it is put to good use
> in a properly configured network. For example, Path MTU Discovery
> uses ICMP ( RFC 1191 ). ICMP is not something you want to arbitrarily
> filter. At the very least you want to let through the various
> unreachability messages.

#ifndef _RUNAWAY_-CURRENT_THREAD

Nothing is broken by not getting host unreachable messages. Nothing breaks by not permitting traceroutes (port unreachable et al). Sure, path MTU discovery according to RFC1191 is nice, but not vital. Arguably, there are other much bigger bottlenecks over WANs (at the edge of which firewalls are typically used) than suboptimal MRUs.

Many service providers filter and/or rate limit ICMP messages (to prevent SMURF amplification et al. from causing havoc to their infrastructures). To build applications which _rely exclusively_ on ICMP to work is close to grossly negligent. Those that do are primarily diagnostic applications.

I didn't say ICMP is an optional component of IP. This was in the context of firewalls. Some schools of firewall design insist that only absolutely required traffic pass the firewall. As such, turning ICMP off at the firewall is perhaps not the prettiest or whatever way to do it, but it certainly prevents the various exploits based on ICMP.

#endif /* _RUNAWAY_-CURRENT_THREAD */

There is no such thing as a free lunch. Security doesn't come without a price. In fact, I am required to trade slight performance and convenience for security. And so are many others. That is where the question and my response originated. If you aren't part of that group... use IP to the fullest and ignore this thread.

Cheers,
Chris

-- 
"We are not bound by any concept, we are just bound to make any concept work better than others." -- Dr. Ferry Porsche

[Disclaimer: I speak for myself and my views are my own and not in any way to be construed as the views of BellSouth Corporation. ]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
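The middle ground between the two positions in this exchange (drop all ICMP at the border versus let it all through) is selective filtering. The following is an added example, not code from the thread or from FreeBSD: a minimal ICMP parser with an RFC 1071 checksum check and a conservative inbound policy. The allow-list (destination unreachable codes 1, 3 and 4, time exceeded) and the requirement that error messages quote 28 bytes of the original datagram are my assumptions; redirects and echo traffic are dropped.

```python
import struct

# ICMP types (RFC 792) that come up in the thread
ECHO_REPLY, DEST_UNREACH, REDIRECT, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 5, 8, 11
# Inbound policy (my assumption, not the thread's): only the error messages PMTUD
# and plain error reporting need. Type 3 code 4 is "fragmentation needed"
# (RFC 1191), codes 1/3 are host/port unreachable, type 11 is time exceeded.
ALLOW_INBOUND = {(DEST_UNREACH, 1), (DEST_UNREACH, 3), (DEST_UNREACH, 4),
                 (TIME_EXCEEDED, 0), (TIME_EXCEEDED, 1)}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp(msg: bytes):
    """Return (type, code, rest-of-header, payload); raise ValueError if malformed."""
    if len(msg) < 8:
        raise ValueError("ICMP header truncated")
    if icmp_checksum(msg) != 0:  # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    itype, code = struct.unpack("!BB", msg[:2])
    return itype, code, msg[4:8], msg[8:]

def filter_inbound(msg: bytes) -> str:
    """Decide what a strict border firewall does with one inbound ICMP message."""
    try:
        itype, code, rest, payload = parse_icmp(msg)
    except ValueError as err:
        return "drop: %s" % err
    if itype == REDIRECT:
        return "drop: redirect (would rewrite host routes)"
    if itype in (ECHO_REQUEST, ECHO_REPLY):
        return "drop: echo (smurf amplification)"
    if (itype, code) not in ALLOW_INBOUND:
        return "drop: type %d code %d not required" % (itype, code)
    if len(payload) < 28:  # must quote the original IP header plus 8 bytes
        return "drop: error message lacks quoted original datagram"
    if (itype, code) == (DEST_UNREACH, 4):
        return "allow (next-hop MTU %d)" % struct.unpack("!H", rest[2:4])[0]
    return "allow"

def build_icmp(itype: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Assemble a constructed test message with a correct checksum."""
    body = struct.pack("!BBH", itype, code, 0) + rest + payload
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]
```

Feeding `build_icmp(3, 4, b"\x00\x00\x05\xdc", <28 quoted bytes>)` through `filter_inbound` passes with the next-hop MTU 1500, while a redirect or a message with a flipped byte is dropped with the reason.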