From owner-freebsd-security Sun Jan 17 16:50:13 1999
From: David G Andersen
Message-Id: <199901180051.RAA16892@lal.cs.utah.edu>
Subject: Re: Small Servers - ICMP Redirect
To: ck@adsu.bellsouth.com (Christian Kuhtz)
Date: Sun, 17 Jan 1999 17:51:06 -0700 (MST)
Cc: danny@hilink.com.au, jjwolf@bleeding.com, ben@rosengart.com, madrapour@hotmail.com, freebsd-security@FreeBSD.ORG
In-Reply-To: <19990117185047.A97318@oreo.adsu.bellsouth.com> from "Christian Kuhtz" at Jan 17, 99 06:50:47 pm

Lo and behold, Christian Kuhtz once said:
>
> ICMP is primarily a diagnostic tool.  In a properly configured network, ICMP
> is not necessary.  Again, loosen your configs as needed.  A lack of ICMP
> in a properly configured network is irritating at best, but not life
> threatening.

This is actually incorrect.  ICMP is an important part of path MTU
discovery (did I say important?  I meant critical).  You really don't want
to block ICMP_UNREACH_NEEDFRAG messages, because it *will* hurt your
performance.  That's ICMP type 3, subtype 4, for those of you counting.

-Dave
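
What the ICMP_UNREACH_NEEDFRAG message carries and how a blanket ICMP block treats it, as an added example that is not part of the original post. The rule format, function names and sample packet are constructed for illustration; the next-hop MTU field position follows RFC 1191.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; a message with a valid checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_needfrag(icmp: bytes):
    """Return the PMTUD fields of a valid type 3 / code 4 message, else None."""
    if len(icmp) < 28 or (icmp[0], icmp[1]) != (3, 4):
        return None
    if inet_checksum(icmp) != 0 or icmp[8] >> 4 != 4:
        return None  # corrupted, or the quoted packet is not IPv4
    return {
        "next_hop_mtu": struct.unpack("!H", icmp[6:8])[0],  # RFC 1191 field
        "orig_len": struct.unpack("!H", icmp[10:12])[0],    # size that did not fit
        "orig_src": socket.inet_ntoa(icmp[20:24]),          # the sender that must shrink
        "orig_dst": socket.inet_ntoa(icmp[24:28]),
    }

def filter_verdict(rules, icmp: bytes) -> str:
    """Hypothetical first-match filter: rules are (action, type, code), None = any."""
    for action, rtype, rcode in rules:
        if rtype in (None, icmp[0]) and rcode in (None, icmp[1]):
            return action
    return "deny"

def build_sample(mtu: int = 1400) -> bytes:
    """Constructed sample: a router reports that a 1500-byte DF packet
    from 192.0.2.10 did not fit a link with the given MTU."""
    quoted = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 63, 6, 0,
                         socket.inet_aton("192.0.2.10"),
                         socket.inet_aton("198.51.100.20")) + bytes(8)
    cksum = inet_checksum(struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + quoted)
    return struct.pack("!BBHHH", 3, 4, cksum, 0, mtu) + quoted

# The policy the reply warns against, and one that keeps path MTU discovery alive.
BLOCK_ALL_ICMP = [("deny", None, None)]
ALLOW_NEEDFRAG = [("allow", 3, 4), ("deny", None, None)]

if __name__ == "__main__":
    pkt = build_sample()
    print(parse_needfrag(pkt))
    print("block-all:", filter_verdict(BLOCK_ALL_ICMP, pkt))
    print("allow 3/4:", filter_verdict(ALLOW_NEEDFRAG, pkt))
```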