From: "Justin Wolf"
To: "N. N.M"
Subject: Re: Small Servers - ICMP Redirect
Date: Sun, 17 Jan 1999 12:20:45 -0800

>> 2) About ICMP redirect messages, as I learned they could be used to make
>> our network disconnected and something. What's the way to prevent this
>> kind of attack? Does blocking this kind of ICMP on firewall and routers
>> cause any problem in connectivity and system behavior?
>
>I would block these messages from entering my network, absolutely.

Keep in mind that flatly blocking all ICMP messages will prevent traces and pings both in and out of your network. It will also affect certain services... The best way to tailor this is to block everything and loosen it up as necessary to keep things from breaking.

-Justin
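An ipfw ruleset that follows the block-everything-then-loosen approach from the reply above, as an added example that is not part of the original message. The external interface name, the rule numbers and the choice of ICMP types let back in are assumptions; the script prints the commands for review instead of applying them.

```shell
#!/bin/sh
# Added example: default-deny ICMP on the external interface of a FreeBSD
# ipfw firewall, with redirects dropped and only selected types let back in.
# Assumed values (not from the original message): EXT_IF, BASE, and the
# allowed ICMP types.
EXT_IF="${EXT_IF:-em0}"   # hypothetical external interface
BASE="${BASE:-1000}"      # hypothetical first rule number

# Print the ipfw commands rather than running them, so the ruleset can be
# reviewed first and then applied with:  icmp_rules | sh
icmp_rules() {
    n=$BASE
    emit() { echo "ipfw add $n $*"; n=$((n + 10)); }

    # ICMP redirect is type 5. Drop it first so that no later loosening
    # rule can accidentally let it through.
    emit "deny icmp from any to any via $EXT_IF icmptypes 5"

    # Loosened inbound: echo reply (0) so our own pings get answers, and
    # destination unreachable (3) / time exceeded (11), which outbound
    # traceroute and path-MTU discovery depend on.
    emit "allow icmp from any to any in via $EXT_IF icmptypes 0,3,11"

    # Loosened outbound: echo request (8) for our own pings, and
    # destination unreachable (3) so remote peers still learn about
    # closed ports and fragmentation-needed conditions.
    emit "allow icmp from any to any out via $EXT_IF icmptypes 3,8"

    # Everything else ICMP on the external interface stays blocked.
    # Inbound echo request (8) is therefore refused: outside hosts cannot
    # ping in until a rule for it is added deliberately.
    emit "deny icmp from any to any via $EXT_IF"
}

icmp_rules
```

Because ipfw stops at the first matching rule, any type added later belongs in the allow rules between the redirect deny and the final deny.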