From owner-freebsd-security Mon Jan 18 01:09:39 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA13758 for freebsd-security-outgoing; Mon, 18 Jan 1999 01:09:39 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.149.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA13753 for ; Mon, 18 Jan 1999 01:09:35 -0800 (PST) (envelope-from avalon@cheops.anu.edu.au)
Received: (from avalon@localhost) by cheops.anu.edu.au (8.9.1/8.9.1) id UAA02014; Mon, 18 Jan 1999 20:08:34 +1100 (EDT)
From: Darren Reed
Message-Id: <199901180908.UAA02014@cheops.anu.edu.au>
Subject: Re: Small Servers - ICMP Redirect
To: ck@adsu.bellsouth.com (Christian Kuhtz)
Date: Mon, 18 Jan 1999 20:08:33 +1100 (EDT)
Cc: dillon@apollo.backplane.com, ck@adsu.bellsouth.com, danny@hilink.com.au, jjwolf@bleeding.com, ben@rosengart.com, madrapour@hotmail.com, freebsd-security@FreeBSD.ORG
In-Reply-To: <19990117194706.H97318@oreo.adsu.bellsouth.com> from "Christian Kuhtz" at Jan 17, 99 07:47:06 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Christian Kuhtz, sie said:
[...]
> Nothing is broken by not getting host unreachable messages. Nothing breaks
> by not permitting traceroutes (port unreachable et al). Sure, path MTU
> discovery according to RFC1191 is nice, but not vital. Arguably, there are
> other much bigger bottlenecks over WANs (at the edge of which firewalls are
> typically used) than suboptimal MRUs.
[...]

Depends on how you define "broken". If you don't mind waiting two minutes
for a TCP connection to report "connection timed out" when it could return
"network/host unreachable" then sure, stopping ICMP unreachables doesn't
break anything.

There's also a similar impact on DNS things which operate over the WAN
(squid's protocol, DNS, NTP, etc) which can return an error that isn't
"connection timed out".

Darren
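
The difference described in the message above, as an added example that is not part of the original post: on loopback, a connected UDP socket learns about a closed port at once through ICMP port unreachable, while a destination that sends nothing back (what the sender sees when ICMP unreachables are filtered) is only noticed when the timer expires. The function names and the 0.5 s timeout are assumptions made for this example.

```python
import errno
import socket
import time

# errno values a connected socket reports after an ICMP destination-unreachable
# arrives (ECONNREFUSED on UDP corresponds to ICMP "port unreachable").
ICMP_ERRNOS = {
    errno.ECONNREFUSED: "port unreachable",
    errno.EHOSTUNREACH: "host unreachable",
    errno.ENETUNREACH: "network unreachable",
}


def udp_probe(host, port, timeout=2.0):
    """Send one datagram and report how the failure was learned: (verdict, seconds)."""
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            # connect() matters: only a connected UDP socket is handed ICMP errors.
            s.connect((host, port))
            s.send(b"\x00")
            s.recv(512)
            verdict = "reply"
        except socket.timeout:
            verdict = "timed out"  # silence: nothing came back at all
        except OSError as exc:
            verdict = ICMP_ERRNOS.get(exc.errno, "other error")
    return verdict, time.monotonic() - start


def loopback_demo(timeout=0.5):
    """Constructed loopback case: a closed port versus a port that stays silent."""
    closed = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    closed.bind(("127.0.0.1", 0))
    closed_port = closed.getsockname()[1]
    closed.close()  # nothing listens on this port any more
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as silent:
        silent.bind(("127.0.0.1", 0))  # bound, but never answers
        return (udp_probe("127.0.0.1", closed_port, timeout),
                udp_probe("127.0.0.1", silent.getsockname()[1], timeout))


if __name__ == "__main__":
    for verdict, secs in loopback_demo():
        print(f"{verdict:18s} after {secs:.3f}s")
```

Run against a real destination, `udp_probe` returning "timed out" where an unreachable error was expected is a sign that ICMP unreachables are being dropped somewhere on the path.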