Date: Mon, 18 Jan 1999 20:08:33 +1100 (EDT)
From: Darren Reed <avalon@coombs.anu.edu.au>
To: ck@adsu.bellsouth.com (Christian Kuhtz)
Cc: dillon@apollo.backplane.com, ck@adsu.bellsouth.com, danny@hilink.com.au, jjwolf@bleeding.com, ben@rosengart.com, madrapour@hotmail.com, freebsd-security@FreeBSD.ORG
Subject: Re: Small Servers - ICMP Redirect
Message-ID: <199901180908.UAA02014@cheops.anu.edu.au>
In-Reply-To: <19990117194706.H97318@oreo.adsu.bellsouth.com> from "Christian Kuhtz" at Jan 17, 99 07:47:06 pm
In some mail from Christian Kuhtz, sie said:
[...]
> Nothing is broken by not getting host unreachable messages. Nothing breaks
> by not permitting traceroutes (port unreachable et al). Sure, path MTU
> discovery according to RFC1191 is nice, but not vital. Arguably, there are
> other much bigger bottlenecks over WANs (at the edge of which firewalls are
> typically used) than suboptimal MRUs.
[...]

Depends on how you define "broken". If you don't mind waiting two minutes for a TCP connection to report "connection timed out" when it could return "network/host unreachable", then sure, stopping ICMP unreachables doesn't break anything. There's also a similar impact on DNS things which operate over the WAN (squid's protocol, DNS, NTP, etc.) which can return an error that isn't "connection timed out".

Darren
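The mechanism behind Darren's point, as an added example that is not part of the original post or of any FreeBSD code: a host can only turn a failed connection into an immediate "host unreachable" error if the ICMP Destination Unreachable message that quotes its SYN actually reaches it. The script below parses such a message (type 3, and Time Exceeded for traceroute), recovers the flow it refers to from the quoted IP header and first 8 transport bytes, and shows the check a border filter can make instead of dropping all ICMP: admit only the error types the thread mentions (unreachables, fragmentation-needed for RFC 1191 PMTUD, time exceeded) and only when the quoted datagram belongs to a flow this side originated. The errno mapping, the allow-list and the addresses, ports and flow table are constructed for illustration; real stacks differ in detail (FreeBSD, for instance, maps net-unreachable to EHOSTUNREACH and only aborts a TCP connection still in SYN_SENT).

```python
"""ICMP error parsing plus a stateful pass/drop check (constructed example)."""
import errno
import socket
import struct

ICMP_ECHO_REPLY = 0
ICMP_UNREACH = 3
ICMP_TIME_EXCEEDED = 11
IPPROTO_TCP = 6

# Illustrative (simplified) mapping from Destination Unreachable codes to the
# errno a connect()/sendto() gets instead of a ~2 minute timeout.
UNREACH_CODE_TO_ERRNO = {
    0: errno.ENETUNREACH,   # network unreachable
    1: errno.EHOSTUNREACH,  # host unreachable
    3: errno.ECONNREFUSED,  # port unreachable (what ends a UDP traceroute)
    4: errno.EMSGSIZE,      # fragmentation needed and DF set (RFC 1191 PMTUD)
}

# (type, code) pairs a border filter should still admit inbound: the errors
# above, Time Exceeded (traceroute), and Echo Reply for our own pings.
ALLOWED_ICMP = {(ICMP_UNREACH, c) for c in UNREACH_CODE_TO_ERRNO} | {
    (ICMP_TIME_EXCEEDED, 0), (ICMP_TIME_EXCEEDED, 1), (ICMP_ECHO_REPLY, 0)}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 for data whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_inner_datagram(src, dst, proto, sport, dport, df=False) -> bytes:
    """Minimal IPv4 header + first 8 transport bytes: the part of the offending
    datagram an ICMP error quotes (constructed sample, seq number zeroed)."""
    flags_frag = 0x4000 if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, flags_frag, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + struct.pack("!HHI", sport, dport, 0)


def build_unreach(code: int, quoted: bytes, next_hop_mtu: int = 0) -> bytes:
    """Destination Unreachable; the MTU field is only meaningful for code 4."""
    hdr = struct.pack("!BBHHH", ICMP_UNREACH, code, 0, 0, next_hop_mtu)
    csum = inet_checksum(hdr + quoted)
    return struct.pack("!BBHHH", ICMP_UNREACH, code, csum, 0, next_hop_mtu) + quoted


def parse_icmp_error(pkt: bytes) -> dict:
    """Parse an ICMP error (types 3/11) and recover the flow it refers to."""
    if len(pkt) < 8 + 20 + 8:
        raise ValueError("too short to quote an IP header plus 8 bytes")
    if inet_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", pkt[:8])
    if typ not in (ICMP_UNREACH, ICMP_TIME_EXCEEDED):
        raise ValueError("not an ICMP error message: type %d" % typ)
    ihl = (pkt[8] & 0x0F) * 4          # quoted header may carry options
    if ihl < 20 or len(pkt) < 8 + ihl + 8:
        raise ValueError("quoted IP header truncated")
    inner = pkt[8:8 + ihl]
    sport, dport = struct.unpack("!HH", pkt[8 + ihl:8 + ihl + 4])
    err = UNREACH_CODE_TO_ERRNO.get(code) if typ == ICMP_UNREACH else None
    return {
        "type": typ, "code": code, "proto": inner[9],
        "src": socket.inet_ntoa(inner[12:16]), "dst": socket.inet_ntoa(inner[16:20]),
        "sport": sport, "dport": dport,
        "mtu": mtu if (typ, code) == (ICMP_UNREACH, 4) else None,
        "errno": err, "errname": errno.errorcode.get(err) if err else None,
    }


def icmp_error_passes(pkt: bytes, flows: set) -> bool:
    """Stateful check: admit the error only if (type, code) is allow-listed AND
    the quoted datagram matches a flow we originated. `flows` holds
    (proto, src, sport, dst, dport) tuples for outbound traffic."""
    try:
        e = parse_icmp_error(pkt)
    except ValueError:
        return False
    if (e["type"], e["code"]) not in ALLOWED_ICMP:
        return False
    return (e["proto"], e["src"], e["sport"], e["dst"], e["dport"]) in flows


# Constructed sample: 192.0.2.10 is opening TCP 203.0.113.5:80 and a router
# reports the host unreachable; the second message quotes a flow we never sent.
FLOWS = {(IPPROTO_TCP, "192.0.2.10", 40000, "203.0.113.5", 80)}
SAMPLE_HOST_UNREACH = build_unreach(
    1, build_inner_datagram("192.0.2.10", "203.0.113.5", IPPROTO_TCP, 40000, 80))
SAMPLE_UNSOLICITED = build_unreach(
    1, build_inner_datagram("192.0.2.10", "198.51.100.7", IPPROTO_TCP, 40000, 80))
SAMPLE_FRAG_NEEDED = build_unreach(
    4, build_inner_datagram("192.0.2.10", "203.0.113.5", IPPROTO_TCP, 40000, 80, df=True), 1400)

if __name__ == "__main__":
    info = parse_icmp_error(SAMPLE_HOST_UNREACH)
    print("connect() would fail with", info["errname"], "for", info)
    print("pass:", icmp_error_passes(SAMPLE_HOST_UNREACH, FLOWS),
          "drop:", not icmp_error_passes(SAMPLE_UNSOLICITED, FLOWS))
```

The flow-matching step is what makes "allow ICMP unreachables" safe rather than a blanket hole: an error that quotes a connection nobody on the inside opened is dropped, while a genuine host-unreachable or fragmentation-needed for an outbound SYN is delivered and the stack can fail fast or adjust the path MTU.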