From owner-freebsd-security Sun Jan 17 13:55:25 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA04750 for freebsd-security-outgoing; Sun, 17 Jan 1999 13:55:25 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from enya.clari.net.au (enya.clari.net.au [203.8.14.116]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA04745 for ; Sun, 17 Jan 1999 13:55:23 -0800 (PST) (envelope-from danny@enya.clari.net.au) Received: from localhost (danny@localhost) by enya.clari.net.au (8.8.8/8.8.7) with SMTP id IAA15305; Mon, 18 Jan 1999 08:54:45 +1100 (EST) (envelope-from danny@enya.clari.net.au) Date: Mon, 18 Jan 1999 08:54:45 +1100 (EST) From: "Daniel O'Callaghan" To: Justin Wolf cc: ben@rosengart.com, "N. N.M" , freebsd-security@FreeBSD.ORG Subject: Re: Small Servers - ICMP Redirect In-Reply-To: <007701be4256$f01ff740$02c3fe90@cisco.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, 17 Jan 1999, Justin Wolf wrote: > >> 2) About ICMP redirect messages, as I learned they could be used to make > >> our network disconnected and somthing. What's the way to prevent this > >> kind of attack? Does blocking this kind of ICMP on firewall and routers > >> cause any problem in connectivity and system behavior? > > > >I would block these messages from entering my network, absolutely. > > Keep in mind that flatly blocking all ICMP messages will prevent traces and > pings both in and out of your network. It will also effect certain > services... The best way to tailor this is to block everything and loosen > it up as necessary to keep things from breaking. It will also block useful things like source-quench. ICMP exists for a reason. Danny To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message