Date: Tue, 19 Jan 1999 00:09:02 -0500
From: Jared Mauch <jared@puck.nether.net>
To: Christian Kuhtz <ck@adsu.bellsouth.com>
Cc: security@FreeBSD.ORG
Subject: Re: icmp
Message-ID: <19990119000902.A11438@puck.nether.net>
In-Reply-To: <19990118230751.D5878@oreo.adsu.bellsouth.com>; from Christian Kuhtz on Mon, Jan 18, 1999 at 11:07:51PM -0500
References: <19990118230751.D5878@oreo.adsu.bellsouth.com>

On Mon, Jan 18, 1999 at 11:07:51PM -0500, Christian Kuhtz wrote:
>
> Nate, et al,
>
> You are right. If PMTU Discovery actually occurs, filtering ICMP
> unreachable-need frag does break things. Mea culpa.
>
> I had never seen it do that and based on that falsely concluded that it
> wouldn't be affected, since one almost always got away with it (thanks to
> widespread Ethernet). Learned a lot about ICMP processing in BSD while
> reading the sources, though ;).

Do not fear, this is a common mistake actually, the problem is that it becomes too common.

People use filtering icmp as a hack fix in cases to drop traffic that could be DoS or otherwise unrelated. I remember several years ago getting icmp redirects sent halfway across the world from broken routers, and attempted to do a great deal of work to get people to fix them :)

What is good is not telling people that "you're an idiot, that breaks stuff", but taking the time to explain why and how it can, and help educate and require your vendors (both in the Free software community, and in the Commercial megabucks world) to comply to them once you've learned why and how these things are in place.

We were all without clue once, let's help :)

- jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message