From owner-freebsd-security Tue Aug 22 13:20:48 2000 Delivered-To: freebsd-security@freebsd.org Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6]) by hub.freebsd.org (Postfix) with ESMTP id D20EE37B424 for ; Tue, 22 Aug 2000 13:20:45 -0700 (PDT) Received: by jade.chc-chimes.com (Postfix, from userid 1001) id 66E8C1C6B; Tue, 22 Aug 2000 16:20:45 -0400 (EDT) Date: Tue, 22 Aug 2000 16:20:45 -0400 From: Bill Fumerola To: Lowell Gilbert Cc: freebsd-security@freeBSD.org Subject: Re: icmptypes Message-ID: <20000822162045.M57333@jade.chc-chimes.com> References: <20000821180351.H57333@jade.chc-chimes.com> <20000821181825.I57333@jade.chc-chimes.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: ; from lowell@world.std.com on Tue, Aug 22, 2000 at 11:17:25AM -0400 X-Operating-System: FreeBSD 3.3-STABLE i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, Aug 22, 2000 at 11:17:25AM -0400, Lowell Gilbert wrote: > > If this is being used as a border firewall or some such, then I would > > certainly heed Rod's advice on being careful what to break. For a single > > machine, I'd be less worried. > > The gains, however, are fairly small. And some things *will* break. > At a very minimum, allow echo replies (possibly via stateful > tracking), dest unreachable, TTL exceeded, and header error. Respectfully, I'd say that the gains of doing funky things that break RFC are sometimes fairly large[1]. -- Bill Fumerola - Network Architect, BOFH / Chimes, Inc. billf@chimesnet.com / billf@FreeBSD.org 1. For machines that are under heavy attack. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message