From owner-freebsd-security Tue Aug 22 14:29: 7 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ibb0021.ibb.uu.nl (ibb0021.ibb.uu.nl [131.211.124.21]) by hub.freebsd.org (Postfix) with ESMTP id C450A37B43C for ; Tue, 22 Aug 2000 14:29:04 -0700 (PDT)
Received: by ibb0021.ibb.uu.nl (Postfix) id E574F7B1; Tue, 22 Aug 2000 23:28:21 +0200 (CEST)
Date: Tue, 22 Aug 2000 23:28:21 +0200
From: Mipam
To: Lowell Gilbert
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: icmptypes
Message-ID: <20000822232821.D633@ibb0021.ibb.uu.nl>
Reply-To: mipam@ibb.net
References: <20000821180351.H57333@jade.chc-chimes.com> <20000821181825.I57333@jade.chc-chimes.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from lowell@world.std.com on Tue, Aug 22, 2000 at 11:17:25AM -0400
X-Obviously: All email clients suck. Only Mutt sucks less!
X-Editor: Vi
X-Operating-System: BSD
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Dropping packets is never a violation of the protocol spec. Returning
> ICMP "unreachable" errors in response to other ICMP packets would be.
> This is an important distinction. [It's also what Rodney Grimes
> actually said.]
>

Hmmm, normally when you ping, for example, a host on another network which
isn't up, the router in between will return icmp unreach to you. However,
when you return an icmp unreach with the source ip of the host which is
supposed to be down, it's a little bit strange indeed :)

And indeed, blocking all icmp types is far from optimal. Some choose to do
so and take the inconveniences which come with it; personally I don't. But
then again, some also choose to deny all packets with any ip option in
them, causing problems for traceroute and such. So, it's also a bit of a
personal choice. Same with fragmented packets.

Of course, when replies are given which are a violation of the protocol
specs, then it's bad.

Bye,

Mipam.