Date: Tue, 22 Aug 2000 23:28:21 +0200
From: Mipam <mipam@ibb.net>
To: Lowell Gilbert <lowell@world.std.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: icmptypes
Message-ID: <20000822232821.D633@ibb0021.ibb.uu.nl>
In-Reply-To: <rd6r97htjei.fsf@world.std.com>; from lowell@world.std.com on Tue, Aug 22, 2000 at 11:17:25AM -0400
References: <20000821180351.H57333@jade.chc-chimes.com> <20000821181825.I57333@jade.chc-chimes.com> <rd6r97htjei.fsf@world.std.com>

> Dropping packets is never a violation of the protocol spec. Returning
> ICMP "unreachable" errors in response to other ICMP packets would be.
> This is an important distinction. [It's also what Rodney Grimes
> actually said.]
>

Hmmm,

Normally when you ping, for example, a host on another network which isn't up, the router in between will return ICMP unreach to you. However, when you return an ICMP unreach with source IP from the host which is supposed to be down, it's a little bit strange indeed :)

And indeed, blocking all ICMP types is far from optimal. Some choose to do so and take the inconveniences which come with it; personally I don't. But then again, some also choose to deny all packets with any IP option in them, causing problems for traceroute and such. So, it's also a bit of a personal choice. Same with fragmented packets.

Of course, when replies are given which are a violation of the protocol specs, then it's bad.

Bye,

Mipam.