Date: Sun, 17 Jan 1999 16:56:19 -0500 (EST)
From: Snob Art Genre
Reply-To: ben@rosengart.com
To: "Daniel O'Callaghan"
cc: Justin Wolf, "N. N.M", freebsd-security@FreeBSD.ORG
Subject: Re: Small Servers - ICMP Redirect

On Mon, 18 Jan 1999, Daniel O'Callaghan wrote:

> On Sun, 17 Jan 1999, Justin Wolf wrote:
>
> > >> 2) About ICMP redirect messages, as I learned they could be used to make
> > >> our network disconnected and something. What's the way to prevent this
> > >> kind of attack? Does blocking this kind of ICMP on firewall and routers
> > >> cause any problem in connectivity and system behavior?
> > >
> > >I would block these messages from entering my network, absolutely.
> >
> > Keep in mind that flatly blocking all ICMP messages will prevent traces and
> > pings both in and out of your network. It will also affect certain
> > services... The best way to tailor this is to block everything and loosen
> > it up as necessary to keep things from breaking.
>
> It will also block useful things like source-quench. ICMP exists for a
> reason.

Read the question again, people.


 Ben

"You have your mind on computers, it seems."
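
Added example, not part of the original thread: a small Python model of the border policy the question asks about, dropping only ICMP redirects (type 5) while ping, traceroute replies and source-quench still pass. The function names, the policy set and the sample messages (including the 192.0.2.1 gateway) are constructed for illustration.

```python
import struct

# ICMP type numbers relevant to the thread (RFC 792).
ICMP_NAMES = {0: "echo-reply", 3: "dest-unreachable", 4: "source-quench",
              5: "redirect", 8: "echo-request", 11: "time-exceeded"}
BLOCKED_TYPES = {5}  # assumed policy: drop only redirects arriving from outside


def checksum(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type, code=0, rest=b"\x00" * 4, payload=b""):
    """Build a constructed sample ICMP message with a valid checksum."""
    body = rest + payload
    csum = checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body


def filter_icmp(msg: bytes):
    """Return (verdict, label) for one inbound ICMP message."""
    if len(msg) < 8:
        return ("drop", "truncated")
    if checksum(msg) != 0:  # a valid message sums to zero
        return ("drop", "bad-checksum")
    icmp_type = msg[0]
    label = ICMP_NAMES.get(icmp_type, "type-%d" % icmp_type)
    return ("drop" if icmp_type in BLOCKED_TYPES else "pass", label)


def demo():
    """Run the policy over constructed samples; returns label -> verdict."""
    samples = [
        build_icmp(5, 1, bytes([192, 0, 2, 1]), b"\x00" * 28),  # host redirect
        build_icmp(4), build_icmp(8, payload=b"ping"),
        build_icmp(0, payload=b"ping"), build_icmp(11), build_icmp(3, 4),
    ]
    return {label: verdict for verdict, label in map(filter_icmp, samples)}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print("%-18s %s" % (label, verdict))
```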