Date: Tue, 22 Aug 2000 16:20:45 -0400 From: Bill Fumerola <billf@chimesnet.com> To: Lowell Gilbert <lowell@world.std.com> Cc: freebsd-security@freeBSD.org Subject: Re: icmptypes Message-ID: <20000822162045.M57333@jade.chc-chimes.com> In-Reply-To: <rd6r97htjei.fsf@world.std.com>; from lowell@world.std.com on Tue, Aug 22, 2000 at 11:17:25AM -0400 References: <20000821180351.H57333@jade.chc-chimes.com> <20000821181825.I57333@jade.chc-chimes.com> <rd6r97htjei.fsf@world.std.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Aug 22, 2000 at 11:17:25AM -0400, Lowell Gilbert wrote:
> > If this is being used as a border firewall or some such, then I would
> > certainly heed Rod's advice on being careful what to break. For a single
> > machine, I'd be less worried.
>
> The gains, however, are fairly small. And some things *will* break.
> At a very minimum, allow echo replies (possibly via stateful
> tracking), dest unreachable, TTL exceeded, and header error.
Respectfully, I'd say that the gains of doing funky things that
break RFC are sometimes fairly large[1].
--
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
billf@chimesnet.com / billf@FreeBSD.org
1. For machines that are under heavy attack.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000822162045.M57333>