
List:       freebsd-security
Subject:    Re: Small Servers - ICMP Redirect
From:       Nate Williams <nate () mt ! sri ! com>
Date:       1999-01-18 15:11:06

>>     ICMP is definitely not just a diagnostic tool, and it is put to
>>     good use in a properly configured network.  For example, Path MTU
>>     Discovery uses ICMP ( RFC 1191 ).  ICMP is not something you want
>>     to arbitrarily filter.  At the very least you want to let through
>>     the various unreachability messages.
> 

> Nothing is broken by not getting host unreachable messages.  Nothing
> breaks by not permitting traceroutes (port unreachable et al).  Sure,
> path MTU discovery according to RFC1191 is nice, but not vital.

Hmm, you really don't have a clue, do you?  If you break path MTU
discovery in your LAN, then you won't get any data to it.  Assuming you
want to be on the internet, then getting packets is kind of vital.

See a recent set of postings I started around the middle of December last
year on hackers on why path MTU discovery working is important.



Nate
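
Added example, not part of the original message: a toy model of RFC 1191 Path MTU Discovery showing what happens to DF-marked packets when a filter drops the ICMP "fragmentation needed" error (type 3, code 4) versus when unreachables are let through. The link MTUs, policy names and function names are constructed for illustration.

```python
"""Toy model of RFC 1191 Path MTU Discovery (constructed example)."""

ICMP_DEST_UNREACH = 3   # ICMP type 3: destination unreachable
ICMP_FRAG_NEEDED = 4    # code 4: fragmentation needed and DF set


def forward(size, link_mtus):
    """Send one DF packet of `size` bytes across the links in order.

    Returns ("delivered", None), or ("icmp", (type, code, next_hop_mtu))
    from the first router whose outgoing link is too small.
    """
    for mtu in link_mtus:
        if size > mtu:
            return "icmp", (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, mtu)
    return "delivered", None


def filter_drops(icmp_msg, policy):
    """Hypothetical filter policies: 'drop_all_icmp' or 'allow_unreach'."""
    if policy == "drop_all_icmp":
        return True
    return icmp_msg[0] != ICMP_DEST_UNREACH  # type 3 passes, rest dropped


def send_segment(first_size, link_mtus, policy, max_tries=8):
    """Sender starts at `first_size` and lowers its path MTU estimate only
    when a frag-needed error actually reaches it.

    Returns (delivered, final_pmtu_estimate, attempts_used).
    """
    pmtu = first_size
    for attempt in range(1, max_tries + 1):
        result, msg = forward(pmtu, link_mtus)
        if result == "delivered":
            return True, pmtu, attempt
        if filter_drops(msg, policy):
            continue      # error never arrives: same size is retransmitted
        pmtu = msg[2]     # RFC 1191: adopt the next-hop MTU from the error
    return False, pmtu, max_tries


# Constructed path: Ethernet, PPPoE-sized link, tunnel, Ethernet.
PATH = [1500, 1492, 1400, 1500]

if __name__ == "__main__":
    for policy in ("allow_unreach", "drop_all_icmp"):
        print(policy, "full-size:", send_segment(1500, PATH, policy))
        print(policy, "small    :", send_segment(576, PATH, policy))
```

With all ICMP dropped, small packets still get through while full-size ones never do, which is why a filtered path can look healthy until bulk data is sent.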
