From owner-freebsd-security Mon Jan 18 07:11:29 1999
Date: Mon, 18 Jan 1999 08:11:06 -0700
Message-Id: <199901181511.IAA26164@mt.sri.com>
From: Nate Williams
To: Christian Kuhtz
Cc: Matthew Dillon, "Daniel O'Callaghan", freebsd-security@FreeBSD.ORG
Subject: Re: Small Servers - ICMP Redirect
In-Reply-To: <19990117194706.H97318@oreo.adsu.bellsouth.com>

>> ICMP is definitely not just a diagnostic tool, and it is put to
>> good use in a properly configured network. For example, Path MTU
>> Discovery uses ICMP (RFC 1191). ICMP is not something you want
>> to arbitrarily filter. At the very least you want to let through
>> the various unreachability messages.
>
> Nothing is broken by not getting host unreachable messages. Nothing
> breaks by not permitting traceroutes (port unreachable et al). Sure,
> path MTU discovery according to RFC1191 is nice, but not vital.
Hmm, you really don't have a clue, do you? If you break path MTU discovery in your LAN, then you won't get any data to it. Assuming you want to be on the internet, then getting packets is kind of vital.

See a recent set of postings I started around the middle of December last year on hackers on why path MTU discovery working is important.

Nate
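The black hole Nate describes, modelled as an added example (constructed simulation, not code from the thread or from FreeBSD): a sender runs RFC 1191 Path MTU Discovery with DF set across a path whose middle hop has a smaller MTU. When the router's ICMP "fragmentation needed" (type 3, code 4) reaches the sender, it shrinks its packets and data flows; when a filter drops that ICMP, the sender keeps retransmitting full-size packets and nothing large ever gets through, while small packets still do. The `Hop` class, the plateau fallback for routers that report a next-hop MTU of 0, and the try limit are assumptions of the model.

```python
"""Model of RFC 1191 Path MTU Discovery showing why filtering ICMP
type 3 / code 4 ("fragmentation needed") black-holes large packets.
Constructed simulation for illustration; not an operating-system stack."""
from dataclasses import dataclass

ICMP_UNREACHABLE, CODE_FRAG_NEEDED = 3, 4
# RFC 1191 section 7.1 plateau table, used when the router reports MTU 0.
PLATEAUS = [65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68]


@dataclass
class Hop:
    mtu: int
    reports_nexthop_mtu: bool = True  # False models a pre-RFC-1191 router


def icmp_needfrag(hop: Hop) -> tuple:
    """ICMP a router emits when a DF packet exceeds its outgoing MTU."""
    nexthop = hop.mtu if hop.reports_nexthop_mtu else 0
    return (ICMP_UNREACHABLE, CODE_FRAG_NEEDED, nexthop)


def next_plateau(current: int) -> int:
    """Fallback when next-hop MTU is 0: step down to the next plateau."""
    return next(p for p in PLATEAUS if p < current)


def send_with_pmtud(path, payload_bytes, icmp_filtered, max_tries=8):
    """Try to deliver payload_bytes with DF set; return (pmtu, delivered)."""
    pmtu = path[0].mtu  # start from the first-hop MTU, as RFC 1191 suggests
    for _ in range(max_tries):
        packet = min(pmtu, payload_bytes)
        bottleneck = next((h for h in path if packet > h.mtu), None)
        if bottleneck is None:
            return pmtu, True  # fits through every hop
        if icmp_filtered:
            continue  # ICMP dropped: sender never learns, retransmits same size
        _, _, nexthop = icmp_needfrag(bottleneck)
        pmtu = nexthop if nexthop else next_plateau(pmtu)
    return pmtu, False  # gave up: the classic PMTUD black hole
```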