Date: Mon, 18 Jan 1999 08:11:06 -0700
From: Nate Williams <nate@mt.sri.com>
To: Christian Kuhtz <ck@adsu.bellsouth.com>
Cc: Matthew Dillon <dillon@apollo.backplane.com>, "Daniel O'Callaghan" <danny@hilink.com.au>, freebsd-security@FreeBSD.ORG
Subject: Re: Small Servers - ICMP Redirect
Message-ID: <199901181511.IAA26164@mt.sri.com>
In-Reply-To: <19990117194706.H97318@oreo.adsu.bellsouth.com>
References: <007701be4256$f01ff740$02c3fe90@cisco.com> <Pine.BSF.3.96.990118085344.15297A-100000@enya.clari.net.au> <19990117185047.A97318@oreo.adsu.bellsouth.com> <199901180030.QAA54407@apollo.backplane.com> <19990117194706.H97318@oreo.adsu.bellsouth.com>
>> ICMP is definitely not just a diagnostic tool, and it is put to
>> good use in a properly configured network. For example, Path MTU
>> Discovery uses ICMP (RFC 1191). ICMP is not something you want
>> to arbitrarily filter. At the very least you want to let through
>> the various unreachability messages.
>
> Nothing is broken by not getting host unreachable messages. Nothing
> breaks by not permitting traceroutes (port unreachable et al). Sure,
> path MTU discovery according to RFC1191 is nice, but not vital.

Hmm, you really don't have a clue, do you? If you break path MTU
discovery in your LAN, then you won't get any data to it. Assuming you
want to be on the internet, then getting packets is kind of vital.

See a recent set of postings I started around the middle of December last
year on hackers on why path MTU discovery working is important.

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
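
Added example, not part of the original message: a constructed Python simulation of the RFC 1191 behaviour the thread argues about, showing a sender with DF set stalling once ICMP type 3 code 4 is filtered. The link MTUs, function names and filter policies are assumptions made for illustration.

```python
# Constructed model of RFC 1191 Path MTU Discovery; all names are illustrative.
ICMP_DEST_UNREACH = 3   # ICMP type 3: destination unreachable
ICMP_FRAG_NEEDED = 4    # code 4: fragmentation needed and DF set

PATH = [1500, 1492, 1400, 1500]   # constructed link MTUs, sender to receiver


def forward(size, link_mtus):
    """Carry one DF packet along the path. Return None if it is delivered,
    else the ICMP error (type, code, next_hop_mtu) from the dropping router."""
    for mtu in link_mtus:
        if size > mtu:
            return (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, mtu)
    return None


def send_with_pmtud(packet_len, link_mtus, icmp_allowed, max_tries=8):
    """Model a sender that sets DF and lowers its path-MTU estimate only when
    a 'fragmentation needed' error actually reaches it.
    icmp_allowed(type, code) is the filter policy in front of the sender.
    Returns (delivered, final_pmtu_estimate, tries)."""
    pmtu = link_mtus[0]                     # start from the first-hop MTU
    for tries in range(1, max_tries + 1):
        err = forward(min(packet_len, pmtu), link_mtus)
        if err is None:
            return True, pmtu, tries
        icmp_type, code, next_mtu = err
        if icmp_allowed(icmp_type, code):
            pmtu = next_mtu                 # adopt the reported next-hop MTU
        # Otherwise the error is filtered: the sender learns nothing and
        # retransmits the same oversized packet (a PMTUD black hole).
    return False, pmtu, max_tries


def block_all_icmp(icmp_type, code):
    return False


def allow_unreachables(icmp_type, code):
    return icmp_type == ICMP_DEST_UNREACH


if __name__ == "__main__":
    for name, policy in (("block all ICMP", block_all_icmp),
                         ("allow unreachables", allow_unreachables)):
        for length in (576, 1500):
            print(name, length, send_with_pmtud(length, PATH, policy))
```

With ICMP blocked, the 576-byte packet still gets through while the 1500-byte one never does, which is why this failure tends to show up only on bulk transfers.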