List Archive: gentoo-security
On Fri, Jan 09, 2004 at 05:36:51PM +1100, Mark Hurst wrote:
> > Probably you think ICMP is dangerous too. There are a lot of brain-dead
> > admins who block ICMP packets and then wonder why connections to some
> > websites are broken, or, if they administrate the packet filter in front of a
> > web server, wonder why some users grouch that they can't get a
> > connection to the web server.
> Ever heard of Smurf or Loki?
> If you allow all ICMP in you are indeed a brain-dead admin, in my opinion.
> Sure, host unreachable, DF should be allowed in, but why should an
> external host be able to send timestamp or subnet requests?
There are several types of ICMP messages. Some of those you can happily
discard (like timestamp requests), some you should discard (like
redirect), and some you really want to let through (like unreachable).
Others are subject to policy (echo request/reply, although in this case
I suggest letting them pass, but put a rate limit on them to avoid easy
Simply dropping all ICMP is stupid and will lead to problems, as ICMP is
an integral part of the IP protocol suite.
"Opportunity is missed by most people because it is dressed in overalls and
looks like work." -- Thomas A. Edison
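One way to turn the policy in the reply above into firewall rules, as an added example that is not part of the thread: an iptables INPUT-chain script that lets destination-unreachable through, drops redirect, timestamp and address-mask ("subnet") requests, rate-limits echo requests, and logs whatever is left before dropping it. Time-exceeded is accepted as an assumption beyond the thread (traceroute and TTL expiry reporting need it); the IPT variable is assumed and defaults to printing the rules rather than applying them.

```shell
#!/bin/sh
# Added example, not from the gentoo-security thread: an iptables INPUT-chain
# ICMP policy following the reply's advice. IPT defaults to "echo iptables",
# so the rules are only printed; run with IPT=iptables (as root) to apply them.
IPT="${IPT:-echo iptables}"

# Emit the ICMP rules, one per line, in the order they must be inserted.
icmp_policy_rules() {
    # Error signalling the IP stack depends on: always let it through.
    # destination-unreachable includes fragmentation-needed (type 3, code 4),
    # which path-MTU discovery needs; blocking it breaks sites that set DF.
    echo "-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT"
    # time-exceeded is not discussed in the thread; assumed here because
    # traceroute and TTL expiry reporting need it.
    echo "-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT"
    # Redirect can alter a host's routing table: discard.
    echo "-A INPUT -p icmp --icmp-type redirect -j DROP"
    # Timestamp and address-mask ("subnet") requests serve no purpose from
    # outside: discard.
    echo "-A INPUT -p icmp --icmp-type timestamp-request -j DROP"
    echo "-A INPUT -p icmp --icmp-type address-mask-request -j DROP"
    # Echo request: allow, but rate-limited (5/s, burst 10); the excess is
    # dropped by the rule that follows.
    echo "-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT"
    echo "-A INPUT -p icmp --icmp-type echo-request -j DROP"
    # Echo reply only when it answers a ping this host sent (conntrack).
    echo "-A INPUT -p icmp --icmp-type echo-reply -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    # Anything else: log it (rate-limited so the log cannot be flooded), then drop.
    echo "-A INPUT -p icmp -m limit --limit 1/minute -j LOG --log-prefix icmp-drop:"
    echo "-A INPUT -p icmp -j DROP"
}

# Feed every rule to $IPT; word splitting of $rule is intended here.
apply_icmp_policy() {
    icmp_policy_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        $IPT $rule
    done
}

apply_icmp_policy
```

Run as-is it prints the ten `iptables` commands so they can be reviewed; the rule order matters because the limited echo-request ACCEPT must precede its DROP.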