On Fri, Jan 09, 2004 at 05:36:51PM +1100, Mark Hurst wrote:
> > Probably you think ICMP is dangerous too. There are a lot of brain dead
> > admins who block ICMP packets and they wonder why connections to some
> > websites are broken or if they administrate the packet filter before a
> > webserver they wonder why some users grouch that they cannot get a
> > connection to the web server.
>
> Ever heard of Smurf or Loki?
>
> If you allow all ICMP in you are indeed a brain-dead admin, in my opinion.
> Sure, host unreachable, DF should be allowed in, but why should an
> external host be able to send timestamp or subnet requests?

There are several types of ICMP messages. Some of those you can happily
discard (like timestamp requests), some you should discard (like
redirect) and some you really want to let through (like unreachable).
Others are subject to policy (echo request/reply, although in this case
I suggest letting them pass, but put a rate limit on them to avoid easy
DoS).

Simply dropping all ICMP is stupid and will lead to problems, as ICMP is
an integral part of the IP protocol suite.

Regards,
Alex.
--
"Opportunity is missed by most people because it is dressed in overalls and
looks like work." -- Thomas A. Edison

--
gentoo-security@g.o mailing list
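An nftables ruleset that implements the per-type ICMP policy Alex outlines above (let unreachable through, drop redirect, drop timestamp and mask probes, rate-limit echo), added here as an example and not part of the original thread; the table and chain names and the rate-limit figures are assumptions:

```nft
#!/usr/sbin/nft -f
# Added example, not from the original thread. Table/chain names and the
# echo rate limit are assumed values; adjust to the host's existing ruleset.

table inet icmp_policy {
    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to traffic this host started (including its own pings,
        # which conntrack pairs with the echo-reply) are always accepted.
        ct state established,related accept
        iifname "lo" accept

        # Must let through: error messages that keep TCP working.
        # destination-unreachable includes fragmentation-needed (type 3,
        # code 4), the message a drop-all-ICMP filter kills and then
        # "wonders why connections to some websites are broken".
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept

        # Should drop: a redirect from outside can rewrite this host's routes.
        icmp type redirect counter drop

        # Can happily drop: information probes with no legitimate external use
        # (the timestamp and subnet-mask requests mentioned in the thread).
        icmp type { timestamp-request, timestamp-reply,
                    info-request, info-reply,
                    address-mask-request, address-mask-reply } counter drop

        # Subject to policy: answer echo requests, but rate-limit them so a
        # flood is cheap to absorb. Unsolicited echo-replies (Smurf-style
        # amplification) never match ct state above and fall to the drop below.
        icmp type echo-request limit rate 10/second burst 20 packets accept
        icmp type echo-request counter drop

        # Everything else ICMP: drop, but count it so the admin can see what
        # is arriving before deciding whether the policy needs another rule.
        meta l4proto icmp counter drop
    }
}
```

Load with `nft -f` and inspect the counters with `nft list table inet icmp_policy` to see which message types the filter is actually discarding.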