| 1 |
On Fri, Jan 09, 2004 at 05:36:51PM +1100, Mark Hurst wrote: |
| 2 |
> > Probably you think ICMP is dangerous too. There are a lot of brain dead |
| 3 |
> > admins who blocks ICMP packets and they wonder why connections to some |
| 4 |
> > websites are broken or if they administrate the packet filter before a |
| 5 |
> > webserver they wonder why some user grouches they wouldn't get a |
| 6 |
> > connection to the web server. |
| 7 |
> |
| 8 |
> Ever heard of Smurf or Loki? |
| 9 |
> |
| 10 |
> If you allow all ICMP in you are indeed a brain-dead admin, in my opinion. |
| 11 |
> Sure, host unreachable, DF should be allowed in, but why should an |
| 12 |
> external host be able to send timestamp or subnet requests? |
| 13 |
|
| 14 |
There are several types of ICMP messages. Some of those you can happily |
| 15 |
discard (like timestamp requests) some you should discard (like |
| 16 |
redirect) and some you really want to let through (like unreachable). |
| 17 |
Others are subject to policy (echo request/reply, although in this case |
| 18 |
I suggest letting them pass, but put a rate limit on them to avoid easy |
| 19 |
DoS). |
| 20 |
|
| 21 |
Simply dropping all ICMP is stupid and will lead to problems, as ICMP is |
| 22 |
an integral part of the IP protocol suite. |
| 23 |
|
| 24 |
Regards, |
| 25 |
Alex. |
| 26 |
-- |
| 27 |
"Opportunity is missed by most people because it is dressed in overalls and |
| 28 |
looks like work." -- Thomas A. Edison |
| 29 |
|
| 30 |
-- |
| 31 |
gentoo-security@g.o mailing list |
Archives