Re: Path MTU (was: RE:)
Mike Mestnik wrote:
>> I allow types 0, 3, 4, 8, 11, 12 on my corp net. echo/echo reply are
>> worth their weight in troubleshooting. On my home net, I don't allow
>> echo in, just to seem a little less visible on the net.
> This is a good first run, short and sweet. However you should also be
> aware of and block the troublesome ICMP msgs.
> 1. Pings to broadcast addresses (like 188.8.131.52), these can easily
> generate hundreds of replies (pongs) AND be targeted at any host on the net.
Or better yet. Drop all broadcast traffic. Ingress, egress, tcp, udp,
whatever. When it hits your border. Drop.
> 1a. Pings not originating from its own reverse route, coming from somewhere
> other than where the pong would be routed.
Also applies to more than icmp. Wrong interface? -- drop.
> 2. Pongs above a given rate, count/minute/net is a good way to go if you
> have hundreds or thousands of hosts.
> 3. Unreachables, your connection tracking firewall should be able to match
> TCP windows and UDP data to verify authenticity. (icmp --state RELATED
> ACCEPT; ICMP unreach DROP)
> There are many more but these are at the top of my list. If we can get a
> good list going I'd like to add this to the Wiki. Also it'd be nice to know
> which of the above are caught by --state INVALID.
+ Phil Dyer
+ email: firstname.lastname@example.org
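The policy the thread converges on (the six allowed types, broadcast drop, reverse-path check, per-net pong rate limit, and unreachables only when conntrack can relate them) written out as an iptables INPUT ruleset. This is an added example, not code from either poster; the function names, the 60/minute and 30/minute limits and the /24 mask are my assumptions, and IPT/SYSCTL can be overridden to dry-run the script instead of applying it.

```shell
#!/bin/sh
# Added example (not from the thread): iptables INPUT rules for the ICMP policy
# discussed above. IPT and SYSCTL are overridable so the script can be dry-run:
#   sh icmp-policy.sh show      (prints the commands)   /   apply (runs them)
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

# 1a. Source-address sanity: let the kernel drop packets arriving on an
#     interface other than the one the reply would leave through.
reverse_path_check() {
    $SYSCTL -w net.ipv4.conf.all.rp_filter=1
    $SYSCTL -w net.ipv4.conf.default.rp_filter=1
}

# ICMP rules for one chain (default INPUT). Accepted types follow the thread:
# 0 echo-reply, 3 unreachable, 4 source-quench, 8 echo-request,
# 11 time-exceeded, 12 parameter-problem; everything else is dropped.
icmp_policy() {
    chain="${1:-INPUT}"
    # 1. Nothing legitimate needs us to answer a broadcast or multicast ping.
    $IPT -A "$chain" -p icmp -m addrtype --dst-type BROADCAST -j DROP
    $IPT -A "$chain" -p icmp -m addrtype --dst-type MULTICAST -j DROP
    # 3. Error messages only when conntrack can tie them to a flow we own.
    #    This keeps Path MTU discovery (type 3, code 4) working; an unreachable
    #    for a flow conntrack never saw carries no ct and is INVALID (see below).
    for t in 3 4 11 12; do
        $IPT -A "$chain" -p icmp --icmp-type "$t" -m conntrack --ctstate RELATED -j ACCEPT
    done
    # 2. Replies: drop a /24 that sends more than 60 pongs a minute (assumed
    #    limit), then accept only replies to echo requests we sent (ESTABLISHED).
    $IPT -A "$chain" -p icmp --icmp-type 0 -m hashlimit --hashlimit-name pong \
        --hashlimit-mode srcip --hashlimit-srcmask 24 --hashlimit-above 60/minute -j DROP
    $IPT -A "$chain" -p icmp --icmp-type 0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    # Echo requests stay allowed (troubleshooting) but rate-limited (assumed limit).
    $IPT -A "$chain" -p icmp --icmp-type 8 -m limit --limit 30/minute --limit-burst 10 -j ACCEPT
    # Packets conntrack cannot classify (an unsolicited pong, an error for an
    # unknown flow) match INVALID; drop them explicitly so they show up in this
    # rule's counters instead of disappearing into the catch-all.
    $IPT -A "$chain" -p icmp -m conntrack --ctstate INVALID -j DROP
    # Catch-all for any remaining ICMP.
    $IPT -A "$chain" -p icmp -j DROP
}

case "${1:-}" in
    apply) reverse_path_check; icmp_policy INPUT ;;
    show)  IPT="echo iptables"; SYSCTL="echo sysctl"; reverse_path_check; icmp_policy INPUT ;;
esac
```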