
Blocking icmp (was: What to return for AUTH tcp/113 requests?)

On Friday 30.05.2003 at 1:59 CEST +0200, Daniel Pittman wrote:
> On Thu, 29 May 2003, moseley@hank.org wrote:
> > I believe it's not good to just drop the auth (ident) requests -- IIRC
> > it makes mail clients delay.
> > 
> > So the question is how should they be rejected?
> > 
> >    reject-with icmp-port-unreachable
> > or
> >    reject-with tcp-reset
> I never encountered a problem with either IRC or mail when I rejected
> with ICMP prot administratively prohibited; that is also true. :)

More and more firewall admins block ICMP, also in publicly accessible
networks. In Germany we have some trouble with a freemailer who also
blocks ICMP messages, so no path MTU negotiation is possible. It isn't
really a good idea to block ICMP. If you block parts of it and you have
reasons to do that, OK, but most of them block ICMP entirely.

block ping - security by obscurity?
block broadcast ping - seems to be a good idea.
block router redirection - if there can only be one router on the other end, block that.

Frank Matthieß                                               frankm@lug-owl.de

           Digital Restriction Management - Freedom for industry.
                   Ross Anderson TCPA/Palladium FAQ
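As an added example (not from any poster in this thread), the following shell script emits an iptables-restore ruleset that puts the two points above into practice: ident (tcp/113) is rejected with a TCP RST rather than dropped, and only the ICMP that actually causes trouble (broadcast echo, redirects from the upstream) is blocked, while the messages path MTU discovery depends on are let through. The interface name eth0 is an assumption.

```shell
#!/bin/sh
# Added example, not the list's or any poster's configuration.
# Prints an iptables-restore fragment; review it with `./rules.sh`,
# apply it with `./rules.sh | iptables-restore`.

WAN_IF=${WAN_IF:-eth0}   # assumed public-facing interface

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# ICMP errors for tracked flows (incl. most unreachables) are RELATED
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ident: send a RST so mail/IRC servers doing ident lookups fail fast
# instead of waiting for a timeout (icmp-admin-prohibited also works)
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# ICMP that PMTUD and traceroute need; never drop these
-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# unicast ping is harmless; broadcast ping (smurf amplification) is not
-A INPUT -p icmp --icmp-type echo-request -m addrtype --dst-type BROADCAST -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# redirects only make sense with several routers on the segment;
# with one upstream router there is nothing legitimate to redirect to
-A INPUT -i $WAN_IF -p icmp --icmp-type redirect -j DROP
COMMIT
EOF
}
```

Everything not listed falls through to the INPUT policy and is dropped, so the ruleset blocks ICMP selectively rather than "at all".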
