Blocking icmp (was: What to return for AUTH tcp/113 requests?)
Freitag den 30.05.2003 um 1:59 CEST +0200, schrieb Daniel Pittman:
> On Thu, 29 May 2003, moseley@hank.org wrote:
> > I belive it's not good to just drop the auth (ident) requests -- IIRC
> > it makes mail clients delay.
> >
> > So the question is how should they be rejected?
> >
> > reject-with icmp-port-unreachable
> > or
> > reject-with tcp-reset
>
> I never encountered a problem with either IRC or mail when I rejected
> with ICMP prot administratively prohibited; that is also true. :)
More and more firewall admin block icmp, also in public accessible
networks. In Germany we have some trouble with a freemailer, who also
block icmp messages, so there is no path mtu negotiation possibel. Is'nt
really a good idea to block icmp. If you block parts of it and you have
reasons to do that ok, but most of them block icmp at all.
block ping - security by obscurity?
block broadcast ping - seems to be a good idea.
block router redirection - If there can only be one router on the other
end, block that.
Frank.
--
Frank Matthieß frankm@lug-owl.de
Digital Restriction Managment - Freedom for industry.
Ross Anderson TCPA/Palladium FAQ
http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html
http://moon.hipjoint.de/tcpa-palladium-faq-de.html
Reply to: