Re: ICMP drop.
On Thu, 09 Oct 2003, Rudi Starcevic wrote:

> I'm trying to drop all icmp/ping packets on my Debian box in the US.
> I'm in Australia.

This is a stunningly bad idea, I fear to say. If you drop ICMP
'fragmentation needed', you become a PMTU discovery black hole.

This *will* make your life miserable, as you suddenly can't connect to,
or be connected to from, a large proportion of systems.

That said, what others have mentioned is true -- snort will see packets
that your firewall drops.

Daniel
--
To be nobody-but-yourself -- in a world which is doing its best night and day,
to make you everybody else -- means to fight the hardest battle which any
human being can fight; and never stop fighting.
-- e.e. cummings
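
An added example, not part of the original message: a small audit that walks `iptables-save` text with first-match semantics and reports whether ICMP 'fragmentation needed' (type 3, code 4) would be dropped, which is the PMTU black hole described above. The two rulesets are constructed samples, and the sketch assumes rules that use only `-p`, `-m icmp`, `--icmp-type` and `-j`; rules with any other match option are ignored.

```python
import shlex

# ICMP type names iptables accepts, mapped to (type, code or None for any code).
ICMP_NAMES = {
    "echo-request": (8, None),
    "destination-unreachable": (3, None),
    "fragmentation-needed": (3, 4),
}
SIMPLE_OPTS = {"-p", "-m", "--icmp-type", "-j"}  # the only options this sketch models

def parse_icmp_type(spec):
    """Turn '3/4', '8' or a known name into (type, code-or-None)."""
    if spec in ICMP_NAMES:
        return ICMP_NAMES[spec]
    t, _, c = spec.partition("/")
    return int(t), (int(c) if c else None)

def verdict(ruleset, icmp_type, icmp_code, chain="INPUT"):
    """First-match verdict for one ICMP packet against iptables-save text."""
    policy = "ACCEPT"
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if len(tok) >= 2 and tok[0] == ":" + chain:
            policy = tok[1]                      # chain policy, e.g. ":INPUT ACCEPT [0:0]"
        if tok[:2] != ["-A", chain]:
            continue
        opts = dict(zip(tok[2::2], tok[3::2]))
        if set(opts) - SIMPLE_OPTS:
            continue                             # assumption: rules with other matches are ignored
        if opts.get("-p", "all") not in ("icmp", "all"):
            continue
        if "--icmp-type" in opts:
            t, c = parse_icmp_type(opts["--icmp-type"])
            if t != icmp_type or (c is not None and c != icmp_code):
                continue
        if opts.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return opts["-j"]
    return policy

def pmtu_black_hole(ruleset):
    """True if 'fragmentation needed' (type 3, code 4) never reaches the host."""
    return verdict(ruleset, 3, 4) != "ACCEPT"

# Constructed samples: blanket ICMP drop versus dropping echo-request only.
BLANKET = "*filter\n:INPUT ACCEPT [0:0]\n-A INPUT -p icmp -j DROP\nCOMMIT"
PING_ONLY = "*filter\n:INPUT ACCEPT [0:0]\n-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP\nCOMMIT"

if __name__ == "__main__":
    for name, rules in (("blanket", BLANKET), ("ping-only", PING_ONLY)):
        print(name, "black hole:", pmtu_black_hole(rules), "ping:", verdict(rules, 8, 0))
```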