
Re: ICMP drop.



On Thu, 09 Oct 2003, Rudi Starcevic wrote:
> I'm trying to drop all icmp/ping packets on my Debian box in the US.
> I'm in Australia.

This is a stunningly bad idea, I fear to say. If you drop ICMP
'fragmentation needed', you become a PMTU discovery black hole.

This *will* make your life miserable, as you suddenly can't connect to,
or be connected to from, a large proportion of systems.

That said, what others have mentioned is true -- snort will see packets
that your firewall drops.

     Daniel

-- 
To be nobody-but-yourself -- in a world which is doing its best night and day,
to make you everybody else -- means to fight the hardest battle which any
human being can fight; and never stop fighting. 
        -- e.e. cummings
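
A check for the failure described in this message, as an added example that is not part of the original post: it reads `iptables-save` output and reports whether ICMP fragmentation-needed would be dropped on the way in. The function name, the sample rulesets and the simplified first-match model of the INPUT chain are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Reads `iptables-save` text on
# stdin and prints "ok" if ICMP fragmentation-needed (type 3 code 4) can reach
# the host through INPUT, or "blackhole" if it is dropped.
# Simplified model (assumption): first matching INPUT rule wins; user-defined
# chains and address/interface matches are ignored.
pmtu_check() {
    policy=ACCEPT verdict=
    while read -r line; do
        case "$line" in
            ":INPUT "*) policy=${line#:INPUT }; policy=${policy%% *}; continue ;;
            "-A INPUT "*) [ -z "$verdict" ] || continue ;;
            *) continue ;;
        esac
        case "$line" in
            *"-j ACCEPT"*) target=ACCEPT ;;
            *"-j DROP"*|*"-j REJECT"*) target=DROP ;;
            *) continue ;;                      # LOG, jumps to other chains, ...
        esac
        case "$line" in
            *"--icmp-type 3/4 "*|*"--icmp-type 3 "*|\
            *"--icmp-type fragmentation-needed "*|\
            *"--icmp-type destination-unreachable "*) verdict=$target ;;
            *"--icmp-type "*) ;;                # another type, e.g. 8 (echo-request)
            *"-p icmp "*) verdict=$target ;;    # every ICMP type, PMTU errors included
            *" -p "*) ;;                        # some other protocol
            *RELATED*) [ "$target" != ACCEPT ] || verdict=ACCEPT ;;  # conntrack passes ICMP errors
            "-A INPUT -j "*) verdict=$target ;; # unconditional rule
        esac
    done
    [ -n "$verdict" ] || verdict=$policy        # no rule matched: chain policy decides
    if [ "$verdict" = ACCEPT ]; then echo ok; else echo blackhole; fi
}

# Constructed sample rulesets in iptables-save format.
DROP_ALL_ICMP=':INPUT ACCEPT [0:0]
-A INPUT -p icmp -j DROP'
DROP_PING_ONLY=':INPUT ACCEPT [0:0]
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP'
DEFAULT_DENY=':INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

for name in DROP_ALL_ICMP DROP_PING_ONLY DEFAULT_DENY; do
    eval "rules=\$$name"
    printf '%s: %s\n' "$name" "$(printf '%s\n' "$rules" | pmtu_check)"
done
```

On a live host the same function can be fed with `iptables-save | pmtu_check`; a result of `ok` only covers the INPUT chain under the simplifications listed in the comments.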


