[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ICMP drop.

On Thu, 09 Oct 2003, Rudi Starcevic wrote:
> I'm trying to drop all icmp/ping packets on my Debian box in the US.
> I'm in Australia.

This is a stunningly bad idea, I fear to say. If you drop ICMP
'fragmentation needed', you become a PMTU discovery black hole.

This *will* make your life miserable, as you suddenly can't connect to,
or be connected to from, a large proportion of systems.

That said, what others have mentioned is true -- snort will see packets
that your firewall drops.


To be nobody-but-yourself -- in a world which is doing its best night and day,
to make you everybody else -- means to fight the hardest battle which any
human being can fight; and never stop fighting. 
        -- e.e. cummings

Reply to: