Re: ICMP drop.

To: Daniel Pittman <daniel@rimspace.net>
Cc: Rudi Starcevic <rudi@oasis.net.au>, debian-firewall@lists.debian.org
Subject: Re: ICMP drop.
From: Josh Rollyson <jrollyson@2mbit.com>
Date: Thu, 09 Oct 2003 03:47:15 -0400
Message-id: <[🔎] 3F851283.40608@2mbit.com>
In-reply-to: <[🔎] 87u16i27zm.fsf@enki.rimspace.net>
References: <[🔎] 3F84FC06.4020701@oasis.net.au> <[🔎] 87u16i27zm.fsf@enki.rimspace.net>

Daniel Pittman wrote:

This is a stunningly bad idea, I fear to say. If you drop ICMP
'fragmentation needed', you become a PMTU discovery black hole.

This *will* make your life miserable, as you suddenly can't connect to,
or be connected to from, a large proportion of systems.

Additionally, you make network troubleshooting much harder, and reallygain little in the way of security. Filter ICMP selectively, and userate limiting rather than filtering where possible.


-Josh

Reply to:

References:
- ICMP drop.
  - From: Rudi Starcevic <rudi@oasis.net.au>
- Re: ICMP drop.
  - From: Daniel Pittman <daniel@rimspace.net>

Prev by Date: Re: Re[2]: simple iptables rules
Next by Date: Re: ICMP drop.
Previous by thread: Re: ICMP drop.
Next by thread: Re: ICMP drop.
Index(es):
- Date
- Thread