
Re: Path MTU (was: RE:)



--- Phil Dyer <phil.dyer@cox.net> wrote:

> Mike Mestnik wrote:
> 
> >> I allow types 0, 3, 4, 8, 11, 12 on my corp net. echo/echo reply are
> >> worth their weight in troubleshooting. On my home net, I don't allow
> >> echo in, just to seem a little less visible on the net.
> >> 
> >> /phil
> >> 
> > This is a good first run, short and sweet.  However, you should also be
> > aware of and block the troublesome ICMP messages.
> 
> very true.
> > 
> > 1. Pings to broadcast addresses (like 209.98.255.255), these can easily
> > generate hundreds of replies (pongs) AND be targeted at any host on the
> > net.
> 
> Or better yet, drop all broadcast traffic. Ingress, egress, TCP, UDP,
> whatever. When it hits your border, drop.
> 
> > 1a. Pings not originating from their own reverse route, coming from
> > somewhere other than where the pong would be routed.
> 
> Also applies to more than ICMP. Wrong interface? -- drop.
> 
There are some cases where companies and ISPs might allow this.  This is
needed for multi-path routing.  ISPs MUST accept traffic from other
sites to pass through their system, border routing etc.  For systems
with more than one internet connection (multi-path), packets coming in from
the wrong one are not a bad thing.

> > 2. Pongs above a given rate; count/minute/net is a good way to go if you
> > have hundreds or thousands of hosts.
> 
> absolutely!
> 
> > 3. Unreachables, your connection-tracking firewall should be able to
> > match TCP windows and UDP data to verify authenticity.  (icmp --state
> > RELATED ACCEPT; ICMP unreach DROP)
> > 
> > There are many more but these are at the top of my list.  If we can
> > get a good list going I'd like to add this to the WiKi.  Also it'd be
> > nice to know which of the above are caught by --state INVALID.
> 
> -- 
> 
> +==========================
> + Phil Dyer
> + email: phil.dyer@cox.net
> +==========================

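As an added illustration, not code from the thread or any of its posters, here is a small Python model of the ingress policy the numbered list above describes: the allowed ICMP types, the broadcast-ping drop (1), the reverse-path check that still admits a multi-path site's traffic (1a), a per-minute pong cap per source /24 (2), and unreachables accepted only when the quoted inner header names a flow the firewall has tracked, which is what --state RELATED matches in iptables (3). The packet dict shape, the 209.98.0.0/16 local prefix, the route table and the 100/minute cap are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

ALLOWED_TYPES = {0, 3, 4, 8, 11, 12}   # echo reply, unreach, quench, echo, ttl, param problem
LOCAL_NETS = [ipaddress.ip_network("209.98.0.0/16")]  # constructed: our own prefix
PONG_LIMIT_PER_MIN = 100                              # constructed cap per /24 source net

class IcmpPolicy:
    """Assumed packet shape: {"src", "dst", "type", "iface", "ts", optional "inner"}."""
    def __init__(self, routes, conntrack):
        # routes: {"prefix/len": {ifaces a packet from that prefix may legitimately arrive on}};
        # a multi-path site lists more than one interface, so rule 1a does not drop its traffic.
        self.routes = {ipaddress.ip_network(p): set(i) for p, i in routes.items()}
        self.conntrack = set(conntrack)  # tracked flows as (proto, src, sport, dst, dport)
        self.pongs = defaultdict(int)    # (minute, source /24) -> echo replies seen

    def _ingress_ifaces(self, ip):
        # longest-prefix match, the same lookup a router's reverse-path check performs
        best = max((n for n in self.routes if ip in n), key=lambda n: n.prefixlen, default=None)
        return self.routes.get(best, set())

    def decide(self, pkt):
        src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
        t = pkt["type"]
        if t not in ALLOWED_TYPES:
            return "DROP"
        # 1. echo request aimed at one of our broadcast addresses (a pong amplifier)
        if t == 8 and any(dst == n.broadcast_address for n in LOCAL_NETS):
            return "DROP"
        # 1a. arrived on an interface the reply would never be routed out of
        if pkt["iface"] not in self._ingress_ifaces(src):
            return "DROP"
        # 2. echo replies above the per-minute cap for the source /24
        if t == 0:
            key = (pkt["ts"] // 60, ipaddress.ip_network(f"{src}/24", strict=False))
            self.pongs[key] += 1
            if self.pongs[key] > PONG_LIMIT_PER_MIN:
                return "DROP"
        # 3. unreachable accepted only when its quoted inner header names a flow we
        #    actually have open, i.e. what conntrack calls RELATED; anything else drops
        if t == 3:
            return "ACCEPT" if pkt.get("inner") in self.conntrack else "DROP"
        return "ACCEPT"
```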