On Sun, May 25, 2003 at 09:56:07PM +0800, Hanz wrote:
> In setting up a firewall will there be any negative side effects if I
> block ICMP? Are there any services that depend on this? In my setup
> I'll be running mail and web server in a DMZ.

Certain network information is transported via ICMP. If there is an MTU
bottleneck along the path and you block ICMP, the client may not be able
to get his mail (actually, any traffic at all) unless he lowers the MTU
himself. gmx.[net|de] does this, and one has to set up a firewall rule to
explicitly set the MTU to 1450 when negotiating a connection. Simply
setting an MTU on the outgoing client interface is not sufficient in this
special case.

So, yes, there might very well be negative side effects, and to be honest,
I can't think of a good reason for blocking ICMP altogether. With enough
trace tools out there which don't rely on ICMP, the measure is useless for
purposes of hardening a system, and serves only as a nuisance. It may be
an RFC violation too, I didn't check.

HTH, HAND
Nick

--
x----------------------------------------------------------------------x
| The greatest woes of the programmer?                                 |
| Serotonine deficiency, caffeine deprivation and the                  |
| unbearable roar of the birds.                                        |
|----------------------------------------------------------------------|
| Nicolas Kratz <nick@ikarus.dyndns.org> <n_kratz@cs.uni-frankfurt.de> |
x----------------------------------------------------------------------x
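As an added illustration (not part of the original thread), a small Python simulation of the failure Nick describes: a sender doing path MTU discovery with DF set, a bottleneck hop of 1450 bytes (the figure from the post; the hop layout is constructed), and a firewall that either passes or drops the ICMP "fragmentation needed" message. The MSS clamp value is an assumed stand-in for the "set the MTU to 1450" firewall rule.

```python
# Simulation of path MTU discovery (RFC 1191) with and without the ICMP
# "fragmentation needed" message (type 3, code 4) passing the firewall.
IP_TCP_OVERHEAD = 40               # IPv4 + TCP headers, no options
PATH_MTUS = [1500, 1450, 1500]     # constructed: middle hop is the bottleneck


def send_df_packet(size, allow_icmp):
    """Forward one DF packet hop by hop.

    Returns ('delivered', size), ('icmp', hop_mtu) when a router reports
    the smaller MTU, or ('dropped', None) when that report is filtered.
    """
    for hop_mtu in PATH_MTUS:
        if size > hop_mtu:
            # Router cannot fragment (DF set); it answers with ICMP
            # frag-needed carrying hop_mtu, unless a firewall eats it.
            return ('icmp', hop_mtu) if allow_icmp else ('dropped', None)
    return ('delivered', size)


def transfer(payload_bytes, mtu, allow_icmp, mss_clamp=None, max_tries=20):
    """Simulate one TCP bulk transfer with DF set.

    Returns (outcome, final_packet_size, attempts). With ICMP blocked and
    no MSS clamp the sender never learns the path MTU: it retransmits the
    same oversized segment until it gives up (a PMTUD black hole).
    """
    seg = mtu if mss_clamp is None else min(mtu, mss_clamp + IP_TCP_OVERHEAD)
    sent = attempts = 0
    while sent < payload_bytes and attempts < max_tries:
        attempts += 1
        size = min(seg, payload_bytes - sent + IP_TCP_OVERHEAD)
        result, info = send_df_packet(size, allow_icmp)
        if result == 'delivered':
            sent += size - IP_TCP_OVERHEAD
        elif result == 'icmp':
            seg = info          # PMTUD works: adopt advertised MTU, retry
        # 'dropped': no feedback at all, loop retransmits the same size
    outcome = 'ok' if sent >= payload_bytes else 'stalled'
    return outcome, seg, attempts


if __name__ == '__main__':
    print('icmp allowed       :', transfer(10000, 1500, allow_icmp=True))
    print('icmp blocked       :', transfer(10000, 1500, allow_icmp=False))
    print('blocked, mss clamp :', transfer(10000, 1500, False, mss_clamp=1410))
    print('blocked, tiny reply:', transfer(100, 1500, allow_icmp=False))
```

The last case shows why the problem is easy to miss: small exchanges (a banner, a short page) fit under the bottleneck and succeed, while a full mailbox download stalls.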