
Re: blocking icmp...



On Sun, May 25, 2003 at 01:09:29PM -0400, Kevin McKinley wrote:
> On Sun, 25 May 2003 07:31:02 -0700
> Paul Johnson <baloo@ursine.dyndns.org> wrote:
> 
> > On Sun, May 25, 2003 at 09:56:07PM +0800, Hanz wrote: 
> > > In setting up a firewall will there be any negative side effects if
> > > I block icmp?
> > 
> > Well, other than it breaking the TCP/IP standard and making some
> > servers think you don't exist (some ping back), no.
> 
> How would declining to answer pings "break the TCP/IP standard"? That's like
> saying if you don't answer the telephone you're breaking the telephone
> standard.

It's anti-social and hamfisted. Some CPAN servers are blocking icmp now
and that makes it difficult to tell if they are even up. There are more
precise and reasonable means, using netfilter (iptables) to protect
against icmp DoS attacks. At the very least one shouldn't do something
that one doesn't want others to do. Set a good example and all that.

-- 
See my OpenPGP key at https://savannah.gnu.org/people/viewgpg.php?user_id=6050
GnuPG public key fingerprint  | "Only when efforts to reform society have as
 BD26 A5D8 D781 C96B 9936     |  their point of departure the reformation of
 310F 0573 A3D9 4E24 4EA6     |  the inner life -- human revolution -- will
they lead us with certainty to a world of lasting peace and true human security."
                                -- Daisaku Ikeda
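
The kind of netfilter rate limiting the message above refers to, as an added example that is not part of the original post: a shell function that prints an iptables-restore fragment which keeps the ICMP error types TCP/IP depends on and rate-limits echo requests rather than dropping all ICMP. The chain name `ICMP_IN` and the default rate and burst are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread).
# icmp_rules RATE BURST
#   RATE  e.g. 5/second (units: second, minute, hour, day)
#   BURST positive integer
# Prints an iptables-restore fragment on stdout; returns 1 on bad input.
icmp_rules() {
    rate=$1
    burst=$2
    n=${rate%%/*}
    unit=${rate#*/}
    # Reject anything that is not <positive integer>/<known unit>
    case $n in
        ''|*[!0-9]*|0*) echo "bad rate: $rate" >&2; return 1 ;;
    esac
    case $unit in
        second|minute|hour|day) ;;
        *) echo "bad rate: $rate" >&2; return 1 ;;
    esac
    case $burst in
        ''|*[!0-9]*|0*) echo "bad burst: $burst" >&2; return 1 ;;
    esac
    # ICMP_IN is a hypothetical chain name used only in this example.
    cat <<EOF
*filter
:ICMP_IN - [0:0]
-A INPUT -p icmp -j ICMP_IN
-A ICMP_IN -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ICMP_IN -p icmp --icmp-type time-exceeded -j ACCEPT
-A ICMP_IN -p icmp --icmp-type parameter-problem -j ACCEPT
-A ICMP_IN -p icmp --icmp-type echo-reply -j ACCEPT
-A ICMP_IN -p icmp --icmp-type echo-request -m limit --limit $rate --limit-burst $burst -j ACCEPT
-A ICMP_IN -j DROP
COMMIT
EOF
}
# Notes on the generated rules:
#  - destination-unreachable includes "fragmentation needed", which path MTU
#    discovery relies on, so it is accepted unconditionally.
#  - the limit match is a single global bucket shared by all senders; pings
#    above the rate fall through to the final DROP.

# Print the fragment with the example defaults (assumed values).
icmp_rules 5/second 10
```

Review the output, then load it as root with `iptables-restore --noflush` so that existing rules are kept.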


