Firewall Wizards mailing list archives

Re: ICMP Packets.


From: "Don Kendrick" <dkendrick () mindspring com>
Date: Tue, 2 Jun 1998 15:52:18 -0400

Agreed on the Path MTU stuff in theory, though it really depends what kind
of traffic is going between the internal and external nets. For one, I'd
rather deny ICMP and suffer some on performance.

Don

-----Original Message-----
From: Perry E. Metzger <perry () piermont com>
To: Don Kendrick <dkendrick () mindspring com>
Cc: Toddb <toddb () pacifier com>; firewall-wizards () nfr net
<firewall-wizards () nfr net>
Date: Tuesday, June 02, 1998 12:14 PM
Subject: Re: ICMP Packets.



"Don Kendrick" writes:
> In the standard configuration of you, with a perimeter router, connected
> point to point with an ISP's router; there's no reason I can think of
> other than troubleshooting to allow ICMP packets to enter your
> perimeter.

I think stopping ICMP is, in general, a very bad idea. Among other
things, you totally screw up Path MTU discovery, and you make it hard
to trace network problems. The Path MTU breakage is especially bad --
it will, among other things, impact your network performance.

Perry
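
Added example, not part of either poster's message: the trade-off discussed in this thread, shown as an inbound ICMP filter decision in Python. Path MTU discovery (RFC 1191) depends on ICMP type 3 code 4 reaching the sender; the policy names "deny-all" and "pmtud-only", the function names, and the sample packets are assumptions constructed for illustration.

```python
import struct

# ICMP type/code values from RFC 792 and RFC 1191.
DEST_UNREACHABLE = 3
FRAG_NEEDED = 4  # code 4: fragmentation needed and DF set

def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: int, payload: bytes = b"") -> bytes:
    """Build a constructed message; 'rest' is the 32-bit word after the checksum."""
    body = struct.pack("!BBHI", icmp_type, code, 0, rest) + payload
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def parse_icmp(msg: bytes) -> dict:
    """Parse the 8-byte ICMP header, rejecting truncated or corrupt messages."""
    if len(msg) < 8:
        raise ValueError("truncated ICMP message")
    if checksum(msg) != 0:  # a valid message sums to zero with its checksum included
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, _, mtu = struct.unpack("!BBHHH", msg[:8])
    info = {"type": icmp_type, "code": code}
    if (icmp_type, code) == (DEST_UNREACHABLE, FRAG_NEEDED):
        info["next_hop_mtu"] = mtu  # RFC 1191: low 16 bits of the second word
    return info

def inbound_decision(msg: bytes, policy: str) -> str:
    """'deny-all' drops every ICMP message; 'pmtud-only' admits only type 3 code 4."""
    try:
        info = parse_icmp(msg)
    except ValueError:
        return "drop"
    if policy == "pmtud-only" and "next_hop_mtu" in info:
        return "accept"
    return "drop"

# Constructed sample messages (not captured traffic).
FRAG_NEEDED_MSG = build_icmp(3, 4, 1400, b"\x45" + b"\x00" * 27)  # next-hop MTU 1400
ECHO_REQUEST_MSG = build_icmp(8, 0, 0x00010001, b"ping")
```

Under "deny-all" the fragmentation-needed message carrying the 1400-byte next-hop MTU is dropped along with everything else, which is the Path MTU breakage described above. A production filter would also match the embedded original header against an existing outbound flow before accepting.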


