Re: how to block ICMP tunneling? Deja vu? sorry...my last post had an error

["Don Kendrick" <don () netspys com>]

Sorry....below I said that I was "blocking unreachables, ttl-exceeded and
echo-reply inbound..." I meant to say I was blocking all icmp except those
listed...

Sorry for the confusion....


Don
-----Original Message-----
From: Don Kendrick <don () netspys com>
To: firewall <firewall-wizards () nfr net>
Date: Thursday, July 22, 1999 4:24 AM
Subject: Re: how to block ICMP tunneling? Deja vu?


> Didn't we just have this discussion last year :)
>
> I've been blocking unreachables, ttl-exceeded and echo-reply inbound at the
> border router and blocking everything else from passing thru the firewall
> for many years . All is allowed out from the external side of the house
> only...path MTU has never caused any problems that I'm aware of in our net.
>
> Aren't other routers between my net and the "rest of the world" responding
> to path MTU? Wouldn't it only be a factor if my path was smaller then any
> other between point A and B?
>
> btw...some one else suggested that it mattered if you have a token based
> network inside...I've got that as well.
>
>
> Don
>
>
> > If you do, you break Path MTU, which can disrupt communications to many
> > sites.