Firewall Wizards mailing list archives
Re: blocking icmp type 3
From: Alexander Schreiber <Alexander.Schreiber () Informatik TU-Chemnitz DE>
Date: Sat, 26 Aug 2000 00:34:04 +0200 (MET DST)
On Fri, 25 Aug 2000, Jan Stifter wrote:
hi gurus, recently, i blocked on a firewall box (3 ethernet interfaces, one to provider, one for private ip's, one for official) icmp almost completely. i allowed only incoming and outgoing icmp type 3 code 4 (fragmentation-needed), due to a paper describing the importance of this type of icmp-message (www.worldgate.com/~marcs/mtu/). it happened then, that there were "hangers" in the network, so that people from inside could not reach a site outside immediately. can anyone explain to me what other icmp types i should allow to avoid any networking problems? if possible, i would like to block as many icmp types as possible.
You should also allow the different unreachable types (port/host/net) so your clients don't have to wait for timeouts if they try to access services that are not available.

Regards,
Alex.
--
EMail : als () thangorodrim de | WWW : http://www.thangorodrim.de/
"I think there's a world market for about five computers."
-- attr. Thomas J. Watson (Chairman of the Board, IBM), 1943
_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
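
The difference between the two allow-lists discussed in this thread, as an added example that is not part of the original posts: it evaluates constructed ICMP messages against the question's policy (type 3 code 4 only) and against the reply's (net/host/port unreachable as well). The policy names, helper functions and sample packets are assumptions made for illustration.

```python
import struct

# ICMP type 3 (destination unreachable) codes from RFC 792 / RFC 1191.
NET, HOST, PORT, FRAG_NEEDED = 0, 1, 3, 4

# Allow-list from the question: only type 3 code 4 passes the firewall.
QUESTION_POLICY = {(3, FRAG_NEEDED)}
# Allow-list after the reply's advice: net/host/port unreachable pass too.
REPLY_POLICY = QUESTION_POLICY | {(3, NET), (3, HOST), (3, PORT)}

def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: int = 0, payload: bytes = b"") -> bytes:
    """Build a constructed ICMP message used as sample input."""
    body = struct.pack("!BBHI", icmp_type, code, 0, rest) + payload
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def verdict(packet: bytes, policy: set) -> str:
    """ACCEPT or DROP a raw ICMP message under a (type, code) allow-list."""
    if len(packet) < 8 or checksum(packet) != 0:
        return "DROP"  # truncated or corrupted message
    return "ACCEPT" if (packet[0], packet[1]) in policy else "DROP"

# Constructed samples; payloads stand in for the quoted original datagram.
QUOTED = b"\x45" + bytes(27)
SAMPLES = {
    "frag-needed, MTU 1400": build_icmp(3, FRAG_NEEDED, rest=1400, payload=QUOTED),
    "port unreachable": build_icmp(3, PORT, payload=QUOTED),
    "host unreachable": build_icmp(3, HOST, payload=QUOTED),
    "echo request": build_icmp(8, 0, rest=0x00010001, payload=b"ping"),
}

def compare() -> dict:
    """Map each sample to its (question policy, reply policy) verdicts."""
    return {name: (verdict(p, QUESTION_POLICY), verdict(p, REPLY_POLICY))
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:24} question={before:6} reply={after}")
```

Under the question's policy the port and host unreachable messages are dropped, which is the case where a client waits for its own timeout instead of failing immediately.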