Firewall Wizards mailing list archives
RE: Blocking ICMP with ipchains
From: "Ryan Russell" <Ryan.Russell () sybase com>
Date: Sun, 16 Jan 2000 19:12:58 -0800
> How could blocking all ICMP cause a problem? I have worked with two rather large networks that blocked all ICMP at the router level. Were we just lucky not to have any problems?
I guess. That, or you didn't need the services that you ended up breaking. If you don't accept ICMP unreachables, traceroute won't work. For other standard ICMP unreachable stuff, you'll eventually time out instead of getting immediate notification. You'll also break MTU path discovery, which will prevent you from communicating with a number of sites. One that I've encountered of that sort that is popular is Hotmail. I'm only aware of Solaris machines having this on by default. These ICMP messages are particularly ugly, too, since they can legitimately come from any router between you and the host you're talking to, so there's no way to predict what IP address they'll come from; you have to let 'em all in.

Ryan
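As an added illustration (not code from the post or the list), the following parses ICMP messages and applies the policy the reply argues for: drop ICMP in general, but pass Destination Unreachable, including the Type 3/Code 4 "fragmentation needed" message that carries the next-hop MTU for path MTU discovery, keyed on type/code rather than source address since these arrive from any router on the path. The inclusion of Time Exceeded (used by traceroute's intermediate hops), the sample addresses and the quoted IP header are this example's own assumptions.

```python
import socket
import struct

# ICMP types a blanket ICMP block breaks: Destination Unreachable (traceroute's final
# hop, Path MTU discovery) and Time Exceeded (traceroute's intermediate hops; assumed
# here, not spelled out in the post).
ICMP_DEST_UNREACH = 3
ICMP_TIME_EXCEEDED = 11
CODE_FRAG_NEEDED = 4   # Type 3 / Code 4: "fragmentation needed", carries next-hop MTU

def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement checksum; returns 0 for a message whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(itype: int, code: int, rest: int, payload: bytes = b"") -> bytes:
    """Build an ICMP message with a correct checksum ('rest' is the 32-bit field after the checksum)."""
    body = struct.pack("!BBHI", itype, code, 0, rest) + payload
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

# Constructed sample: IPv4 header (DF set) of a 1500-byte TCP packet from 192.0.2.10 to
# 198.51.100.7 that a router on the path could not forward without fragmenting.
SAMPLE_IP_HEADER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                               socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"))

def classify_icmp(msg: bytes) -> dict:
    """Decide whether an 'otherwise drop ICMP' policy must still pass this message.
    The decision keys on type/code only: unreachables legitimately arrive from any
    router on the path, so a source-address match cannot be used."""
    if len(msg) < 8 or icmp_checksum(msg) != 0:
        return {"allow": False, "reason": "truncated or bad checksum"}
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    result = {"type": itype, "code": code, "allow": itype in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED)}
    if itype == ICMP_DEST_UNREACH and code == CODE_FRAG_NEEDED:
        result["next_hop_mtu"] = mtu          # the value a host lowers its path MTU to
    if result["allow"] and len(msg) >= 28:
        # The quoted original IP header lets the host match the error to its own flow.
        result["orig_dst"] = socket.inet_ntoa(msg[24:28])
    if not result["allow"]:
        result["reason"] = "not needed for unreachables/PMTUD/traceroute"
    return result

if __name__ == "__main__":
    frag = build_icmp(ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, 1400, SAMPLE_IP_HEADER)
    print(classify_icmp(frag))
    print(classify_icmp(build_icmp(8, 0, 0x00010001)))   # echo request: dropped
```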