Firewall Wizards mailing list archives
RE: Blocking ICMP with ipchains
From: Richard.Smyth () nokia com
Date: Tue, 18 Jan 2000 03:07:41 +0200
You are breaking Path MTU Discovery by not allowing the "Fragmentation needed but 'Do not Fragment' bit set" ICMP message through. Solaris and NT both use PMTUD, as fragmentation is bad and should be avoided where possible. Another one to add to your list of necessary ICMPs, Carric.

Regards,
Richard Smyth

-----Original Message-----
From: EXT peter.schawacker () citicorp com [mailto:peter.schawacker () citicorp com]
Sent: Saturday, January 15, 2000 2:53 AM
To: firewall-wizards () nfr net
Subject: RE: Blocking ICMP with ipchains

How could blocking all ICMP cause a problem? I have worked with two rather large networks that blocked all ICMP at the router level. Were we just lucky not to have any problems?

-----Original Message-----
From: wwebb [mailto:wwebb () adni net]
Sent: Tuesday, January 11, 2000 7:19 PM
To: firewall-wizards
Cc: wwebb
Subject: Blocking ICMP with ipchains

I've heard that it is not wise to block all ICMP operations. Such being the case, which of these ICMP operations are safe to block without causing serious problems?

echo-reply (pong)
destination-unreachable
network-unreachable
host-unreachable
protocol-unreachable
port-unreachable
fragmentation-needed
source-route-failed
network-unknown
host-unknown
network-prohibited
host-prohibited
TOS-network-unreachable
TOS-host-unreachable
communication-prohibited
host-precedence-violation
precedence-cutoff
source-quench
redirect
network-redirect
host-redirect
TOS-network-redirect
TOS-host-redirect
echo-request (ping)
router-advertisement
router-solicitation
time-exceeded (ttl-exceeded)
ttl-zero-during-transit
ttl-zero-during-reassembly
parameter-problem
ip-header-bad
required-option-missing
timestamp-request
timestamp-reply
address-mask-request
address-mask-reply

Thanks for any assistance.
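Editor's note: the following is an added example, not code posted by anyone in the thread. It turns Richard Smyth's point into an ipchains ruleset that denies ICMP by default but explicitly accepts fragmentation-needed so that Path MTU Discovery keeps working, and it includes a small audit that flags the "block all ICMP" configuration Peter describes. The choices of the input chain, interface eth0, the APPLY switch, and the two extra kept types (time-exceeded for traceroute and port-unreachable for UDP error reporting) are the editor's assumptions, not anything the thread states.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): ipchains ICMP policy that
# blocks ICMP by default but keeps the types a host needs.
# Assumptions: chain "input", interface eth0; ipchains is only executed when
# APPLY=1 is set, otherwise the commands are printed for review.

# fragmentation-needed is the type the thread names (PMTUD breaks without it).
# time-exceeded and port-unreachable are editor's additions: without them
# traceroute and UDP "port closed" reporting stop working.
KEEP_ICMP="fragmentation-needed time-exceeded port-unreachable"

# icmp_action NAME -> prints ACCEPT if NAME is in KEEP_ICMP, DENY otherwise.
icmp_action() {
    for t in $KEEP_ICMP; do
        [ "$1" = "$t" ] && { echo ACCEPT; return 0; }
    done
    echo DENY
}

# emit_rule NAME -> prints the ipchains command for one ICMP type.
emit_rule() {
    echo "ipchains -A input -i eth0 -p icmp --icmp-type $1 -j $(icmp_action "$1")"
}

# build_ruleset -> prints the full ruleset: kept types first, then explicit
# denies for the noisy types from the original question, then a catch-all
# DENY so that an unlisted ICMP type is not silently accepted.
build_ruleset() {
    echo "ipchains -F input"
    for t in $KEEP_ICMP; do emit_rule "$t"; done
    for t in echo-request echo-reply redirect source-quench \
             timestamp-request timestamp-reply \
             address-mask-request address-mask-reply \
             router-advertisement router-solicitation; do
        emit_rule "$t"
    done
    echo "ipchains -A input -i eth0 -p icmp -j DENY"
}

# blanket_ruleset -> the "block all ICMP" policy the thread warns about,
# shown for contrast with build_ruleset.
blanket_ruleset() {
    echo "ipchains -F input"
    echo "ipchains -A input -i eth0 -p icmp -j DENY"
}

# audit_ruleset -> reads ipchains commands on stdin; returns 0 if
# fragmentation-needed is explicitly accepted before any blanket ICMP
# DENY/REJECT, 1 otherwise (i.e. the ruleset would break PMTUD).
audit_ruleset() {
    while read -r line; do
        case "$line" in
            *"--icmp-type fragmentation-needed"*ACCEPT*) return 0 ;;
            *"-p icmp -j DENY"*|*"-p icmp -j REJECT"*) return 1 ;;
        esac
    done
    return 1
}

# run -> print the ruleset, or load it into the kernel when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        build_ruleset | sh -e
    else
        build_ruleset
    fi
}

run
```

Run it without APPLY to review the generated commands; run with APPLY=1 as root on a 2.2-era kernel to load them. To check an existing policy, pipe its ipchains commands into audit_ruleset: a non-zero exit means fragmentation-needed never reaches the host and PMTUD will fail.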
Current thread:
- Blocking ICMP with ipchains wwebb (Jan 13)
- Re: Blocking ICMP with ipchains Mikael Olsson (Jan 15)
- Re: Blocking ICMP with ipchains Carric Dooley (Jan 16)
- <Possible follow-ups>
- RE: Blocking ICMP with ipchains peter . schawacker (Jan 16)
- RE: Blocking ICMP with ipchains Ryan Russell (Jan 17)
- Re: Blocking ICMP with ipchains Steven M. Bellovin (Jan 17)
- RE: Blocking ICMP with ipchains Richard . Smyth (Jan 17)
- RE: Blocking ICMP with ipchains Staggs, Michael (Jan 18)