 |
 |
Articles / TULARC / Security / comp.security.unix / |  |
|
|
||||
|
|
|||
|
|
|||
|
||||
|
|
||||
|
   |
|
||
|
17 Should I block all ICMP at my firewall/router? |
|
||
|
||||
|
|
|
||
|
||||
|
|
Articles / TULARC / Security / comp.security.unix / | |
|
|
||||
|
|
|||
|
|
|||
|
||||
|
|
||||
|
|
|
||
|
17 Should I block all ICMP at my firewall/router? |
|
||
|
||||
|
|
|
||
|
||||
|
|
|
|
||
|
||
|
|
|
|
||
|
|
||
|
||
|
|
|
|
||
|
||
This article is from the comp.security.unix and comp.security.misc FAQ, by Alan J Rosenthal flaps@dgp.toronto.edu with numerous contributions by others.
No. You need to allow the "can't fragment" message through or you will lose
connectivity to some number of sites with wacky packet sizes on their local
nets (notably token ring). See http://www.worldgate.com/~marcs/mtu/
Less crucially but still somewhat important, if you block the "destination
unreachable" message then you'll get timeouts, after a long wait, in some
cases when you could have received immediate "no route to host" messages.
But blocking some of the rest might not be a bad idea, especially "redirect".
Continue to:
|
|
|
|
 |
|