From: Georgi Alexandrov <georgi.alexandrov@gmail.com>
To: netfilter@lists.netfilter.org
Subject: Re: ICMP types to allow
Date: Wed, 21 Dec 2005 18:27:39 +0200
Message-ID: <43A9827B.6010106@gmail.com>
In-Reply-To: <FAC4E024BF776842876169173CE2F01313B710@mailbox.vikus.com>
Derick Anderson wrote:
>I know that some networks just drop all ICMP to prevent traceroutes but
>recently I've been seeing problems related to fragmentation and
>MTU and wondering if dropping ICMP is causing some of that (since
>Fragmentation Needed packets can't get through). On the flip side of
>that there's the Source Quench and Fragmentation Needed DoS attacks
>which have recently become mildly popular (I've gotten a few hits on
>Snort but not that many).
>
>I'd like to hear from the list what ICMP types firewall admins are
>allowing and why - what are the risks for allowing certain types vs. the
>risks of NOT allowing them?
>
>Thanks,
>
>Derick Anderson
>
>
>
>
Hello,
I generally allow at least those 3 icmp types: 3,11,12 - to ensure
proper network functions.
refs: http://www.faqs.org/docs/iptables/icmptypes.html
regards,
Georgi Alexandrov
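
The allow-list from the reply above written out as iptables rules, as an added example that is not part of the original message. The INPUT chain default and the final rule dropping all other ICMP are assumptions the message does not specify; the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example (not from the original message): emit iptables rules that
# accept the ICMP types named in the reply (3, 11, 12).
# Type 3 (destination-unreachable) includes code 4, "fragmentation needed",
# the message path-MTU discovery depends on and the question asks about.

# number:name pairs; the names are the standard ICMP type names.
ALLOWED_ICMP="3:destination-unreachable 11:time-exceeded 12:parameter-problem"

# icmp_rules [CHAIN] -> prints one iptables command per line.
# Assumption: everything not on the allow-list is dropped by a final rule.
# The reply says "at least" these three, so extend ALLOWED_ICMP as needed.
icmp_rules() {
    chain="${1:-INPUT}"
    for entry in $ALLOWED_ICMP; do
        type="${entry%%:*}"
        name="${entry#*:}"
        printf 'iptables -A %s -p icmp --icmp-type %s -j ACCEPT  # %s\n' \
            "$chain" "$type" "$name"
    done
    printf 'iptables -A %s -p icmp -j DROP\n' "$chain"
}

# icmp_verdict TYPE -> prints ACCEPT or DROP for a numeric ICMP type,
# i.e. what the rule set above would do with a packet of that type.
icmp_verdict() {
    for entry in $ALLOWED_ICMP; do
        if [ "${entry%%:*}" = "$1" ]; then
            echo ACCEPT
            return 0
        fi
    done
    echo DROP
}

# Print the rules for the INPUT chain so they can be reviewed before use.
icmp_rules INPUT
```

With this rule set echo requests (type 8) and source quench (type 4) are dropped, while Fragmentation Needed still gets through as part of type 3.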