firewallspotting

Tim Writer tim-s/rLXaiAEBtBDgjK7y7TUQ at public.gmane.org
Fri Dec 31 18:12:35 UTC 2004


Ilya Palagin <tux-4CS0UopE6WdBDgjK7y7TUQ at public.gmane.org> writes:

> Tim Writer wrote:
> ...
> > You _must_ allow certain types of ICMP or you'll run into trouble.  In
> > particular, types 4 (source quench), 11 (time to live exceeded), and 12
> > (parameter problem) should be allowed in both directions.  I also think you
> I don't believe one will run into trouble if ICMP is completely blocked on
> his side.

Blocked in which direction?  If you block source quench outbound, none of the
systems on your network will be able to tell a fast server to slow down.  If
you block source quench inbound, a slow system you are sending data to will
not be able to tell you to slow down.  The classic symptom of incorrectly
blocking ICMP is that you can ssh into a remote system and issue commands
that don't generate a lot of output without trouble but as soon as you issue
a command that generates a lot of output (ls in a large directory, less or
cat a large file, etc.) your connection freezes.

This type of problem can go unnoticed for a long time until, one day, your
ISP upgrades a router, installs a web cache, or some such.  Suddenly you need
flow control and you don't have it.

> Allowing those ICMP types is definitely a good networking style, but is not
> absolutely necessary.

To me, that's like saying driving on the right (in North America), is good
style but not absolutely necessary.  As long as there are no cars heading
your way, you can drive on the wrong side of the road as much as you like but
you'll be pretty sorry when traffic patterns change.

-- 
tim writer <tim-s/rLXaiAEBtBDgjK7y7TUQ at public.gmane.org>                                  starnix inc.
647.722.5301                                      toronto, ontario, canada
http://www.starnix.com              professional linux services & products
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
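The direction-aware ICMP allow list discussed above, as an added example that is not part of this thread or of any TLUG member's code: the Python below parses the 8-byte ICMPv4 header, verifies its RFC 1071 checksum, and asks a small per-direction policy whether the message may pass inbound or outbound. The type numbers (3, 4, 8, 11, 12) are the standard IANA assignments; the policy table, the sample messages and all function names are constructed for this illustration. One practitioner's caveat: the freeze-on-large-output symptom is, on modern networks, almost always a Path MTU Discovery black hole caused by dropping ICMP type 3 code 4 (fragmentation needed), so the example adds that type to the three named in the post; source quench (type 4) was formally deprecated by RFC 6633 and current stacks ignore it, so permitting it is harmless rather than load-bearing.

```python
"""ICMPv4 header parsing plus a direction-aware firewall allow list.

Added example for the TLUG "firewallspotting" thread, not code from the
thread.  Type numbers are IANA ICMPv4 assignments; the policy table and
the sample packets are constructed for illustration.
"""
import struct

# IANA ICMPv4 types referenced in the thread, plus type 3 for PMTUD.
DEST_UNREACHABLE = 3      # code 4 = fragmentation needed (Path MTU Discovery)
SOURCE_QUENCH = 4         # deprecated by RFC 6633; modern stacks ignore it
ECHO_REQUEST = 8
TIME_EXCEEDED = 11
PARAMETER_PROBLEM = 12
FRAG_NEEDED = 4           # code under type 3


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: int = 0, payload: bytes = b"") -> bytes:
    """Build an ICMP message with a correct checksum (used to construct test input)."""
    header = struct.pack("!BBHI", icmp_type, code, 0, rest)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, rest) + payload


def parse_icmp(packet: bytes) -> dict:
    """Return type, code and payload; raise ValueError on short or corrupt input."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes, got %d" % len(packet))
    if icmp_checksum(packet) != 0:      # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, rest = struct.unpack("!BBHI", packet[:8])
    info = {"type": icmp_type, "code": code, "payload": packet[8:]}
    if icmp_type == DEST_UNREACHABLE and code == FRAG_NEEDED:
        info["next_hop_mtu"] = rest & 0xFFFF   # RFC 1191: low 16 bits of the "unused" word
    return info


# Hypothetical policy: (type, code or None for any code) -> allowed directions.
# Types 4, 11 and 12 in both directions follow the post; 3/4 is the PMTUD addition.
POLICY = {
    (DEST_UNREACHABLE, FRAG_NEEDED): {"in", "out"},
    (SOURCE_QUENCH, None): {"in", "out"},
    (TIME_EXCEEDED, None): {"in", "out"},
    (PARAMETER_PROBLEM, None): {"in", "out"},
    (ECHO_REQUEST, None): {"out"},       # we may ping out; nobody pings us
}
DROP_ALL_ICMP = {}                       # the "block ICMP completely" stance


def icmp_allowed(packet: bytes, direction: str, policy=POLICY) -> bool:
    """Decide whether an ICMP message passes in the given direction ('in' or 'out')."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    try:
        msg = parse_icmp(packet)
    except ValueError:
        return False                     # malformed messages never pass
    exact = policy.get((msg["type"], msg["code"]))
    if exact is not None:
        return direction in exact
    return direction in policy.get((msg["type"], None), set())


def pmtud_blackholed(policy) -> bool:
    """True if the policy drops inbound fragmentation-needed messages, the
    usual cause of the 'ssh freezes on large output' symptom."""
    probe = build_icmp(DEST_UNREACHABLE, FRAG_NEEDED, rest=1400)
    return not icmp_allowed(probe, "in", policy)


# Constructed sample messages (not captured traffic).
TTL_EXCEEDED_MSG = build_icmp(TIME_EXCEEDED, 0, payload=b"\x45\x00" + b"\x00" * 26)
FRAG_NEEDED_MSG = build_icmp(DEST_UNREACHABLE, FRAG_NEEDED, rest=1400)
SOURCE_QUENCH_MSG = build_icmp(SOURCE_QUENCH, 0)
ECHO_REQUEST_MSG = build_icmp(ECHO_REQUEST, 0, rest=(0x1234 << 16) | 1)

if __name__ == "__main__":
    samples = [("ttl-exceeded", TTL_EXCEEDED_MSG), ("frag-needed", FRAG_NEEDED_MSG),
               ("source-quench", SOURCE_QUENCH_MSG), ("echo-request", ECHO_REQUEST_MSG)]
    for name, pkt in samples:
        print("%-14s in=%-5s out=%-5s" % (name, icmp_allowed(pkt, "in"),
                                          icmp_allowed(pkt, "out")))
    print("drop-all-ICMP causes a PMTUD black hole:", pmtud_blackholed(DROP_ALL_ICMP))
```

Running the file prints a per-message verdict for each direction under POLICY; passing DROP_ALL_ICMP instead shows that the fragmentation-needed message is discarded, which is exactly the condition under which a TCP session carrying large segments stalls while small exchanges keep working.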