firewallspotting
Ilya Palagin
tux-4CS0UopE6WdBDgjK7y7TUQ at public.gmane.org
Mon Jan 3 07:14:06 UTC 2005
Robert Brockway wrote:
> On Fri, 31 Dec 2004, Tim Writer wrote:
> Ilya Palagin <tux-4CS0UopE6WdBDgjK7y7TUQ at public.gmane.org> writes:
>
>>> Allowing those ICMP types is definitely a good networking style, but is
>>> not absolutely necessary.
>>
>>
>> To me, that's like saying driving on the right (in North America), is good
>> style but not absolutely necessary. As long as there are no cars heading
>> your way, you can drive on the wrong side of the road as much as you like
>> but you'll be pretty sorry when traffic patterns change.
>
>
> I'm with Tim 100%. Avoiding blocking certain ICMP types in and out is
> essential for the proper functioning of a network.
>
Tim is totally right, except for his comparison of roads in North America
and the Internet. Road traffic is a well organized and controlled flow,
while the Internet is some kind of Caribbean Sea of a while ago.
Source quench, for instance, can be used for an effective DoS attack.
Blocking ICMP traffic through the firewall is one of the common security
measures. It's much easier to reconfigure a firewall when ICMP is needed
than to explain to users/clients why their network was down.
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml