firewallspotting

Tim Writer tim-s/rLXaiAEBtBDgjK7y7TUQ at public.gmane.org
Mon Jan 3 15:39:12 UTC 2005


Ilya Palagin <tux-4CS0UopE6WdBDgjK7y7TUQ at public.gmane.org> writes:

> Tim is totally right, except for his comparison of roads in North America and
> the Internet.  Road traffic is a well organized and controlled flow, while
> the Internet is some kind of Caribbean sea a while ago.
> 
> Source quench, for instance, can be used for an effective DoS attack.
> Blocking ICMP traffic through the firewall is one of the common security
> measures.  It's much easier to reconfigure a firewall when ICMP is needed,
> than explaining to users/clients why their network was

Robert already answered this nicely but I'll just say one more thing.
Reconfiguring your firewall when it's discovered ICMP source quench is
necessary will likely require an on-site visit as you will be unable to
establish an _effective_ remote shell.  If the firewall's out of town, in
another country, or on another continent, your users/clients will be very
unhappy.

-- 
tim writer <tim-s/rLXaiAEBtBDgjK7y7TUQ at public.gmane.org>                                  starnix inc.
647.722.5301                                      toronto, ontario, canada
http://www.starnix.com              professional linux services & products
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml




