Perry E. Metzger
Tue, 02 Jun 1998 16:00:59 -0400
"Don Kendrick" writes:
> Agreed on the Path MTU stuff in theory thought it really depends what kind
> of traffic is going between the internal and external nets. For one, I'd
> rather deny ICMP and suffer some on performance.
Do you understand the actual consequences here?
Someone trying to contact you is going to jack up their Path MTU and
NOT get an ICMP message back, so their packets to you are going to go
into space because they get frag'ed for really *loooong* periods of
time until blackhole detection kicks in. Is that REALLY what you want
for your network? Detecting the problem is going to be a bitch, too.
If you filter ICMPs, you're also setting yourself up as an ideal
network to have its IP addresses forged in someone's SYN flood attack
on an innocent third party. No "Unreachable" messages means the poor
victim is going to have to keep state for god knows how long while
replying to a nonexistant host/port on your LAN. You are guaranteed to
provide the bad guys with lots of fun.
I've never understood why blocking ICMP was going to make you more
secure in the first place. Lots of ICMP information is very valuable
in making protocols run smoothly. Sure, some of it can be dangerous if
it is misused, like redirects, but you should know what you are doing,
not blindly block the whole protocol.