ICMP Packets.

matthew green mrg@eterna.com.au
Thu, 04 Jun 1998 17:11:54 +1000


hi folks.


i read this thread with a bit of interest (more than other threads :),
because i was surprised at the number of people advocating the "block
all icmp packets" approach.

perry says:
   IP is an end to end protocol. ICMP is an integral part of IP. If you
   allow IP through a network device, you have to allow ICMP to follow
   it.

this sums up everything i would really want to say about it.  if you
want to run IP, then you should use the IP protocols.  "i'm going to
block HTTP GET" -- blocking part of a protocol mostly leads to lossage
and pain.  i *used to* run my ppp MTU at something considerably lower
than 1500 but i've raised it back to 1500 because there were too many
sites with broken firewalls that were attempting to talk to my mail
server but were *not* receiving the ICMP need frag error my hosts were
sending, and thus the mail was *never* getting through.

if you really care about security such that you think blocking ICMP
messages is a good thing, _why_ don't you also block normal IP packets
as well?  as far as i can tell, normal IP packets can have more inherent
danger as their scope is (basically) infinite.  :-)


later,


.mrg.
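The need-frag black hole mrg describes, as an added simulation that is not part of the post: a sender doing Path MTU Discovery (RFC 1191) across a hop whose link MTU is smaller than 1500, once with the ICMP type 3/code 4 error delivered and once with a firewall dropping all ICMP. The MTUs, message sizes and the `Hop`/`send_message` names are constructed for illustration.

```python
# Added example, not from the post: a small simulation of Path MTU Discovery
# showing why filtering *all* ICMP turns a small-MTU hop into a black hole.
# MTUs and message sizes are constructed values.
from dataclasses import dataclass
from typing import Optional

ICMP_UNREACH = 3   # ICMP type 3, Destination Unreachable
FRAG_NEEDED = 4    # code 4, "fragmentation needed and DF set" (need frag)

@dataclass
class NeedFrag:
    type: int
    code: int
    next_hop_mtu: int   # RFC 1191 carries the next-hop MTU in the error

@dataclass
class Hop:
    link_mtu: int
    filter_all_icmp: bool   # the "block all icmp" policy the thread argues against

    def forward(self, size: int) -> Optional[object]:
        """Deliver a DF-set packet, or return the ICMP need-frag error.
        If a firewall drops all ICMP, the sender sees nothing (None) even
        though the oversized packet was discarded."""
        if size <= self.link_mtu:
            return "delivered"
        err = NeedFrag(ICMP_UNREACH, FRAG_NEEDED, self.link_mtu)
        return None if self.filter_all_icmp else err

def send_message(hop: Hop, total: int, mtu: int = 1500, max_retries: int = 5) -> int:
    """PMTUD sender: lower its path MTU when a need-frag error arrives.
    Returns packets delivered, or -1 when the transfer black-holes."""
    delivered, remaining, retries = 0, total, 0
    while remaining > 0:
        size = min(mtu, remaining)
        result = hop.forward(size)
        if result == "delivered":
            delivered, remaining = delivered + 1, remaining - size
        elif isinstance(result, NeedFrag) and result.code == FRAG_NEEDED:
            mtu = result.next_hop_mtu      # honour the advertised MTU
        else:
            retries += 1                   # silence: retransmit the same size
            if retries >= max_retries:
                return -1                  # the mail "never gets through"
    return delivered

if __name__ == "__main__":
    print(send_message(Hop(1400, False), 4000))   # 3: sender adapts to 1400
    print(send_message(Hop(1400, True), 4000))    # -1: black hole
```

Small messages still fit the link and get through even with ICMP filtered, which is why the breakage looks intermittent and is so often blamed on the remote site.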