ICMP Packets.

tqbf@pobox.com
Thu, 4 Jun 1998 03:13:28 -0500 (CDT)


> If you are filtering datagrams that claim to come from your network 
> that originate externally, redirects are not an issue. They also can
> be individually filtered.

This assumes that devices on your network will not misbehave when they
receive a redirect message from an arbitrary host. Given that there is no
legitimate reason for a redirect message to pass through a packet filter,
and that the purpose of a packet filter is to limit network exposure to
vulnerable hosts, it seems like a poor idea to pass redirects.

-----------------------------------------------------------------------------
Thomas H. Ptacek	  The Company Formerly Known As Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.pobox.com/~tqbf	 "If you're so special, why aren't you dead?"
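
The two inbound rules discussed in this exchange, as an added Python example that is not part of the original message: the quoted anti-spoofing check on the source address, and an explicit drop of ICMP redirects (type 5), which still arrive when the sender uses an external source address. The internal prefix 192.0.2.0/24, the function names and the sample packets are assumptions constructed for illustration; dropping non-initial ICMP fragments is likewise an added policy choice.

```python
import ipaddress
import struct

ICMP_PROTO = 1
ICMP_REDIRECT = 5  # RFC 792: type 5, codes 0-3
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed internal prefix


def filter_inbound(packet: bytes, block_redirects: bool = True) -> tuple[str, str]:
    """Decide the fate of a raw IPv4 packet arriving on the external interface."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop", "not a well-formed IPv4 packet"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "drop", "bad IPv4 header length"
    src = ipaddress.ip_address(packet[12:16])
    # Quoted rule: externally originated packets must not claim an internal source.
    if src in INTERNAL_NET:
        return "drop", f"external packet claims internal source {src}"
    # Reply's rule: redirects have no legitimate reason to cross the filter.
    if block_redirects and packet[9] == ICMP_PROTO:
        if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
            return "drop", "non-initial ICMP fragment, type cannot be checked"
        if len(packet) < ihl + 8:
            return "drop", "truncated ICMP header"
        icmp_type, code = packet[ihl], packet[ihl + 1]
        if icmp_type == ICMP_REDIRECT:
            gw = ipaddress.ip_address(packet[ihl + 4:ihl + 8])
            return "drop", f"ICMP redirect code {code} from {src} naming gateway {gw}"
    return "pass", "no rule matched"


def build_icmp(src: str, dst: str, icmp_type: int, code: int, rest: bytes) -> bytes:
    """Build a sample IPv4+ICMP packet; checksums stay zero, the filter ignores them."""
    icmp = struct.pack("!BBH", icmp_type, code, 0) + rest
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, ICMP_PROTO, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + icmp


GATEWAY = ipaddress.ip_address("198.51.100.9").packed  # constructed value
SAMPLES = {  # constructed packets using documentation address ranges only
    "redirect_external_src": build_icmp("198.51.100.7", "192.0.2.10", 5, 1, GATEWAY),
    "redirect_spoofed_src": build_icmp("192.0.2.1", "192.0.2.10", 5, 1, GATEWAY),
    "echo_request": build_icmp("198.51.100.7", "192.0.2.10", 8, 0, b"\x00\x01\x00\x01"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:24} antispoof-only={filter_inbound(pkt, False)[0]:5}"
              f" with-redirect-rule={filter_inbound(pkt)}")
```

With `block_redirects=False` the redirect carrying an external source address passes the anti-spoofing check alone, which is the case the reply is concerned with.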