ICMP Packets.

Bennett Todd bet@rahul.net
Thu, 4 Jun 1998 05:56:48 -0700

1998-06-03-16:20:28 Perry E. Metzger:
> I'm a firewall fascist -- I build the things to permit only those
> things I *know* to be needed, but ICMP is on that list. It makes sense 
> to block perhaps certain ICMP messages, but not *all* ICMP.

Does it make more sense to block certain ICMP messages, or to permit
certain ones? From what I've heard so far, you want to permit incoming
``whatever unreachables'', and you want to allow incoming ``must
fragment'' if any server in your DMZ is attempting path MTU discovery.
What else screws you up if you drop it? And is there any ICMP that you
urgently need to allow out? What are the message types you need to pass
to not be a good site for SYN attacks to forge from?