Re: Completely blocking icmp
From: Alan Strassberg (alan@internal.wj.com)
Date: 12/31/02
- Next message: Don Kelloway: "Re: Here's what."
- Previous message: RAV: "Re: I deleted svchost.exe from c:\winnt\system32"
- In reply to: Ken Palmateer: "Completely blocking icmp"
- Next in thread: Greg Hennessy: "Re: Completely blocking icmp"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: alan@internal.wj.com (Alan Strassberg) Date: 30 Dec 2002 21:11:20 -0800
In article <oho11vsbv2lfj8vb9rh9ckkm7b6jo5nk1m@4ax.com>,
Ken Palmateer <kpalmatr@sympatico.ca> wrote:
> Any opinions as to if blocking ICMP completely slows things down?
Yes. You will break PMTU (Path MTU) discovery and this
will cause problems for routers trying to negotiate packet
sizes. My preference is from the NSA Cisco Security Guide
(www.nsa.gov) ...
access-list 101 deny icmp any any echo
access-list 101 deny icmp any any redirect
access-list 101 deny icmp any any mask-request
access-list 101 permit icmp any any
Deny the abused ICMP, and allow the good ones. ICMP is a
good protocol, just gets bad press.
alan
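As an added illustration (not part of Alan's post or the NSA guide), the following Python models what the thread is arguing about: a first-match ICMP access list in the style of the four lines above, and a simplified RFC 1191 Path MTU discovery exchange in which a router with a small MTU answers an oversized DF packet with an ICMP type 3 code 4 "fragmentation needed" message. The ICMP type numbers are the real RFC 792 values behind the IOS keywords; the path, packet sizes and the two access lists being compared are constructed for the example.

```python
"""Constructed example: selective ICMP filtering versus blocking all ICMP,
measured by whether Path MTU discovery (RFC 1191) still completes."""

from dataclasses import dataclass
from typing import Optional

# RFC 792 type numbers behind the IOS access-list keywords used in the post.
ICMP_TYPES = {
    "echo-reply": 0,
    "unreachable": 3,      # code 4 = "fragmentation needed and DF set"
    "redirect": 5,
    "echo": 8,
    "time-exceeded": 11,
    "mask-request": 17,
}
FRAG_NEEDED = (3, 4)


@dataclass(frozen=True)
class IcmpMessage:
    icmp_type: int
    code: int = 0
    next_hop_mtu: Optional[int] = None  # carried by type 3 code 4 (RFC 1191)


# The access list from the post, as (action, icmp-type keyword); None = any type.
SELECTIVE_ACL = [
    ("deny", "echo"),
    ("deny", "redirect"),
    ("deny", "mask-request"),
    ("permit", None),
]
# The "block ICMP completely" policy the original question asked about.
BLOCK_ALL_ACL = [("deny", None)]


def acl_permits(acl, msg: IcmpMessage) -> bool:
    """First-match evaluation, like an IOS access list, with the implicit
    deny at the end."""
    for action, keyword in acl:
        if keyword is None or ICMP_TYPES[keyword] == msg.icmp_type:
            return action == "permit"
    return False


def pmtu_discovery(acl, path_mtus, size=1500, max_attempts=8):
    """Simulate a sender setting DF on every packet (RFC 1191) behind a
    filter that applies `acl` to inbound ICMP. `path_mtus` lists the MTU of
    each hop in order. Returns (delivered, final_size, attempts)."""
    for attempt in range(1, max_attempts + 1):
        # The first hop whose MTU is smaller than the packet drops it and
        # answers with "fragmentation needed" carrying its own MTU.
        choke = next((m for m in path_mtus if m < size), None)
        if choke is None:
            return True, size, attempt          # fits every hop: delivered
        too_big = IcmpMessage(*FRAG_NEEDED, next_hop_mtu=choke)
        if not acl_permits(acl, too_big):
            # Black hole: the sender gets no feedback and retries the same
            # size until it gives up. This is the breakage the post describes.
            continue
        size = too_big.next_hop_mtu              # lower the path MTU and retry
    return False, size, max_attempts


if __name__ == "__main__":
    path = [1500, 1492, 1400, 1500]             # constructed: two shrinking hops
    for name, acl in (("selective", SELECTIVE_ACL), ("block-all", BLOCK_ALL_ACL)):
        print(name, pmtu_discovery(acl, path))
    for keyword in ("echo", "echo-reply", "redirect", "mask-request", "time-exceeded"):
        print(keyword, "permitted:", acl_permits(SELECTIVE_ACL, IcmpMessage(ICMP_TYPES[keyword])))
```

With the selective list the sender converges on the 1400-byte path MTU after two "fragmentation needed" messages; with every ICMP type denied, the same 1500-byte packets are silently dropped on each attempt and the transfer never completes. The same evaluator shows that the selective list still drops echo requests, redirects and mask requests while letting echo replies and time-exceeded messages through.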