Re: Ok to let all ICMP traffic through firewall?

From: Dave Dowson (a031003${dd}.nospam_at_ddka.invalid)
Date: 09/23/05 

Date: Fri, 23 Sep 2005 21:43:04 +0100

On Fri, 23 Sep 2005 19:01:45 GMT, Leythos
<void@nowhere.lan> wrote:

> So, show me where our decision to not allow ICMP hurts our ability to
> provide the services we do, impacts our ability to use Internet
> services, or our ability to share information with our business
> partners, or stuff it.

How do you handle PMTU discovery - or do you prevent segments with the
DF bit set leaving your network, or do you mangle the headers and
remove the DF flag, or do you just accept that some sites on that
Internet may not be reachable from nodes on your network, or do you
rely on Windows rather inefficent "PMTU Blackhole discovery" feature
working ?

If you don't allow *any* inbound ICMP and don't implement effective
work arounds then you (or your network users) would have some problems
with all of my locally hosted servers - but then you don't have
access anyway, so you maybe you can live with the fact that your
implementation is broken ;-)

PS - You are not alone in your screwed up thinking - the company I
     used to work for adopted a similar policy, and it effectively
     caused all my VPN connections from work to home to fail. Easy
     to 'fix' since I controlled the 'home' end of the VPN, but not
     necessarily quite so easy to fix for an arbitary site on the
     Internet.

Relevant Pages

  • Re: How to get my 2 ethernet cards to work
    ... the wrong way round - usually eth0 will be to the internet, ... Then you had better fix that! ... really a network of yours or your providers. ... I might suspect the IP addresses are on the wrong cards. ...
    (comp.os.linux.networking)
  • Re: How to get my 2 ethernet cards to work
    ... If you have a cable modem that connects to an ethernet ... which connects to the internet. ... that with the almighty Linux, known to be a network OS, how could it ... > deeply wrong here and I need to fix it before taking a single step ...
    (comp.os.linux.networking)
  • Set up your Internet Address Wizard Issues
    ... I get an error message telling me to run the 'Fix my Network' wizard when I ... run the 'Set up my Internet Address' wizard. ...
    (microsoft.public.windows.server.sbs)
  • Re: OT but funny shit
    ... "If you are unable to access the network, internet or email please ... This should fix the problem." ... print off all the emails and send a car downtown with them." ...
    (rec.motorcycles.harley)
  • Re: OT but funny shit
    ... "If you are unable to access the network, internet or email please log ... This should fix the problem." ... can be amusing to those of us stuck in dark corners being expected to keep ...
    (rec.motorcycles.harley)