Re: ICMP: Source quench?

In article <cistron.3960F2FD.DD88EE24@akp.dk>,
Anders K. Pedersen <akp@akp.dk> wrote:
>Glynn Clements wrote:
>> Personally I suggest allowing the following ICMP types:
>> 
>>          0      Echo Reply
>>          3      Destination Unreachable
>>         11      Time Exceeded
>>         12      Parameter Problem
>> 
>> and dropping the rest (you must allow ICMP type 3).
>
>Why must type 3 be allowed?
>Wouldn't it make it harder to do portscans and similar things, if one drops all
>outgoing "Destination Unreachable" packets?

If you block Destination Unreachable, you also block all the type 3
subtypes:

/* Codes for UNREACH. */
#define ICMP_NET_UNREACH        0       /* Network Unreachable          */
#define ICMP_HOST_UNREACH       1       /* Host Unreachable             */
#define ICMP_PROT_UNREACH       2       /* Protocol Unreachable         */
#define ICMP_PORT_UNREACH       3       /* Port Unreachable             */
#define ICMP_FRAG_NEEDED        4       /* Fragmentation Needed/DF set  */
#define ICMP_SR_FAILED          5       /* Source Route failed          */
#define ICMP_NET_UNKNOWN        6       /* Destination network unknown  */
#define ICMP_HOST_UNKNOWN       7       /* Destination host unknown     */
#define ICMP_HOST_ISOLATED      8       /* Source host isolated         */
#define ICMP_NET_ANO            9       /* Network admin. prohibited    */
#define ICMP_HOST_ANO           10      /* Host admin. prohibited       */
#define ICMP_NET_UNR_TOS        11      /* Network unreachable for TOS  */
#define ICMP_HOST_UNR_TOS       12      /* Host unreachable for TOS     */
#define ICMP_PKT_FILTERED       13      /* Packet filtered */
#define ICMP_PREC_VIOLATION     14      /* Precedence violation */
#define ICMP_PREC_CUTOFF        15      /* Precedence cut off */
#define NR_ICMP_UNREACH         15      /* instead of hardcoding immediate value */

Especially ICMP_FRAG_NEEDED is essential for path MTU discovery - please
read http://www.worldgate.com/~marcs/mtu/ for more understanding.

Path MTU discovery is an integral part of the Internet. However, since
M$ NT sends packets with DF on by default, many clueless firewall
administrators block all ICMP, and a lot of layer4 load balancing switches
are broken wrt sending ICMP_FRAG_NEEDED back to the source (like
www.google.com!), nobody will notice one site more being severely broken.

The "September that never ended" effect has extended to most network
administrators as well, I guess. Oh well.

Mike.
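As an added illustration of the point made above about ICMP_FRAG_NEEDED (example code written for this archive page, not from the original thread or from the kernel header it quotes): a small C program that inspects an incoming ICMP header under Glynn's allow-list versus a drop-all rule, and shows which policy lets the next-hop MTU reach the host. The ICMP_* type names, the policy functions and the sample packet are assumptions constructed here; only the numeric values come from the header quoted above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* Values as in the Linux icmp.h excerpt quoted in the post. */
#define ICMP_ECHOREPLY     0
#define ICMP_DEST_UNREACH  3
#define ICMP_TIME_EXCEEDED 11
#define ICMP_PARAMETERPROB 12
#define ICMP_FRAG_NEEDED   4  /* type 3 code: Fragmentation Needed / DF set */

/* Glynn's allow-list: ICMP types 0, 3, 11 and 12 pass, everything else is dropped. */
int allowed_by_policy(uint8_t type)
{
    return type == ICMP_ECHOREPLY || type == ICMP_DEST_UNREACH ||
           type == ICMP_TIME_EXCEEDED || type == ICMP_PARAMETERPROB;
}

/* The "block all ICMP" policy the post complains about. */
int drop_all(uint8_t type) { (void)type; return 0; }

/* RFC 1071 one's-complement checksum; yields 0 when the stored checksum is valid. */
uint16_t icmp_cksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += (uint32_t)(buf[i] << 8 | buf[i + 1]);
    if (len & 1) sum += (uint32_t)buf[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Inspect the 8-byte ICMP header (RFC 792/1191: type, code, checksum, unused, MTU) and
 * return the next-hop MTU the host should adopt if this is a Fragmentation Needed
 * message that the policy lets through; 0 means no PMTU information arrived. */
uint16_t pmtu_update(const uint8_t *buf, size_t len, int (*policy)(uint8_t))
{
    if (len < 8 || icmp_cksum(buf, len) != 0) return 0;   /* truncated or corrupted */
    if (!policy(buf[0])) return 0;                        /* firewall dropped it */
    if (buf[0] != ICMP_DEST_UNREACH || buf[1] != ICMP_FRAG_NEEDED) return 0;
    return (uint16_t)(buf[6] << 8 | buf[7]);              /* next-hop MTU, big-endian */
}

/* Constructed sample: type 3, code 4, valid checksum 0xF727, next-hop MTU 1492. */
const uint8_t sample_frag_needed[8] = { 3, 4, 0xF7, 0x27, 0, 0, 0x05, 0xD4 };

int main(void)
{
    /* Allow-list: host learns MTU 1492. Drop-all: learns nothing, PMTU black hole. */
    printf("allow-list: %u\n", pmtu_update(sample_frag_needed, 8, allowed_by_policy));
    printf("drop-all:   %u\n", pmtu_update(sample_frag_needed, 8, drop_all));
    return 0;
}
```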

