On Friday 11 February 2005 18:27, Cedric Blancher wrote:
> On Friday 11 February 2005 at 17:57 +0300, Mikhail Zotov wrote:
> > As far as I understand, it is safe to ACCEPT incoming
> > packets of this sort.
>
> As far as they're RELATED, you can assume these packets to be
> legitimate ones. So, yes it is safe to accept them. It is also necessary
> to accept them if you want your IP stack to detect errors and be
> functional. As an example, if you drop Fragmentation Needed packets
> (type 3, code 4), you'll break PMTU Discovery...
>
> > Is it safe to allow _outgoing_ packets of this kind?
>
> For the same reason, yes, and for the sake of the Internet, do it.

Thanks a lot for your comprehensive answer! Thus, do I understand
it correctly that I should and can safely accept _all_ RELATED
ICMP messages, both incoming and outgoing?

> I'm personally sick of these dummy firewalls/admin who can't get ICMP
> filtered correctly and break things, so you have to find workarounds all
> the time.

I get your point. Unfortunately, I have failed to find a clear
explanation of proper dealing with ICMP packets. This mailing
list was my last hope. :-)

Regards,
Mikhail
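
Added example, not part of the original thread and not netfilter's own code: a simplified Python model of what RELATED means for the ICMP errors discussed above. An ICMP error quotes the header of the packet that triggered it, and connection tracking marks the error RELATED only when that quoted header matches a flow it already knows. The addresses, ports, flow table and function names are constructed for illustration; checksums and NAT are ignored.

```python
import socket
import struct

# ICMP error types that quote the header of the packet they complain about:
# 3 unreachable (code 4 = Fragmentation Needed), 4 source quench,
# 5 redirect, 11 time exceeded, 12 parameter problem.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at 0 (not verified here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def icmp_error(router, host, icmp_type, code, quoted):
    """ICMP error from `router` to `host` quoting the offending packet.
    The last 16-bit field (1400) is the next-hop MTU for type 3, code 4."""
    icmp = struct.pack("!BBHHH", icmp_type, code, 0, 0, 1400) + quoted
    return ipv4_header(router, host, 1, len(icmp)) + icmp

def classify_icmp(packet, tracked):
    """RELATED if an ICMP error quotes a tracked flow, INVALID if it quotes
    nothing we know, NOT_ERROR for query types (tracked as their own flows)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:
        return "INVALID"
    if packet[ihl] not in ICMP_ERROR_TYPES:
        return "NOT_ERROR"
    inner = packet[ihl + 8:]               # quoted IP header + 8 bytes of L4
    inner_ihl = (inner[0] & 0x0F) * 4 if inner else 0
    if inner_ihl < 20 or len(inner) < inner_ihl + 4:
        return "INVALID"
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    flow = (inner[9], socket.inet_ntoa(inner[12:16]), sport,
            socket.inet_ntoa(inner[16:20]), dport)
    return "RELATED" if flow in tracked else "INVALID"

# Constructed sample data (documentation address ranges).
TRACKED = {(6, "192.0.2.10", 40000, "198.51.100.5", 443)}
QUOTED = ipv4_header("192.0.2.10", "198.51.100.5", 6, 8) + struct.pack("!HHI", 40000, 443, 1)
UNKNOWN = ipv4_header("192.0.2.10", "198.51.100.5", 6, 8) + struct.pack("!HHI", 41000, 443, 1)

if __name__ == "__main__":
    for name, q in (("tracked flow", QUOTED), ("unknown flow", UNKNOWN)):
        pkt = icmp_error("203.0.113.1", "192.0.2.10", 3, 4, q)
        print(name, "->", classify_icmp(pkt, TRACKED))
```

A Fragmentation Needed message that quotes a flow the host never opened falls out as INVALID rather than RELATED, which is why accepting RELATED does not amount to accepting arbitrary ICMP.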