Re: ICMP types to allow


 



Quoting Derick Anderson <danderson@xxxxxxxxx>:

I know that some networks just drop all ICMP to prevent traceroutes but
recently I've been seeing problems related to fragmentation and
MTU and wondering if dropping ICMP is causing some of that (since
Fragmentation Needed packets can't get through). On the flip side of
that there's the Source Quench and Fragmentation Needed DoS attacks
which have recently become mildly popular (I've gotten a few hits on
Snort but not that many).

I'd like to hear from the list what ICMP types firewall admins are
allowing and why - what are the risks for allowing certain types vs. the
risks of NOT allowing them?

Thanks,

Derick Anderson


We allow ICMP type 8 (echo request) incoming against our firewall and all "related" and "established" ICMP traffic, which should cover the MTU problem and should be safe against blind spoofing.

Regards

Andreas
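
The policy described in the reply above, as an added example that is not part of either post and is not netfilter's code: a simplified Python model in which an ICMP error is "related" only if the packet it quotes belongs to a flow the host is tracking. The flow table, addresses, ports and function names are constructed for illustration.

```python
import socket
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ERRORS = {3, 4, 5, 11, 12}  # unreachable, source quench, redirect, time exceeded, parameter problem

def ip_tcp_head(src, sport, dst, dport):
    """Constructed sample: 20-byte IPv4 header plus first 8 bytes of TCP (checksum 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!HHI", sport, dport, 1000)

def icmp_msg(icmp_type, code, rest=0, body=b""):
    """ICMP header: type, code, checksum (0 in this model), 4 'rest' bytes, then body."""
    return struct.pack("!BBHI", icmp_type, code, 0, rest) + body

def quoted_flow(msg):
    """Return (proto, src, sport, dst, dport) quoted inside an ICMP error, or None."""
    inner = msg[8:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return (inner[9], socket.inet_ntoa(inner[12:16]), sport,
            socket.inet_ntoa(inner[16:20]), dport)

def verdict(msg, tracked):
    """Model of the policy: echo request in, plus ICMP errors tied to a tracked flow."""
    if len(msg) < 8:
        return "DROP"
    if msg[0] == ICMP_ECHO_REQUEST:
        return "ACCEPT"
    if msg[0] in ICMP_ERRORS and quoted_flow(msg) in tracked:
        return "ACCEPT"  # "related": the error quotes a packet we really sent
    return "DROP"

# Constructed sample data (documentation address ranges).
TRACKED = {(6, "192.0.2.10", 40000, "198.51.100.5", 443)}
FRAG_NEEDED = icmp_msg(3, 4, rest=1400, body=ip_tcp_head("192.0.2.10", 40000, "198.51.100.5", 443))
BLIND_SPOOF = icmp_msg(3, 4, rest=576, body=ip_tcp_head("192.0.2.10", 31337, "198.51.100.5", 443))
QUENCH_SPOOF = icmp_msg(4, 0, body=ip_tcp_head("192.0.2.10", 40001, "198.51.100.5", 443))

if __name__ == "__main__":
    for name in ("FRAG_NEEDED", "BLIND_SPOOF", "QUENCH_SPOOF"):
        print(name, verdict(globals()[name], TRACKED))
```

The model leaves out the "established" case (echo replies to the host's own pings) and checksum validation; it covers only the echo-request and quoted-flow checks.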



