Derick Anderson wrote:
I know that some networks just drop all ICMP to prevent traceroutes but
recently I've been seeing problems related to fragmentation and
MTU and wondering if dropping ICMP is causing some of that (since
Fragmentation Needed packets can't get through). On the flip side of
that there's the Source Quench and Fragmentation Needed DoS attacks
which have recently become mildly popular (I've gotten a few hits on
Snort but not that many).
I'd like to hear from the list what ICMP types firewall admins are
allowing and why - what are the risks for allowing certain types vs. the
risks of NOT allowing them?
Thanks,
Derick Anderson
Hello,
I generally allow at least those 3 ICMP types: 3, 11, 12 - to ensure
proper network functions.
refs: http://www.faqs.org/docs/iptables/icmptypes.html
regards,
Georgi Alexandrov
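
An added example, not written by either poster: a Python sketch of the verdict a type-based allow-list of 3, 11 and 12 gives, run over constructed ICMP messages. It shows that Fragmentation Needed (type 3, code 4) passes with its next-hop MTU readable, while Source Quench (type 4) and Echo Request (type 8) are dropped. The function names and sample packets are assumptions made for illustration.

```python
import struct

# Allow-list from the reply above: Destination Unreachable (3),
# Time Exceeded (11), Parameter Problem (12).
ALLOWED_TYPES = {3, 11, 12}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum, as used by ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: int = 0, payload: bytes = b"") -> bytes:
    """Build a sample ICMP message (constructed data, not a capture)."""
    header = struct.pack("!BBHI", icmp_type, code, 0, rest)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, rest) + payload

def filter_icmp(msg: bytes) -> dict:
    """Return the verdict a type-only allow-list gives this ICMP message."""
    if len(msg) < 8:
        return {"verdict": "DROP", "reason": "truncated header"}
    icmp_type, code, _csum, rest = struct.unpack("!BBHI", msg[:8])
    # A valid message sums to zero when the checksum field is included.
    if inet_checksum(msg) != 0:
        return {"verdict": "DROP", "reason": "bad checksum"}
    result = {
        "type": icmp_type,
        "code": code,
        "verdict": "ACCEPT" if icmp_type in ALLOWED_TYPES else "DROP",
    }
    if icmp_type == 3 and code == 4:
        # RFC 1191: the low 16 bits of the second header word carry the
        # next-hop MTU that path MTU discovery depends on.
        result["pmtud"] = True
        result["next_hop_mtu"] = rest & 0xFFFF
    return result

if __name__ == "__main__":
    samples = {
        "frag-needed": build_icmp(3, 4, 1400, b"\x45" + b"\x00" * 27),
        "time-exceeded": build_icmp(11, 0),
        "source-quench": build_icmp(4, 0),
        "echo-request": build_icmp(8, 0, 0x00010001, b"ping"),
    }
    for name, msg in samples.items():
        print(name, filter_icmp(msg))
```

Because the allow-list matches on type only, every code of type 3 is accepted, including code 4; a filter that drops all ICMP would discard that message and the sender would never learn the smaller path MTU.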