On Sun, 2004-10-17 at 15:46, Cedric Blancher wrote:
> On Sun 17/10/2004 at 22:21, James Edwards wrote:
> > So, blocking ***all*** ICMP ***types*** is bad but you can block some
> > ***types*** without getting into trouble. Till you understand what all
> > the types do in relation to networking I would leave them alone.
>
> Nowadays, using a decent stateful firewall allows one to get rid of ICMP
> filtering by associating ICMP errors to existing connections. As an
> example, when filtering using Netfilter, ICMP errors triggered by known
> IP connections are recognized as such (i.e. RELATED state) and thus can
> be filtered in a different way than unsolicited ones (i.e. INVALID state)
> are.
>
> This kind of feature allows one not to block valid ICMP stuff and keep
> away from direct ICMP solicitations you can filter the way you want.
>
> My 0.02€...

That is great till you want to run a server behind that firewall. The
bigger picture, to me, is you gain little in security by blocking ICMP.

j
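As an added example (not from either poster), here is the conntrack-based ICMP policy Cedric describes, written as a small iptables INPUT ruleset for a host that also runs a server: ICMP errors belonging to known flows pass as RELATED, unassociated ones are dropped as INVALID, and unsolicited echo-requests are rate-limited rather than blocked outright. It assumes iptables with the conntrack and limit matches; the IPT variable is a hypothetical hook so the rules can be previewed without applying them.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes iptables with the
# conntrack and limit matches. Set IPT="echo iptables" to preview the
# rules instead of loading them (IPT is a hypothetical override).
IPT="${IPT:-iptables}"

icmp_policy() {
    # 1. ICMP errors (dest-unreachable incl. frag-needed, time-exceeded,
    #    ...) that conntrack ties to an existing flow are RELATED, and
    #    echo-replies to our own pings are ESTABLISHED. Accepting these
    #    keeps Path MTU discovery working for the server's connections.
    $IPT -A INPUT -p icmp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 2. ICMP that conntrack cannot associate with any flow (an error whose
    #    embedded packet matches nothing we sent) is INVALID: drop it.
    $IPT -A INPUT -p icmp -m conntrack --ctstate INVALID -j DROP

    # 3. Unsolicited ICMP is NEW, not INVALID. Keep the host pingable but
    #    rate-limit echo-requests so it cannot be used as a flood source.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW \
         -m limit --limit 5/second --limit-burst 10 -j ACCEPT

    # 4. Any other unsolicited ICMP type (timestamp-request, etc.) is dropped.
    $IPT -A INPUT -p icmp -j DROP
}
```

Run `IPT="echo iptables" sh -c '. ./icmp.sh; icmp_policy'` to see the four rules before applying them on a real host.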