* Gerhard Sittig wrote on Sat, May 27, 2000 at 11:09 +0200:
But looking at all the ICMP packet types one should at least block the redirect ones. And besides "dest unreach", "param prob", "source quench" and "time exceeded" everything else seems luxurious to pass through.
Do you know what happens to the payload of such packets? May they be used like in ICMP echo request packets?
And *if* you have to enable echo requests and replies, you had better block ICMP to the network and broadcast addresses (remember smurf, tfn and the other DoSes?).
BTW: if a firewall rejects echo request (with comm adm. prohibited), ordinary ping shows normal output, but of course even if the pinged host is down. Additionally it seems to be possible to always block fragmented ICMPs, since usually those packets are very small, aren't they? (Comments?)

oki, Steffen

-- 
This message was generated by machine; it therefore bears neither signature nor seal.
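The policy sketched in the message above (pass only the four error types, drop redirects, drop echo to the network and broadcast addresses, drop any fragmented ICMP), written out as a small packet classifier. This is an added example, not code from the original post or from any firewall product: it parses a raw IPv4+ICMP datagram with the standard library, applies the rules, and returns a verdict. The protected subnet 192.168.1.0/24, the 576-byte cap on error-message payloads, and every sample packet are constructed assumptions for the illustration; the cap addresses the "what happens to the payload" question by treating bulky error messages as suspect.

```python
# Added example (not from the mailing-list post): IPv4/ICMP classifier for the
# ICMP policy discussed above. Subnet, payload cap and sample packets are
# constructed for illustration.
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_SOURCE_QUENCH = 0, 3, 4
ICMP_REDIRECT, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED, ICMP_PARAM_PROB = 5, 8, 11, 12
ERROR_TYPES = {ICMP_DEST_UNREACH, ICMP_SOURCE_QUENCH, ICMP_TIME_EXCEEDED, ICMP_PARAM_PROB}
ECHO_TYPES = {ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY}


@dataclass
class IcmpPacket:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    fragmented: bool          # MF flag set, or a non-first fragment
    icmp_type: Optional[int]  # None for non-first fragments (no ICMP header present)
    icmp_code: Optional[int]
    payload: bytes            # bytes following the 8-byte ICMP header


def parse_ipv4_icmp(raw: bytes) -> IcmpPacket:
    """Parse the IPv4 header and, for a first fragment, the ICMP header."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _tlen, _id, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 1:
        raise ValueError("not an IPv4/ICMP datagram")
    ihl = (ver_ihl & 0x0F) * 4
    more_fragments = bool(flags_frag & 0x2000)
    frag_offset = flags_frag & 0x1FFF
    src_addr, dst_addr = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if frag_offset != 0:
        # Not the first fragment: the ICMP header travelled in fragment 0.
        return IcmpPacket(src_addr, dst_addr, True, None, None, raw[ihl:])
    icmp = raw[ihl:]
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    return IcmpPacket(src_addr, dst_addr, more_fragments, icmp[0], icmp[1], icmp[8:])


def filter_icmp(pkt: IcmpPacket, protected: ipaddress.IPv4Network,
                allow_echo: bool = False,
                max_error_payload: Optional[int] = None) -> Tuple[str, str]:
    """Return (verdict, reason) for an inbound ICMP packet under the discussed policy."""
    if pkt.fragmented:
        return "DROP", "fragmented ICMP"
    if pkt.icmp_type == ICMP_REDIRECT:
        return "DROP", "redirect"
    if pkt.icmp_type in ERROR_TYPES:
        # Assumed tunable: an error message quoting far more than the offending
        # datagram's header is a candidate covert channel, so cap its payload.
        if max_error_payload is not None and len(pkt.payload) > max_error_payload:
            return "DROP", "oversized error payload"
        return "ACCEPT", "error message"
    if pkt.icmp_type in ECHO_TYPES:
        if not allow_echo:
            return "DROP", "echo disabled"
        if pkt.dst in (protected.network_address, protected.broadcast_address):
            return "DROP", "echo to network/broadcast address (smurf)"
        return "ACCEPT", "echo"
    return "DROP", "type not on allow list"


def build_packet(src: str, dst: str, icmp_type: int, code: int = 0, payload: bytes = b"",
                 mf: bool = False, frag_offset: int = 0) -> bytes:
    """Hand-build an IPv4+ICMP datagram (checksums left zero; constructed test data)."""
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + payload
    flags_frag = (0x2000 if mf else 0) | (frag_offset & 0x1FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, flags_frag, 64, 1, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + icmp


PROTECTED = ipaddress.IPv4Network("192.168.1.0/24")  # assumed subnet behind the firewall

SAMPLES = {  # constructed packets, one per policy branch
    "redirect":       build_packet("10.0.0.1", "192.168.1.10", ICMP_REDIRECT, code=1),
    "dest_unreach":   build_packet("10.0.0.1", "192.168.1.10", ICMP_DEST_UNREACH, code=3,
                                   payload=b"\x45" + b"\x00" * 27),
    "time_exceeded":  build_packet("10.0.0.1", "192.168.1.10", ICMP_TIME_EXCEEDED),
    "unreach_bulky":  build_packet("10.0.0.1", "192.168.1.10", ICMP_DEST_UNREACH, code=3,
                                   payload=b"X" * 1000),
    "echo_host":      build_packet("10.0.0.1", "192.168.1.10", ICMP_ECHO_REQUEST, payload=b"A" * 56),
    "echo_broadcast": build_packet("10.0.0.1", "192.168.1.255", ICMP_ECHO_REQUEST),
    "echo_network":   build_packet("10.0.0.1", "192.168.1.0", ICMP_ECHO_REQUEST),
    "echo_fragment0": build_packet("10.0.0.1", "192.168.1.10", ICMP_ECHO_REQUEST,
                                   payload=b"A" * 1472, mf=True),
    "echo_fragment1": build_packet("10.0.0.1", "192.168.1.10", ICMP_ECHO_REQUEST, frag_offset=185),
    "timestamp":      build_packet("10.0.0.1", "192.168.1.10", 13),
}


def classify_samples(allow_echo: bool = True,
                     max_error_payload: Optional[int] = 576) -> Dict[str, str]:
    """Run every sample through the filter; returns sample name -> verdict."""
    return {name: filter_icmp(parse_ipv4_icmp(raw), PROTECTED, allow_echo, max_error_payload)[0]
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:15s} {verdict}")
```

Two points worth noticing when running it: a non-first fragment carries no ICMP header at all, so a type-based rule can never classify it and the fragment check has to come first; and the broadcast check must use the firewall's own notion of the protected subnet, since the packet itself says nothing about which addresses are directed broadcasts.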