On Wed, Nov 28, 2001 at 06:17:27PM -0300, Kurt Seifried wrote:

> No. No you must not. I have several machines blocking all ICMP, they work as servers and clients just fine. It's not the most polite thing to do, but then most people no longer run identd either.
>
> -Kurt
>
> ----- Original Message -----
> From: "Mauricio Latorre" <mlatorre@novared.cl>
>
> > Be careful! it's a REALLY BAD IDEA to block all the ICMP traffic!!! You MUST allow the traffic for destination-unreachable, port-unreachable, fragmentation-needed, time-exceeded, etc...
Ok, more in detail. If you know exactly what is going on in your local network, you can block all ICMP messages. But I prefer allowing ICMP type 3 messages on local networks at minimum.

If we are speaking of a gateway to other networks, i.e. the internet, you should at minimum allow ICMP type 3/code 4 messages (fragmentation needed but don't-fragment bit set). A lot of firewalls outside are filtering this type of message, causing problems on path MTU discovery, especially in Germany for ADSL users.

wob

-- 
<wob@swobspace.de> * http://www.swobspace.de
* Linux is like a Wigwam: no Windows, no Gates, Apache inside. *
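To make the type 3/code 4 point concrete, here is an added example (not from any poster in this thread) that builds and parses an ICMP "fragmentation needed" message as laid out in RFC 792/1191, applies a small filter policy in the spirit of the two positions above (block everything vs. let at least type 3/code 4 through), and simulates what a sender doing path MTU discovery sees in each case. The packet bytes, the link MTUs (1492 is the usual PPPoE/ADSL MTU) and the role names `local`, `gateway` and `block-all` are all constructed for the example.

```python
import struct

# ICMP type/code values from RFC 792 / RFC 1191
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4      # code under type 3: "fragmentation needed and DF set"
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"               # pad odd-length data for the last word
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(typ: int, code: int, rest: int, payload: bytes) -> bytes:
    """Build an 8-byte ICMP header (type, code, checksum, 4 'rest' bytes) plus payload."""
    unused, last16 = (rest >> 16) & 0xFFFF, rest & 0xFFFF
    body = struct.pack("!BBHHH", typ, code, 0, unused, last16) + payload
    csum = icmp_checksum(body)
    return struct.pack("!BBHHH", typ, code, csum, unused, last16) + payload


def build_frag_needed(next_hop_mtu: int, original_datagram: bytes) -> bytes:
    """Constructed type 3/code 4 message: bytes 6-7 carry the next-hop MTU (RFC 1191)."""
    return build_icmp(ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, next_hop_mtu, original_datagram)


def parse_icmp(packet: bytes) -> dict:
    """Validate the checksum and decode the header; expose next_hop_mtu for type 3/code 4."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    if icmp_checksum(packet) != 0:    # a valid packet sums to zero including its checksum
        raise ValueError("bad ICMP checksum")
    typ, code, _csum, _unused, last16 = struct.unpack("!BBHHH", packet[:8])
    info = {"type": typ, "code": code, "payload": packet[8:]}
    if typ == ICMP_DEST_UNREACH and code == ICMP_FRAG_NEEDED:
        info["next_hop_mtu"] = last16
    return info


def filter_decision(icmp: dict, role: str) -> str:
    """Toy ICMP policy. Roles (assumed names): 'block-all' drops every ICMP message,
    'gateway' admits only type 3/code 4, 'local' admits all of type 3."""
    typ, code = icmp["type"], icmp["code"]
    if role == "block-all":
        return "DROP"
    if typ == ICMP_DEST_UNREACH and code == ICMP_FRAG_NEEDED:
        return "ACCEPT"               # needed everywhere, or PMTUD breaks
    if role == "local" and typ == ICMP_DEST_UNREACH:
        return "ACCEPT"
    return "DROP"


def discover_path_mtu(initial_len: int, link_mtus: list, firewall_role: str):
    """Simulate PMTUD: the sender emits DF datagrams of initial_len; the first link
    too small to carry one answers with type 3/code 4 and its MTU. If the firewall
    between that router and the sender drops the reply, the sender only sees silence
    (a PMTU black hole) and this returns None."""
    size = initial_len
    while True:
        for mtu in link_mtus:
            if size > mtu:
                # constructed router reply quoting the first bytes of the dropped datagram
                reply = build_frag_needed(mtu, b"\x45\x00" + bytes(26))
                info = parse_icmp(reply)
                if filter_decision(info, firewall_role) != "ACCEPT":
                    return None       # black hole: nothing ever reaches the sender
                size = info["next_hop_mtu"]
                break
        else:
            return size               # datagram fits every link on the path


if __name__ == "__main__":
    path = [1500, 1492, 1500]         # constructed path with one PPPoE-sized link
    print("gateway policy  ->", discover_path_mtu(1500, path, "gateway"))
    print("block-all policy->", discover_path_mtu(1500, path, "block-all"))
```

With the `gateway` policy the sender learns the 1492-byte path MTU from the type 3/code 4 reply; with `block-all` the same datagram is silently lost on every retry, which is the black-hole behaviour wob describes for ADSL users behind over-zealous filters.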