On Wed, Nov 28, 2001 at 06:17:27PM -0300, Kurt Seifried wrote:
No. No you must not. I have several machines blocking all ICMP, they work as servers and clients just fine. It's not the most polite thing to do, but then most people no longer run identd either.
-Kurt
----- Original Message -----
From: "Mauricio Latorre"
Be careful! It's a REALLY BAD IDEA to block all the ICMP traffic!!! You MUST allow the traffic for destination-unreachable, port-unreachable, fragmentation-needed, time-exceeded, etc...
Ok, more in detail. If you know exactly what is going on in your local network, you can block all ICMP messages. But I prefer allowing ICMP type 3 messages on local networks at minimum.
If we are speaking of a gateway to other networks, i.e. the internet, you should at minimum allow ICMP type 3/code 4 messages (fragmentation needed but don't-fragment bit set).
A lot of firewalls outside are filtering this type of message, causing problems with path MTU discovery, especially in Germany for ADSL users.
wob
--
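An added example, not from any of the posters: a small Python filter that implements the minimum wob describes. It decodes the ICMP header, verifies the checksum, accepts only type 3 and type 11 messages, and for type 3/code 4 reads the next-hop MTU field that path MTU discovery depends on. The allowed-type set and the sample messages are my own constructions.

```python
import struct

# Minimum set a gateway should pass, as an assumption drawn from the thread:
# type 3 (destination unreachable: code 3 port unreachable, code 4
# fragmentation needed) and type 11 (time exceeded). Everything else dropped.
ALLOWED_TYPES = {3, 11}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 when run over a valid full message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp(msg: bytes) -> dict:
    """Decode type/code, verify the checksum, and pull the next-hop MTU
    that a type 3/code 4 message carries in header bytes 6-7 (RFC 1191)."""
    if len(msg) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _ = struct.unpack("!BBH", msg[:4])
    info = {"type": icmp_type, "code": code,
            "checksum_ok": icmp_checksum(msg) == 0}
    if icmp_type == 3 and code == 4:
        info["next_hop_mtu"] = struct.unpack("!H", msg[6:8])[0]
    return info

def filter_decision(msg: bytes) -> str:
    """Policy from the thread: drop malformed messages and anything outside
    ALLOWED_TYPES, so PMTU discovery keeps working through the gateway."""
    info = parse_icmp(msg)
    if not info["checksum_ok"]:
        return "DROP"
    return "ACCEPT" if info["type"] in ALLOWED_TYPES else "DROP"

def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes) -> bytes:
    """Assemble a constructed ICMP message with a correct checksum."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(body)) + rest + payload

# Constructed sample messages, not captured traffic. The quoted IP header that
# follows the 8-byte ICMP header is abbreviated to a version/IHL byte plus zeros.
QUOTED_HDR = b"\x45" + b"\x00" * 27
FRAG_NEEDED = build_icmp(3, 4, struct.pack("!HH", 0, 1492), QUOTED_HDR)  # MTU 1492: PPPoE ADSL
TIME_EXCEEDED = build_icmp(11, 0, b"\x00" * 4, QUOTED_HDR)
ECHO_REQUEST = build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"ping")
```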