From my understanding, no normal ICMP packet is above the standard Ethernet
MTU.  Granted, if it's going over a slip connection it might.  But it would
be a good idea to deny timestamp_request and addressmask_request from
untrusted hosts.

-----Original Message-----
From: Sorin Florea [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 23, 2000 9:31 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: ICMP fragments.



        I should have mentioned that I work for an ISP and I can't stop
echo requests.  
        If someone sends an ICMP packet large enough I believe it will be
fragmented. While tcpdump-ing on one of my router's interfaces I saw
something like that but it stopped fast so I couldn't get "a closer look".
I suppose it was the ending of a flood.

-------------------------
 Sorin Florea 
 e-mail: [EMAIL PROTECTED]
 Romania Data Systems
 Constanta
-------------------------

On Fri, 23 Jun 2000 [EMAIL PROTECTED] wrote:

> On 23 Jun, Sorin Florea wrote:
> > 
> >     Is there any reason to let ICMP fragments pass through my firewall?
> >     I think ipchains with -f option will kill them but only beginning
> > with the second. 
> >     I'm also blockin' ICMP protocol unreachable and port unreachable.
> > What other ICMP packets can I safely block?
> >     Thanks.
> > 
> > -------------------------
> >  Sorin Florea 
> >  e-mail: [EMAIL PROTECTED]
> >  Romania Data Systems
> >  Constanta
> > -------------------------
> >     
> > 
> > 
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> > 
> 
> .....  ICMP "fragments"?  I wasn't aware they existed...
> 
> You can block echo requests, timestamp requests, and address-mask
> requests.  In fact, you _should_ block those.
> 
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
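
The thread's two points (an ICMP message larger than the Ethernet MTU is fragmented, and a fragment rule such as ipchains -f only matches from the second fragment on) can be seen in this added example, which is not part of any message above. It assumes a 1500-byte MTU, an option-less IPv4 header and constructed documentation addresses; the function names are hypothetical.

```python
import struct

IP_HDR_LEN = 20        # IPv4 header without options
MF = 0x2000            # "more fragments" flag
OFFSET_MASK = 0x1FFF   # fragment offset field, counted in 8-byte units

def echo_request(data_len: int) -> bytes:
    """Constructed ICMP echo request: type 8, code 0, checksum left at 0."""
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + bytes(data_len)

def fragment(icmp_message: bytes, mtu: int = 1500):
    """Split one ICMP message into IPv4 packets that fit the MTU."""
    step = (mtu - IP_HDR_LEN) // 8 * 8   # payload per fragment, multiple of 8
    packets = []
    for start in range(0, len(icmp_message), step):
        chunk = icmp_message[start:start + step]
        more = MF if start + step < len(icmp_message) else 0
        header = struct.pack(
            "!BBHHHBBH4s4s",
            0x45, 0, IP_HDR_LEN + len(chunk), 0x1234,
            more | (start // 8), 64, 1, 0,   # protocol 1 = ICMP, checksum 0
            bytes([192, 0, 2, 1]),           # constructed source address
            bytes([198, 51, 100, 1]))        # constructed destination address
        packets.append(header + chunk)
    return packets

def classify(packet: bytes):
    """Return (is_non_first_fragment, icmp_type or None) for one IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    offset = struct.unpack("!H", packet[6:8])[0] & OFFSET_MASK
    if offset != 0:
        # Second and later fragments: this is what a fragment rule matches.
        # They carry no ICMP header, so a rule on ICMP type cannot match them.
        return True, None
    # First or only fragment: the ICMP type is visible, a fragment rule
    # that keys on a non-zero offset does not match it.
    return False, packet[ihl]

if __name__ == "__main__":
    for data_len in (56, 1472, 4000):
        results = [classify(p) for p in fragment(echo_request(data_len))]
        print(data_len, "bytes of echo data ->", results)
```

With 1472 bytes of echo data the packet is exactly 1500 bytes and stays whole; anything larger produces a first fragment that still shows type 8 and trailing fragments that only a fragment rule can catch.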
