On Tue, Jul 11, 2000 at 01:12:30PM +0800, Ronneil Camara wrote:
> > -----Original Message-----
> > From: Network Operations [mailto:[EMAIL PROTECTED]]
> > Sent: Saturday, July 08, 2000 5:31 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: IP Spoofing
> >
> >
> > Why do you even want the "attackers" address? You shouldn't
> > allow ICMP traffic in through your firewall in the first place.
> >
> > If your network design is broken, don't blame people for
> > taking advantage of you. Thank them for pointing out your
> > weaknesses, fix your gear, and be done with it.
> Will HTTP traffic still flow even if we block ICMP traffic at the firewall?
Yes...
> Does HTTP also use TCP?
Also? HTTP is a TCP protocol, so I guess so. I don't know of
anything else it uses.
> Are there any disadvantages when I block ICMP traffic on my
> public/external interface?
Big time... If you block all ICMP you will break a thing called
MTU discovery which can hose up things seemingly at random. I tracked
several cases of people unable to browse my web server due to a hop which
failed to support MTU discovery and then something else broke when the
performance and fragmentation went in the dumper.
> How about advantages when we block ICMP traffic on
> the public/external interface?
Well... Blocking ICMP ECHO and ICMP ECHO_REPLY cuts out a major
communication channel for DDoS zombies. Does that count? That's a
REALLY GOOD THING. :-)
> Thanks in advance. :-)
To do things right, you really want ICMP UNREACHABLE WOULD_FRAGMENT
to pass through in order to make MTU discovery work. Just about anything
else ICMP is a win to pitch in the dumper.
> Ron
Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
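The filtering policy Mike describes, as an added example (not code from the list or from Mike): drop ICMP echo and echo-reply, let Destination Unreachable / Fragmentation Needed (type 3, code 4) through so Path MTU discovery keeps working, and read the next-hop MTU that message carries. All packet bytes below are constructed for the demo.

```python
"""Classify raw ICMP messages per the thread's advice: drop echo/echo-reply,
allow type 3 code 4 (fragmentation needed), drop the rest.  Example code, not
part of the original thread; sample packets are constructed."""
import struct

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO = 0, 3, 8
CODE_FRAG_NEEDED = 4   # the "UNREACHABLE WOULD_FRAGMENT" message from the mail


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length zero-padded).
    Over a message that already carries a correct checksum this returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message with a valid checksum (used only to build samples)."""
    hdr = struct.pack("!BBH", icmp_type, code, 0) + rest
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload


def classify_icmp(msg: bytes):
    """Return (verdict, reason); verdict is 'allow' or 'drop'."""
    if len(msg) < 8:
        return "drop", "truncated ICMP header"
    if icmp_checksum(msg) != 0:
        return "drop", "bad checksum"
    icmp_type, code = msg[0], msg[1]
    if icmp_type in (ICMP_ECHO, ICMP_ECHO_REPLY):
        return "drop", "echo/echo-reply blocked"
    if icmp_type == ICMP_DEST_UNREACH and code == CODE_FRAG_NEEDED:
        # RFC 1191: bytes 6-7 of the header hold the next-hop MTU that PMTUD needs
        next_hop_mtu = struct.unpack("!H", msg[6:8])[0]
        return "allow", f"frag-needed, next-hop MTU {next_hop_mtu}"
    return "drop", f"type {icmp_type} code {code} not needed"


# Constructed samples: an echo request, a frag-needed with MTU 1492, a time-exceeded.
ECHO_REQ = build_icmp(ICMP_ECHO, 0, struct.pack("!HH", 0x1234, 1), b"ping")
FRAG_NEEDED = build_icmp(ICMP_DEST_UNREACH, CODE_FRAG_NEEDED,
                         struct.pack("!HH", 0, 1492), b"\x45" * 28)
TIME_EXCEEDED = build_icmp(11, 0, b"\x00" * 4, b"\x45" * 28)
```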