> -----Original Message-----
> From: Michael H. Warfield [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 11, 2000 1:01 PM
> To: Ronneil Camara
> Cc: [EMAIL PROTECTED]
> Subject: Re: IP Spoofing
>
>
> > Will http traffic still flow even if we block icmp traffic
> at the firewall?
>
> Yes...
>
> > Does http also use tcp?
>
> Also? Http is a tcp protocol, so I guess so. I don't know of
> anything else it uses.
I got it the other way around. How about UDP?
>
> > Are there any disadvantage when I block icmp traffic on my
> > public/external interface?
>
> Big time... If you block all ICMP you will break a thing called
> MTU discovery which can hose up things seemingly at random. I tracked
> several cases of people unable to browse my web server due to a hop
> which failed to support MTU discovery and then something else broke
> when the performance and fragmentation went in the dumper.
>
> > How about advantage when we block icmp traffic on
> > the public/external interface?
>
> Well... Blocking ICMP ECHO and ICMP ECHO_REPLY cuts out a major
> communication channel for DDoS zombies. Does that count? That's a
> REALLY GOOD THING. :-)
What's the equal port number for ICMP ECHO & ICMP ECHO_REPLY?
>
> > Thanks in advance. :-)
>
> To do things right, you really want ICMP UNREACHABLE
> WOULD_FRAGMENT
> to pass through in order to make MTU discovery work. Just
> about anything
> else ICMP is a win to pitch in the dumper.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
I didn't get your last paragraph. :-(
Thanks.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
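The filtering policy Warfield describes (let ICMP "fragmentation needed" through so Path MTU discovery keeps working, drop echo/echo-reply and the rest) as an added, self-contained example that is not part of the thread. It decodes the ICMP header, verifies the RFC 792 checksum, and returns a verdict; the ICMP messages it runs on are constructed inline, and ICMP has no port numbers, only type and code fields.

```python
import struct

# ICMP type/code values from RFC 792 and RFC 1191
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
CODE_FRAG_NEEDED = 4   # "fragmentation needed and DF set"; carries next-hop MTU

def icmp_checksum(data: bytes) -> int:
    # One's-complement sum over 16-bit words; caller zeroes the checksum field
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    # Assemble an ICMP message with a valid checksum (used to build the samples)
    body = rest + payload
    csum = icmp_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body

def parse_icmp(pkt: bytes) -> dict:
    # Decode the 8-byte ICMP header and verify the checksum over the whole message
    if len(pkt) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    icmp_type, code, csum = struct.unpack("!BBH", pkt[:4])
    info = {"type": icmp_type, "code": code,
            "checksum_ok": icmp_checksum(pkt[:2] + b"\x00\x00" + pkt[4:]) == csum}
    if icmp_type == ICMP_DEST_UNREACH and code == CODE_FRAG_NEEDED:
        info["next_hop_mtu"] = struct.unpack("!H", pkt[6:8])[0]  # RFC 1191 field
    return info

def firewall_verdict(pkt: bytes) -> str:
    # Pass only "fragmentation needed" so PMTU discovery works; drop echo and the rest
    try:
        info = parse_icmp(pkt)
    except ValueError:
        return "DROP: malformed"
    if not info["checksum_ok"]:
        return "DROP: bad checksum"
    if info["type"] == ICMP_DEST_UNREACH and info["code"] == CODE_FRAG_NEEDED:
        return "ACCEPT: frag-needed, next-hop MTU %d" % info["next_hop_mtu"]
    if info["type"] in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return "DROP: echo (type %d)" % info["type"]
    return "DROP: icmp type %d code %d" % (info["type"], info["code"])

# Constructed sample messages, not real captures: unused field + MTU 1400, then
# the first 28 bytes of the "original" datagram; and an echo request id/seq + data
FRAG_NEEDED = build_icmp(ICMP_DEST_UNREACH, CODE_FRAG_NEEDED,
                         struct.pack("!HH", 0, 1400), b"\x45\x00" + b"\x00" * 26)
ECHO_REQUEST = build_icmp(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", 0x1234, 1), b"ping")
```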