Ian Smith <[email protected]> writes: > Dag-Erling Smørgrav <[email protected]> writes: > > Slight correction: dropping *all* ICMP is a bad idea. You can get by > > with just unreach. Add timex, echoreq and echorep for troubleshooting. > rc.firewall, phk@? has long recommended 3,4,11 as "essential" icmptypes. > Are there any negative security implications to including source quench?
See RFC 6633 (http://tools.ietf.org/html/rfc6633) and the literature it references, particularly RFC 5927 (http://tools.ietf.org/html/rfc5927). TL;DR: they were a bad idea to begin with, and nobody implements them anyway. DES -- Dag-Erling Smørgrav - [email protected] _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[email protected]"
