On Wed, 13 Feb 2013 09:28:00 +0100, Dag-Erling Smørgrav wrote:
> Ian Smith <[email protected]> writes:
> > Dag-Erling Smørgrav <[email protected]> writes:
> > > Slight correction: dropping *all* ICMP is a bad idea. You can get by
> > > with just unreach. Add timex, echoreq and echorep for troubleshooting.
> > rc.firewall, phk@? has long recommended 3,4,11 as "essential" icmptypes.
> > Are there any negative security implications to including source quench?
>
> See RFC 6633 (http://tools.ietf.org/html/rfc6633) and the literature it
> references, particularly RFC 5927 (http://tools.ietf.org/html/rfc5927).
> TL;DR: they were a bad idea to begin with, and nobody implements them
> anyway.
Fair enough, thanks for the refs, I'm just so out of date .. still
chewing on the second and I have a nice fresh icmp-parameters.txt
cheers, Ian
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"
