In article <[EMAIL PROTECTED]>,
Anders K. Pedersen <[EMAIL PROTECTED]> wrote:
>Glynn Clements wrote:
>> Personally I suggest allowing the following ICMP types:
>> 
>>          0      Echo Reply
>>          3      Destination Unreachable
>>         11      Time Exceeded
>>         12      Parameter Problem
>> 
>> and dropping the rest (you must allow ICMP type 3).
>
>Why must type 3 be allowed?
>Wouldn't it make it harder to do portscans and similar things, if one drops all
>outgoing "Destination Unreachable" packets?

If you block Destination Unreachable, you also block all the type 3
subtypes:

/* Codes for UNREACH. */
#define ICMP_NET_UNREACH        0       /* Network Unreachable          */
#define ICMP_HOST_UNREACH       1       /* Host Unreachable             */
#define ICMP_PROT_UNREACH       2       /* Protocol Unreachable         */
#define ICMP_PORT_UNREACH       3       /* Port Unreachable             */
#define ICMP_FRAG_NEEDED        4       /* Fragmentation Needed/DF set  */
#define ICMP_SR_FAILED          5       /* Source Route failed          */
#define ICMP_NET_UNKNOWN        6
#define ICMP_HOST_UNKNOWN       7
#define ICMP_HOST_ISOLATED      8
#define ICMP_NET_ANO            9
#define ICMP_HOST_ANO           10
#define ICMP_NET_UNR_TOS        11
#define ICMP_HOST_UNR_TOS       12
#define ICMP_PKT_FILTERED       13      /* Packet filtered */
#define ICMP_PREC_VIOLATION     14      /* Precedence violation */
#define ICMP_PREC_CUTOFF        15      /* Precedence cut off */
#define NR_ICMP_UNREACH         15      /* instead of hardcoding immediate value */

ICMP_FRAG_NEEDED especially is essential for path MTU discovery - please
read http://www.worldgate.com/~marcs/mtu/ for more understanding.

Path MTU discovery is an integral part of the Internet. However, since
M$ NT sends packets with DF on by default, many clueless firewall
administrators block all ICMP, and a lot of layer 4 load balancing switches
are broken wrt sending ICMP_FRAG_NEEDED back to the source (like
www.google.com!), so nobody will notice one more site being severely broken.

The "September that never ended" effect has extended to most network
administrators as well, I guess. Oh well.

Mike.
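The point of the exchange above is that "allow type 3" means all sixteen
codes, and that code 4 (Fragmentation Needed/DF set) carries the next-hop
MTU the sender must honour. The following program is an added example, not
code from the thread or from the Linux kernel: it applies the quoted
allow-list (types 0, 3, 11, 12) to a raw ICMPv4 message, verifies the RFC
1071 checksum, and pulls the MTU out of octets 6-7 of a type 3/code 4
message as specified in RFC 1191. The ICMP_* names mirror the kernel
header; the 8-byte messages it builds are constructed test input (real
type 3 messages also carry the original IP header plus 8 payload bytes
after the ICMP header), and verdict_for, mtu_reported_for and
corrupted_is_dropped are helper names invented for this example.

```c
/*
 * Added example (not from the original post or the kernel): apply the
 * quoted ICMPv4 allow-list to a raw ICMP message and, for type 3 / code 4,
 * extract the next-hop MTU from octets 6-7 (RFC 1191).
 * Messages built by build_icmp() are constructed test input only.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ICMP_ECHOREPLY      0
#define ICMP_DEST_UNREACH   3
#define ICMP_REDIRECT       5
#define ICMP_ECHO           8
#define ICMP_TIME_EXCEEDED 11
#define ICMP_PARAMETERPROB 12
#define ICMP_FRAG_NEEDED    4   /* code under type 3 */

enum verdict { DROP = 0, ACCEPT = 1 };

/* RFC 1071 one's-complement checksum over the whole ICMP message. */
static uint16_t icmp_checksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((buf[i] << 8) | buf[i + 1]);
    if (len & 1)
        sum += (uint32_t)buf[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Filter decision for one ICMP message (buf points just past the IP header). */
int icmp_allowed(const uint8_t *buf, size_t len)
{
    if (len < 8)
        return DROP;                 /* every ICMP message has an 8-byte header */
    if (icmp_checksum(buf, len) != 0)
        return DROP;                 /* a valid message sums to zero incl. checksum */
    switch (buf[0]) {
    case ICMP_ECHOREPLY:
    case ICMP_DEST_UNREACH:          /* all codes 0..15, including 4 = Frag Needed */
    case ICMP_TIME_EXCEEDED:
    case ICMP_PARAMETERPROB:
        return ACCEPT;
    default:
        return DROP;                 /* echo request, redirect, timestamp, ... */
    }
}

/* Next-hop MTU from a type 3 / code 4 message; 0 for any other message. */
unsigned icmp_frag_needed_mtu(const uint8_t *buf, size_t len)
{
    if (len < 8 || buf[0] != ICMP_DEST_UNREACH || buf[1] != ICMP_FRAG_NEEDED)
        return 0;
    return (unsigned)((buf[6] << 8) | buf[7]);
}

/* Build a constructed 8-byte ICMP header with a correct checksum.
 * rest_hi/rest_lo fill octets 4-5 and 6-7 (type 3 code 4: unused, MTU). */
void build_icmp(uint8_t out[8], uint8_t type, uint8_t code,
                uint16_t rest_hi, uint16_t rest_lo)
{
    out[0] = type;  out[1] = code;  out[2] = 0;  out[3] = 0;
    out[4] = rest_hi >> 8;  out[5] = rest_hi & 0xff;
    out[6] = rest_lo >> 8;  out[7] = rest_lo & 0xff;
    uint16_t c = icmp_checksum(out, 8);
    out[2] = c >> 8;  out[3] = c & 0xff;
}

/* Convenience wrappers (names invented here) to probe the policy. */
int verdict_for(uint8_t type, uint8_t code)
{
    uint8_t p[8];
    build_icmp(p, type, code, 0, 0);
    return icmp_allowed(p, 8);
}

unsigned mtu_reported_for(uint16_t mtu)
{
    uint8_t p[8];
    build_icmp(p, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, mtu);
    return icmp_allowed(p, 8) == ACCEPT ? icmp_frag_needed_mtu(p, 8) : 0;
}

int corrupted_is_dropped(void)
{
    uint8_t p[8];
    build_icmp(p, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 1400);
    p[7] ^= 0x01;                    /* flip one bit: checksum no longer matches */
    return icmp_allowed(p, 8) == DROP;
}

int main(void)
{
    printf("type 3/code 4 (frag needed): %s, MTU %u\n",
           verdict_for(ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED) ? "ACCEPT" : "DROP",
           mtu_reported_for(1400));
    printf("type 8 (echo request):       %s\n",
           verdict_for(ICMP_ECHO, 0) ? "ACCEPT" : "DROP");
    printf("type 5 (redirect):           %s\n",
           verdict_for(ICMP_REDIRECT, 0) ? "ACCEPT" : "DROP");
    return 0;
}
```

A production filter would additionally match the original datagram quoted
inside the type 3 message against an existing connection (what iptables
does with its RELATED state) rather than trusting the type alone; the
example stops at the type/code decision and the MTU field because that is
what the thread is about.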