Jeffrey Goldberg wrote:
If, as you say, ICMP is needed for smooth network operation, then a default deny policy (which still makes sense) should specifically open those up.
Yes, you need to pass through at least the various types of "unreachable" messages, or else you get strange behaviour varying from long time-outs when sites are down to certain sites that are not reachable to you while they are perfectly reachable for others (due to issues with determination of MTU).
Aside from that, it is indeed quite common to get "administratively blocked" ICMP messages when you run an NTP server.
Those are just ignorant users. They have set up an NTP client but have not allowed incoming NTP in their firewall. They don't notice that their clock is not being synced.
Won't such people have a setup where they allow incoming packets related to outgoing packets? Doesn't that work well enough for UDP? Or is there more that I am failing to understand?
Well, there may be all kinds of reasons for problems, but notice in my previous mail that I needed to trace only for 16 seconds to get the first instance of this problem. So it is quite common, even though it should be detected by the system's owner.
Rob
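As an added illustration of the policy discussed in this exchange (it is not part of the thread and not anyone's actual configuration), here is an nftables ruleset for a host that runs an NTP server: default deny on input, with the ICMP error types that TCP and UDP depend on passed through explicitly, and a log rule that makes the "administratively prohibited" replies from badly firewalled clients visible. The table and chain names, the log prefix and the rate limits are my choices; the only assumptions are a Linux host with nftables and an NTP service on UDP port 123.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread: input policy for a host running an NTP
# server. Load with: nft -f ntp-host.nft
#
# A bare "ct state established,related accept" already matches ICMP errors
# that conntrack can tie to a tracked flow. The explicit ICMP rules below also
# cover errors conntrack cannot match (the flow entry has expired, or the
# error concerns traffic this box only forwards); dropping those is what
# produces the long time-outs and MTU black holes described above.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept

        # Detection, placed before the ct rule so it still fires when the
        # error is matched as "related": a client's firewall refused our NTP
        # reply and something answered with "communication administratively
        # prohibited" (ICMP type 3, code 13). The log shows which clients
        # believe they are synced but are not. Rate-limited to avoid flooding.
        icmp type destination-unreachable icmp code admin-prohibited limit rate 5/minute log prefix "ntp-reply-admin-prohibited: "

        ct state established,related accept
        ct state invalid drop

        # The service this host offers (assumption: NTP on UDP/123).
        udp dport 123 accept

        # ICMPv4 errors needed for correct operation: destination-unreachable
        # carries "fragmentation needed" (path MTU discovery) and "port
        # unreachable"; time-exceeded turns TTL failures into a fast error
        # instead of a long time-out.
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept

        # Echo requests are not needed for operation; rate-limit instead of
        # dropping so the host still answers ping during diagnosis.
        icmp type echo-request limit rate 10/second accept

        # ICMPv6: the same error classes, plus the neighbour discovery
        # messages without which an IPv6 host cannot reach its router.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert, nd-redirect } accept
        icmpv6 type echo-request limit rate 10/second accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

The weak variant that causes the symptoms in the thread is the same ruleset with every `icmp`/`icmpv6` rule removed: the `policy drop` then silently discards "fragmentation needed", so connections to sites behind a smaller-MTU link hang while they work fine from hosts that pass ICMP. Watching the kernel log for the `ntp-reply-admin-prohibited:` prefix gives a quick count of clients that, as Rob describes, have configured an NTP client but not opened their own firewall for the replies.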
_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers