-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

That is kind of the opposite way to look at it... Block ALL ICMP and then allow:

echo reply
source quench
destination unreachable
(and time exceeded if you use traceroute a lot)

This just lets a response come back when you ping a host, lets routers tell you you are sending too much traffic and that your destination is unreachable, and the Time Exceeded I left open to get responses when doing a traceroute.

Carric Dooley
Network Security Consultant

"A little inaccuracy sometimes saves a ton of explanation."
- H. H. Munro (Saki) (1870-1916)

----- Original Message -----
From: <wwebbat_private>
To: <firewall-wizardsat_private>
Sent: Tuesday, January 11, 2000 7:18 PM
Subject: Blocking ICMP with ipchains

> I've heard that it is not wise to block all ICMP operations. Such
> being the case, which of these ICMP operations are safe to block
> without causing serious problems:
>
> echo-reply (pong)
> destination-unreachable
> network-unreachable
> host-unreachable
> protocol-unreachable
> port-unreachable
> fragmentation-needed
> source-route-failed
> network-unknown
> host-unknown
> network-prohibited
> host-prohibited
> TOS-network-unreachable
> TOS-host-unreachable
> communication-prohibited
> host-precedence-violation
> precedence-cutoff
> source-quench
> redirect
> network-redirect
> host-redirect
> TOS-network-redirect
> TOS-host-redirect
> echo-request (ping)
> router-advertisement
> router-solicitation
> time-exceeded (ttl-exceeded)
> ttl-zero-during-transit
> ttl-zero-during-reassembly
> parameter-problem
> ip-header-bad
> required-option-missing
> timestamp-request
> timestamp-reply
> address-mask-request
> address-mask-reply
>
> Thanks for any assistance.
>

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1 for non-commercial use <http://www.pgp.com>

iQA/AwUBOH9WheuEoPqp8SMeEQJO2QCgj7yC219XFbuUBGuWbQp1E7hX8ywAoMsW
UzFROSC1kouTn7ca8+wHQnCH
=BU8q
-----END PGP SIGNATURE-----
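The "block all ICMP, then allow a few replies" policy from the reply above, written out as an ipchains ruleset. This is an added example, not Carric's own configuration; it assumes the rules go on the `input` chain and that the ICMP type names are the ones ipchains itself accepts (the list quoted in the question). The rules are printed rather than executed so they can be reviewed first.

```shell
#!/bin/sh
# Added example: the policy from the message above as ipchains rules.
# Assumptions: chain "input"; ICMP type names as listed by `ipchains -h icmp`.

# ICMP types allowed back in. destination-unreachable matches every code of
# that type, including fragmentation-needed (path-MTU discovery) and
# port-unreachable (replies to UDP traceroute); time-exceeded is what each
# traceroute hop sends back.
ALLOWED_ICMP="echo-reply source-quench destination-unreachable time-exceeded"

# Emit the ruleset instead of applying it, so it can be reviewed or diffed
# against the live chain before going in.
icmp_rules() {
    for t in $ALLOWED_ICMP; do
        echo "ipchains -A input -p icmp --icmp-type $t -j ACCEPT"
    done
    # Everything else (inbound echo-request, redirects, router-advertisement,
    # timestamp and address-mask queries) is dropped; -l logs each hit.
    echo "ipchains -A input -p icmp -j DENY -l"
}

# Number of rules produced: four ACCEPTs plus the catch-all DENY.
icmp_rule_count() {
    icmp_rules | wc -l | tr -d ' '
}

# Return 0 if the given ICMP type name would be accepted by this policy.
icmp_allowed() {
    for t in $ALLOWED_ICMP; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# To apply on an ipchains kernel as root:  icmp_rules | sh
```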
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:57:41 PDT