>How could blocking all ICMP cause a problem? I have worked with two rather
>large networks that blocked all ICMP at the router level. Were we just lucky
>not to have any problems?

I guess. That, or you didn't need the services that you ended up breaking.

If you don't accept ICMP unreachables, traceroute won't work. For other standard ICMP unreachable stuff, you'll eventually time out instead of getting immediate notification.

You'll also break MTU path discovery, which will prevent you from communicating with a number of sites. One that I've encountered of that sort that is popular is Hotmail. I'm only aware of Solaris machines having this on by default. These ICMP messages are particularly ugly, too, since they can legitimately come from any router between you and the host you're talking to, so there's no way to predict what IP address they'll come from; you have to let 'em all in.

Ryan
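The filtering decision discussed above, as an added example that is not part of the original post: a border filter that selects inbound ICMPv4 by type and code rather than by source address, passing destination unreachable (including the "fragmentation needed" message path MTU discovery depends on) and time exceeded, and dropping the rest. The function names, the verdict format and the sample packets are assumptions constructed for illustration.

```python
import struct

# ICMPv4 types that must get through (RFC 792 numbering).
DEST_UNREACHABLE = 3   # includes code 4, "fragmentation needed" (RFC 1191)
TIME_EXCEEDED = 11     # sent by intermediate routers; traceroute relies on it
FRAG_NEEDED = 4

def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify(icmp: bytes) -> dict:
    """Decide whether an inbound ICMP message should pass the filter."""
    if len(icmp) < 8:
        return {"action": "drop", "reason": "truncated"}
    if checksum(icmp) != 0:  # a valid message sums to zero with its checksum
        return {"action": "drop", "reason": "bad checksum"}
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type == DEST_UNREACHABLE:
        verdict = {"action": "accept", "reason": "destination unreachable"}
        if code == FRAG_NEEDED:
            verdict["reason"] = "fragmentation needed (path MTU discovery)"
            verdict["next_hop_mtu"] = mtu  # RFC 1191 next-hop MTU field
        return verdict
    if icmp_type == TIME_EXCEEDED:
        return {"action": "accept", "reason": "time exceeded (traceroute)"}
    return {"action": "drop", "reason": "ICMP type %d not allowed" % icmp_type}

def build(icmp_type: int, code: int, rest: int, payload: bytes) -> bytes:
    """Construct a sample ICMP message with a valid checksum (test input)."""
    body = struct.pack("!BBHI", icmp_type, code, 0, rest) + payload
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

# Constructed samples; 28 zero bytes stand in for the quoted IP header + 8 bytes.
QUOTED = bytes(28)
FRAG = build(3, 4, 1400, QUOTED)          # router reports next-hop MTU 1400
TTL = build(11, 0, 0, QUOTED)             # TTL expired in transit
ECHO = build(8, 0, 0x00010001, b"ping")   # echo request, dropped by policy
```

A stateful firewall can tighten this further by accepting these error messages only when the quoted header inside them matches a connection the host actually opened.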
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:57:58 PDT