Do not block unreachable or you will break PMTUD. http://lost-carrier.org/why-disabling-icmp-unreachables-is-a-bad-thing/
These ones are okay to block for IPv4:

icmp-type info-request
icmp-type info-reply
icmp-type mask-request
icmp-type mask-reply
icmp-type redirect
icmp-type router-advertisement
icmp-type router-solicit
icmp-type timestamp
icmp-type timestamp-reply

On Wed, Apr 09, 2014 at 05:19:54AM -0700, Harri Makela wrote:
> Hi Guys
>
> Do you have any recommendations to block certain ICMP packets on internet
> facing devices as part of security compliance i.e.
>
> icmp-type unreachable
> icmp-type mask-reply
>
> Few devices are J6350
>
> admin@J6350# show security
> ssh-known-hosts {
>     host x.x.x.x {
>         rsa-key xx
>     }
>     host x.x.x.x {
>         rsa-key xx
>     }
> }
> alg {
>     dns disable;
>     ftp disable;
>     h323 disable;
>     mgcp disable;
>     msrpc disable;
>     sunrpc disable;
>     real disable;
>     rsh disable;
>     rtsp disable;
>     sccp disable;
>     sip disable;
>     sql disable;
>     talk disable;
>     tftp disable;
>     pptp disable;
> }
> forwarding-options {
>     family {
>         inet6 {
>             mode packet-based;
>         }
>         mpls {
>             mode packet-based;
>         }
>     }
> }
> flow {
>     allow-dns-reply;
>     tcp-session {
>         no-syn-check;
>         no-syn-check-in-tunnel;
>         no-sequence-check;
>     }
> }
>
> http://www.juniper.net/techpubs/software/junos-es/junos-es92/junos-es-swconfig-security/understanding-ip-address-sweeps.html
>
> Others are MX80
>
> admin@MX80# show security
> ssh-known-hosts {
>     host x.x.x.x {
>         rsa-key xx
>     }
>     host x.x.x.x {
>         rsa-key xx
>     }
> }
>
> Looking for a brief document as per JUNOS recommendation really. Any advice
> will be highly appreciated.
>
> Thanks
> HM

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
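The advice in the reply, expressed as a Junos stateless firewall filter (an added example, not configuration posted in the thread or taken from Juniper documentation). It discards only the IPv4 ICMP types the reply lists as safe to block and explicitly accepts the types that path MTU discovery and ordinary error signalling depend on. The filter name `EDGE-ICMP-IN`, the counter name and the interface `ge-0/0/0` are assumptions; adjust them to the internet-facing interface on the device. It is `family inet` only, so it does not touch ICMPv6.

```junos
firewall {
    family inet {
        filter EDGE-ICMP-IN {
            /* Keep these: unreachable (incl. fragmentation-needed, used by PMTUD),
               time-exceeded and parameter-problem are error reports the stack needs. */
            term keep-icmp-errors {
                from {
                    protocol icmp;
                    icmp-type [ unreachable time-exceeded parameter-problem ];
                }
                then accept;
            }
            /* The legacy/informational types the reply says are fine to drop on IPv4. */
            term drop-legacy-icmp {
                from {
                    protocol icmp;
                    icmp-type [ info-request info-reply mask-request mask-reply
                                redirect router-advertisement router-solicit
                                timestamp timestamp-reply ];
                }
                then {
                    count dropped-legacy-icmp;   /* visible in "show firewall" for monitoring */
                    discard;
                }
            }
            /* Everything else (echo, TCP, UDP, ...) falls through to normal processing. */
            term default-accept {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input EDGE-ICMP-IN;   /* assumed internet-facing interface */
                }
            }
        }
    }
}
```

After committing, `show firewall filter EDGE-ICMP-IN` shows the `dropped-legacy-icmp` counter so the discards can be watched without affecting the accepted `unreachable` messages.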