On Tue, 30 Jul 2002, Vladimir I. wrote:

> [EMAIL PROTECTED] wrote about "Re: [leaf-user] traceroute through Bering
> firewall":
> > > > Why, is there a specific danger to allowing ICMP packets from your internal
> > > > network to the firewall box?
> > >
> > > There are some hacks based on ICMP like the icmp redirect message.
> > So is there a specific danger to allow this from your internal network?
> > I don't know depends on how much you trust the people on your internal network
> > I suppose.
>
> Be careful when you're blocking ICMP. It breaks Path MTU
> discovery.
>

The assertion in an earlier post that Bering blocks all ICMP except type 8
was FUD. By default, Shorewall still allows a sane set of ICMP packet types
to pass when the policy is DROP or REJECT.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
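
The difference between the two filtering approaches discussed in this thread, as an added example that is not part of the original messages and is not Shorewall code: it parses ICMPv4 headers and compares an "echo-request only" policy with a broader allow set. Both sets, all function names and the sample packets are assumptions constructed for illustration; the broader set is not Shorewall's actual default list.

```python
import struct

# Two illustrative ICMPv4 policies, keyed by ICMP type (assumed for this example).
TYPE8_ONLY = {8}          # drop everything except echo-request
SANE_SET = {0, 3, 8, 11}  # echo-reply, dest-unreachable, echo-request, time-exceeded

def parse_icmp(packet: bytes) -> dict:
    """Parse the 8-byte ICMPv4 header (checksum is not verified here)."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _cksum, rest = struct.unpack("!BBHI", packet[:8])
    info = {"type": icmp_type, "code": code}
    if (icmp_type, code) == (3, 4):
        # "Fragmentation needed": the low 16 bits carry the next-hop MTU
        # (RFC 1191). Path MTU discovery depends on receiving this message.
        info["next_hop_mtu"] = rest & 0xFFFF
    return info

def verdict(packet: bytes, allowed_types: set) -> str:
    """Return ACCEPT or DROP; malformed packets are always dropped."""
    try:
        info = parse_icmp(packet)
    except ValueError:
        return "DROP"
    return "ACCEPT" if info["type"] in allowed_types else "DROP"

def make(icmp_type: int, code: int, rest: int = 0) -> bytes:
    """Build a constructed ICMP header (checksum left as zero)."""
    return struct.pack("!BBHI", icmp_type, code, 0, rest)

# Constructed sample messages, not captured traffic.
SAMPLES = {
    "echo-request": make(8, 0),
    "frag-needed (PMTUD)": make(3, 4, 1400),
    "time-exceeded (traceroute)": make(11, 0),
    "redirect": make(5, 1),
}

def compare() -> dict:
    """Map each sample to its (TYPE8_ONLY, SANE_SET) verdicts."""
    return {name: (verdict(p, TYPE8_ONLY), verdict(p, SANE_SET))
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (strict, sane) in compare().items():
        print(f"{name:28} type8-only={strict:6} sane-set={sane}")
```

Under the type-8-only policy the fragmentation-needed and time-exceeded messages are dropped, which is what breaks Path MTU discovery and traceroute; the redirect message is dropped under both policies.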
