2013/10/11 Claudio Jeker <cje...@diehard.n-r-g.com>:
> On Fri, Oct 11, 2013 at 08:44:36AM +0600, ???? ??????? wrote:
>> 2013/10/10 Philip Guenther <guent...@gmail.com>:
>> > On Thu, Oct 10, 2013 at 4:30 AM, ???? ??????? <chipits...@gmail.com> wrote:
>> >> I use ntp already.
>> >
>> > So everyone can predict what your machine would have sent in response
>> > to an ICMP timestamp query, meaning that turning it off doesn't hide
>> > anything.
>> >
>> >
>> >> I am about to switch icmp timestamps off (security people are afraid
>> >> of that setting),
>> >
>> > Cargo cult security.
>>
>> it is known behavior of security people.
>>
>> >
>> >
>> >> just curious what was the purpose of it.
>> >
>> > Oddly enough, the RFC that defines it (RFC792) has a reference about that.
>>
>> by "purpose" I mean common use scenarios, like
>>
>> "we enable ssh by default, because it is used in routine
>> administration and automation tasks, not because of RFC"
>>
>> "we enable icmp destination unreachable, because it is used commonly
>> in PMTU mechanisms, not because it is mentioned in some RFC"
>>
>> or you enable everything found in RFC ? you must be odd if so. I am
>> not that odd.
>>
>
> The better question is why block it? What is the attack vector?
> You start with ICMP timestamps, next you block ICMP echo then all of ICMP
> and by that break the internet. I waste way too much time with situations
> where I can't debug network issues because people block important internet
> control messages. So if there is not a well known threat (e.g. source
> routing or the famous IPv6 rtr-0 header) it should not be disabled just
> for a bit of a warm fuzzy feeling.


"icmp dest unreach, frag required" (3/4) is very important, I'm not
going to block it. kinda fed up with poorly configured networks as
well.
"icmp echo request/reply", i.e. ping/pong is also important, when
people do not see ping response, they believe host is down.
I'm also not going to block it.

actually, I'm not going to block icmp at all, I was curious why
net.inet.icmp.tstamprepl=1 by default.


>
> --
> :wq Claudio
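An added example, not from the thread, that encodes and decodes the RFC 792 timestamp message (types 13/14, the reply controlled by net.inet.icmp.tstamprepl) and works through the point made above: on an NTP-synced host the receive/transmit fields are just milliseconds since midnight UTC, so anyone can predict them from their own clock. All packet bytes and times are constructed, not captured.

```python
import struct
from datetime import datetime, timezone

ICMP_TIMESTAMP = 13        # RFC 792 Timestamp request
ICMP_TIMESTAMP_REPLY = 14  # RFC 792 Timestamp reply
HEADER = "!BBHHHIII"       # type, code, checksum, id, seq, originate, receive, transmit

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a message carrying a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ms_since_midnight_utc(when: datetime) -> int:
    """RFC 792 timestamp value: milliseconds since midnight UTC (the 'standard' form)."""
    when = when.astimezone(timezone.utc)
    midnight = when.replace(hour=0, minute=0, second=0, microsecond=0)
    return int((when - midnight).total_seconds() * 1000)

def build_timestamp_reply(ident: int, seq: int, originate: int, receive: int, transmit: int) -> bytes:
    """What a host with tstamprepl=1 sends back: echoed originate, its own receive/transmit."""
    msg = struct.pack(HEADER, ICMP_TIMESTAMP_REPLY, 0, 0, ident, seq, originate, receive, transmit)
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]

def parse_timestamp_reply(pkt: bytes) -> dict:
    """Decode a type-14 message, rejecting bad length, checksum, type or code."""
    if len(pkt) < 20:
        raise ValueError("short ICMP timestamp message")
    if icmp_checksum(pkt[:20]) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _, ident, seq, orig, recv, xmit = struct.unpack(HEADER, pkt[:20])
    if typ != ICMP_TIMESTAMP_REPLY or code != 0:
        raise ValueError("not a timestamp reply")
    return {"id": ident, "seq": seq, "originate": orig, "receive": recv, "transmit": xmit}

def clock_offset_ms(reply: dict, sent_at: datetime, received_at: datetime) -> int:
    """Target clock minus requester clock, NTP-style ((t2-t1)+(t3-t4))/2, symmetric path assumed.
    Close to 0 for an NTP-synced target: the reply carried nothing the requester could not
    already compute from its own clock."""
    t1 = ms_since_midnight_utc(sent_at)
    t4 = ms_since_midnight_utc(received_at)
    return ((reply["receive"] - t1) + (reply["transmit"] - t4)) // 2
```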
