On Wed, 25 Apr 2007 20:19:42 +0000 (UTC) Tobias Weingartner <[EMAIL PROTECTED]> wrote:
> Chad M Stewart wrote:
> > On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
> > >
> > > pass in inet proto icmp all icmp-type $icmp_types keep state
> >
> > This can be used as a covert communication channel. Allowing
> > internal IPs to send/receive ping is bad.
>
> Bull. Not allowing ICMP is just as bad. Worse actually, as you
> are violating RFCs. Quit spreading this FUD.

hi,

actually, me thinks the same about allowing/denying ICMP as you, tobias.

however, we recently had a CCIE/NSA certified blahblah guy in our company, tuning our, err, Cizcoooeee equipment. guess what he did -- he violated 'the RFCs'.

unfortunately, i wasn't able to find them on the net. do you have them handy? i'm very curious about that :)

tia,

--
Timo Schoeler | http://riscworks.net/~tis | [EMAIL PROTECTED]
RISCworks -- Perfection is a powerful message
Ex-ISP | RISC aficionados | Networking, Security, BSD services
GPG Key fingerprint = 76E0 BEAF 762A BD1B 383C F88C EBCF 6DDF D87F CDF0

You can fly away to the end of the world
But where does it get you to? (Tennant/Lowe)
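The rule quoted in the thread, placed in a pf.conf fragment that actually defines the `$icmp_types` macro it references. This is an added illustration, not a configuration posted by anyone in the thread; the chosen type lists and the per-source state cap are assumptions.

```pf
# Added illustration of the quoted rule; macro contents and limits are
# assumptions, not a configuration from the thread.

# ICMP types a host needs to see to behave correctly: echo request
# (ping) and destination unreachable (path MTU discovery depends on it).
icmp_types = "{ echoreq, unreach }"

# ICMPv6 equivalents; ICMPv6 also carries neighbor discovery, so it is
# listed explicitly rather than blocked wholesale.
icmp6_types = "{ echoreq, unreach, toobig, neighbrsol, neighbradv }"

# The rule from the thread, kept stateful so only replies to tracked
# requests are admitted, with a cap on tracked states per source host.
pass in inet proto icmp all icmp-type $icmp_types \
    keep state (max-src-states 100)
pass in inet6 proto icmp6 all icmp6-type $icmp6_types \
    keep state (max-src-states 100)

# Syntax-check without loading:  pfctl -nf /etc/pf.conf
```

Stateful tracking limits an echo-based covert channel to what a tracked request/reply pair can carry, and the state cap bounds how many such pairs one source can keep open; it does not make ICMP payloads inspected.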