On 18-03-07 21:40, Jeffrey Goldberg wrote:
> On Mar 18, 2007, at 12:20 PM, Rob Janssen wrote:
> Because I failed to understand (and I still don't really get it) what  
> ICMP packets are for (other than echo), and because I didn't see an  
> immediate problems with the blocks, I just stuck with my default deny  
> policy for ICMP until this discussion.

There are (amongst others) several 'unreachable' return packets. Based on
those, for example, your web browser can give you feedback almost
immediately. If you block those packets, your browser will notice a
time-out, retry, and so on, several times. Finally it will give you some kind
of 'unreachable' feedback, but it takes much longer.


> If, as you say, ICMP is needed for smooth network operation, then a
> default deny policy (which still makes sense) should specifically
> open those up.

>> Those are just ignorant users.  They have set up an NTP client but have
>> not allowed incoming NTP in their firewall.  They don't notice that
>> their clock is not being synced.
> 
> Won't such people have a set up where they allow incoming packets  
> related to outgoing packets?

Not all firewalls do this. Some are really just packet filters for which you
have to set up rules in both directions.


Arnold &:-)

_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers

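As an added illustration (not part of Arnold's message or of the list archive): a toy Python model of the two firewall types discussed above. A plain packet filter with a default-deny policy and only an outbound NTP rule silently drops the NTP reply, and drops the ICMP 'destination unreachable' that would have told the client something is wrong; a filter with connection tracking admits the reply as ESTABLISHED and the ICMP error as RELATED because the error quotes the header of the request that caused it. All hosts, ports and packets are constructed sample data, and the conntrack logic is a simplified sketch of the idea, not any particular firewall's code.

```python
"""Toy packet filter: stateless rules versus stateful connection tracking.

Illustrates two points from the thread:
  1. A plain packet filter needs explicit rules in both directions, so an
     NTP client behind a default-deny policy never sees its replies.
  2. ICMP error messages (e.g. destination unreachable) belong to the flow
     that triggered them; a stateful filter can admit them as RELATED
     without a blanket "allow all ICMP" rule.
All addresses, ports and packets below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

Tuple5 = Tuple[str, str, str, int, int]   # (proto, src, dst, sport, dport)
ICMP_DEST_UNREACHABLE = 3                  # ICMP type 3


@dataclass(frozen=True)
class Packet:
    proto: str            # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # 0 for icmp
    dport: int = 0
    icmp_type: int = -1
    icmp_code: int = -1
    inner: Optional[Tuple5] = None   # ICMP errors quote the header of the offending packet

    def tuple5(self) -> Tuple5:
        return (self.proto, self.src, self.dst, self.sport, self.dport)


def reverse(t: Tuple5) -> Tuple5:
    proto, src, dst, sport, dport = t
    return (proto, dst, src, dport, sport)


@dataclass(frozen=True)
class Rule:
    direction: str                   # "out" or "in"
    proto: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, pkt: Packet, direction: str) -> bool:
        if direction != self.direction or pkt.proto != self.proto:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        return True


class StatelessFilter:
    """Default deny: a packet passes only if a rule for its direction matches."""
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, pkt: Packet, direction: str) -> str:
        return "ACCEPT" if any(r.matches(pkt, direction) for r in self.rules) else "DROP"


class StatefulFilter(StatelessFilter):
    """Same rules plus a connection-tracking table (simplified sketch)."""
    def __init__(self, rules):
        super().__init__(rules)
        self.conntrack = set()        # 5-tuples of accepted outbound flows

    def state(self, pkt: Packet, direction: str) -> str:
        if direction == "in":
            if reverse(pkt.tuple5()) in self.conntrack:
                return "ESTABLISHED"
            if pkt.proto == "icmp" and pkt.inner in self.conntrack:
                return "RELATED"      # error refers to a flow we started
        return "NEW"

    def decide(self, pkt: Packet, direction: str) -> str:
        if self.state(pkt, direction) in ("ESTABLISHED", "RELATED"):
            return "ACCEPT"
        verdict = super().decide(pkt, direction)
        if verdict == "ACCEPT" and direction == "out" and pkt.proto != "icmp":
            self.conntrack.add(pkt.tuple5())
        return verdict


CLIENT, SERVER, ROUTER = "192.0.2.10", "203.0.113.5", "198.51.100.1"   # constructed
RULES = [Rule("out", "udp", dport=123)]                  # the "NTP client only" setup
# What a stateless filter needs instead: rules in both directions, plus ICMP type 3.
STATELESS_FIXED = RULES + [Rule("in", "udp", sport=123),
                           Rule("in", "icmp", icmp_type=ICMP_DEST_UNREACHABLE)]


def ntp_scenario(flt) -> dict:
    """Run one NTP exchange through a filter and report the verdicts."""
    request = Packet("udp", CLIENT, SERVER, 50123, 123)
    reply = Packet("udp", SERVER, CLIENT, 123, 50123)
    # Port unreachable from a router on the path, quoting our request header.
    unreachable = Packet("icmp", ROUTER, CLIENT, icmp_type=3, icmp_code=3,
                         inner=request.tuple5())
    # Unsolicited ICMP error quoting a packet we never sent.
    stray = Packet("icmp", "198.51.100.77", CLIENT, icmp_type=3, icmp_code=3,
                   inner=("udp", CLIENT, "198.51.100.77", 40000, 53))
    return {"request": flt.decide(request, "out"),
            "reply": flt.decide(reply, "in"),
            "unreachable": flt.decide(unreachable, "in"),
            "stray": flt.decide(stray, "in")}


if __name__ == "__main__":
    for name, flt in [("stateless", StatelessFilter(RULES)),
                      ("stateful", StatefulFilter(RULES)),
                      ("stateless+fixed rules", StatelessFilter(STATELESS_FIXED))]:
        print(name, ntp_scenario(flt))
```

The third run shows the caveat of doing this without state: to let the useful ICMP error through, the stateless ruleset has to admit every ICMP type 3 packet, including the stray one, because it cannot tell which errors refer to flows the host actually started.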