On Tuesday 25 February 2003 1:53 pm, David Batho wrote:
> 3. ICMP checks - that no one is pinging your machine. (deny ICMP packets)

Ohh dear, deny ICMP and cause heartache?

First, read RFC1191, and familiarise yourself with pMTUd.

The amount of people who go by the name of "network engineers" and think it's good to block ICMP really really need shooting, with a shotgun, from 2 metres away.

This is part of the problem we're slowly seeing on the internet, things are getting worse and worse as people try to make their networks more "secure", it's breaking more than it's fixing. The number of people who don't know what they are doing, but claim to be "network engineers", or "network security experts" and don't have a single clue about what happens in the TCP/IP stack is most scary.

You realise that blocking ICMP breaks connectivity to a relatively large proportion of the internet, unless they have forced mss to a certain size, something which many providers who offer services through GRE are now having to do? (and in a way, breaking things, but not as badly).

Next time you go and type 'iptables -I INPUT/FORWARD -p icmp -j REJECT/DROP', (*especially* on a server) think again - you are breaking things, badly.

Instead, run off, and read rfc1191.

My work life has all headaches because people do things they don't know about, and have no idea what breaks when they do it...

 ~ Theo

-- 
Theo Zourzouvillys <theo@xxxxxxxxxxxxxxxx>
<http://theo.me.uk/>
---------------------------------------
/"\  ASCII Ribbon Campaign against HTML
\ /  email and proprietary format
 X   attachments.
/ \
---------------------------------------

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the
message body to unsubscribe.
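
Added example, not part of the original message: a shell check that reads `iptables-save` output and flags any rule that drops or rejects all ICMP before the chain has accepted ICMP type 3 code 4 (fragmentation needed), the message RFC 1191 path MTU discovery depends on. The function names and both rule sets are constructed for illustration, and treating an earlier RELATED accept as sufficient is a heuristic assumption.

```shell
# Added example. Function names are hypothetical; rule sets are constructed.

# audit_icmp: read iptables-save text on stdin; report rules that DROP/REJECT
# all ICMP with no earlier ACCEPT for type 3 code 4 (fragmentation needed) in
# the same chain. Returns 1 if any such rule is found, 0 otherwise.
audit_icmp() {
    awk '
    BEGIN { bad = 0 }
    $1 != "-A" { next }
    { chain = $2; icmp = ($0 ~ /-p icmp( |$)/); typed = ($0 ~ /--icmp-type /) }
    # Earlier ACCEPTs that let fragmentation-needed through: all ICMP, all of
    # type 3, type 3 code 4, or a conntrack/state RELATED match (heuristic).
    /-j ACCEPT/ && icmp && !typed { ok[chain] = 1 }
    /-j ACCEPT/ && /--icmp-type (3|3\/4|destination-unreachable|fragmentation-needed)( |$)/ { ok[chain] = 1 }
    /-j ACCEPT/ && /RELATED/ && !/-p (tcp|udp)( |$)/ { ok[chain] = 1 }
    /-j (DROP|REJECT)/ && icmp && !typed && !ok[chain] {
        printf "%s: blanket ICMP block, PMTUD will break: %s\n", chain, $0
        bad = 1
    }
    END { exit bad }
    '
}

# Constructed sample: the blanket block quoted in the message.
weak_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j DROP
-A FORWARD -p icmp -j DROP
COMMIT
EOF
}

# Constructed sample: pings still dropped, but 3/4 and time-exceeded (11) pass.
fixed_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -j DROP
COMMIT
EOF
}

weak_rules | audit_icmp || true
```

On a live host the same function can be fed with `iptables-save | audit_icmp`; it covers IPv4 rules only.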