
Valdis.Kletnieks@vt.edu wrote:
On Sun, 28 Sep 2008 17:43:00 CDT, "Laurence F. Sheldon, Jr." said:
They apparently block ICMP as current best practice seems to require.
Ahem. Who said "block ICMP" is BCP? Yes, there's some ICMP things that you probably *should* block if they're to/from untrusted sources, but in particular, host/net unreachable ICMP shouldn't be blocked, and the next site I catch blocking "Frag Needed" I'm gonna get on a plane and re-educate them with a clue-by-four regarding what they're doing to PMTUD.
I've been inactive in the racket for a while but personally think blocking any ICMP from or to people you want to talk to is a mistake, but last I heard just about everybody was telling me to block _some_ ICMP or other for some mythical reason or other. And the more expensive consultants (considering TCO) and most of the "firewall" experts were telling me to block them all.

-- 
Requiescas in pace o email           Two identifying characteristics
                                     of System Administrators:
Ex turpi causa non oritur actio      Infallibility, and the ability to
                                     learn from their mistakes.
Eppure si rinfresca
ICBM Targeting Information: http://tinyurl.com/4sqczs
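To make the PMTUD point concrete, here is an added example (not code from either poster, and not part of the original thread): a small Python model of RFC 1191 Path MTU Discovery with a filter sitting between the routers and the sender. The hop MTUs, the two filter policies and the retry limit are constructed for illustration; the ICMP type/code numbers and the plateau table are the real ones from RFC 792 and RFC 1191. It shows the symptom people actually hit: small datagrams get through under either policy, while a full-size datagram reaches its destination only when "Frag Needed" (type 3, code 4) is allowed back to the sender, and silently black-holes when all ICMP is dropped.

```python
"""Toy model of Path MTU Discovery (RFC 1191) behind an ICMP filter.

Added example, not code from the thread. Hop MTUs, the filter policies and
the retry limit are constructed for illustration; the ICMP type/code
numbers and the plateau table are the real ones from RFC 792 / RFC 1191.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ICMP_DEST_UNREACH = 3
CODE_FRAG_NEEDED = 4        # type 3 / code 4: "fragmentation needed and DF set"
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11

# RFC 1191 section 7.1 plateau table, used when a router reports no next-hop MTU.
PLATEAUS = [65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68]


@dataclass(frozen=True)
class Icmp:
    type: int
    code: int
    next_hop_mtu: int = 0   # only meaningful for type 3 / code 4; 0 = legacy router


@dataclass
class Path:
    """Hop MTUs from sender to receiver, in order (constructed topology)."""
    mtus: List[int]
    reports_mtu: bool = True   # False models a pre-RFC 1191 router that sends MTU = 0

    def forward(self, size: int) -> Optional[Icmp]:
        """Forward a DF-set datagram. None = delivered, else the ICMP a router emits."""
        for mtu in self.mtus:
            if size > mtu:
                return Icmp(ICMP_DEST_UNREACH, CODE_FRAG_NEEDED,
                            next_hop_mtu=mtu if self.reports_mtu else 0)
        return None


IcmpFilter = Callable[[Icmp], bool]   # True = deliver the ICMP to the sender


def block_all_icmp(_: Icmp) -> bool:
    """The 'block them all' policy from the thread."""
    return False


def pmtud_friendly(msg: Icmp) -> bool:
    """Drop inbound probes (echo request, etc.) but pass the error messages
    that PMTUD (type 3) and traceroute (type 11) depend on."""
    return msg.type in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED)


def send_with_pmtud(path: Path, size: int, icmp_filter: IcmpFilter,
                    local_mtu: int = 1500, max_retries: int = 3) -> Tuple[bool, int, int]:
    """Sender side of RFC 1191: DF set, shrink on Frag Needed, give up after retries.

    Returns (delivered, segment_size_used, icmp_messages_received).
    """
    pmtu = local_mtu
    icmp_seen = 0
    retries = 0
    while True:
        segment = min(size, pmtu)
        reply = path.forward(segment)
        if reply is None:
            return True, segment, icmp_seen
        if not icmp_filter(reply):
            # The filter ate the Frag Needed: the sender sees only silence and retransmits.
            retries += 1
            if retries >= max_retries:
                return False, segment, icmp_seen    # PMTUD black hole
            continue
        icmp_seen += 1
        if reply.next_hop_mtu > 0:
            pmtu = reply.next_hop_mtu               # shrink to the advertised next-hop MTU
        else:
            # Legacy router gave no MTU: step down the plateau table instead.
            pmtu = next((p for p in PLATEAUS if p < segment), 68)


if __name__ == "__main__":
    path = Path([1500, 1400, 1280])   # e.g. a tunnel or PPPoE hop somewhere mid-path
    for name, policy in (("block all ICMP", block_all_icmp), ("pass type 3/11", pmtud_friendly)):
        for size in (1200, 1500):
            print(f"{name:15s} size={size}: {send_with_pmtud(path, size, policy)}")
```

The `pmtud_friendly` policy is the shape of rule Valdis is asking for: filter what you like at the edge, but let destination-unreachable (type 3, which includes code 4 "Frag Needed") and time-exceeded (type 11) reach the hosts that sent the original datagram; a stateful filter that only admits ICMP errors related to existing flows gives the same result with less exposure.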