[Courses] [Security] Firewall theory -- general

coldfire rolick571 at duq.edu
Wed Mar 13 15:02:14 EST 2002


> 	One thing we might want to consider is ICMP.  Do we want people
> to be able to ping us?  To traceroute to our servers?  We should make
> sure we don't break Path MTU discovery; that causes connection problems.

i'll mention now just for the sake of example .. on my very strict
firewall script, i only accept three types of ICMP messages.  i currently
accept ping replies, host unreachables, and network unreachables.
accepting ping replies is important if i would like to ping someone and
see the reply.  this doesn't mean that anyone is allowed to ping me.  the
other two are very important for the operation of TCP.  we can get into
that later :)


coldie
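
The three-type allow-list described in the message above, run against constructed ICMP headers; this is an added example, not the poster's firewall script. It assumes the rules match on exact ICMP type and code (RFC 792 numbering) with no stateful tracking, and it includes the "fragmentation needed" message (type 3, code 4) that the quoted Path MTU discovery concern depends on, so its verdict under this policy is visible.

```python
import struct

# Allow-list from the message, as exact (type, code) pairs. Assumption: no
# stateful/RELATED rule sits in front of it.
ALLOWED = {
    (0, 0): "echo reply",
    (3, 0): "network unreachable",
    (3, 1): "host unreachable",
}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type, code, rest=b"\x00" * 4, payload=b""):
    """Build a constructed ICMP message with a valid checksum (sample input)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def decide(packet: bytes):
    """Return (verdict, reason) for one inbound ICMP message."""
    if len(packet) < 8:
        return "DROP", "truncated ICMP header"
    if inet_checksum(packet) != 0:  # a valid message sums to zero
        return "DROP", "bad checksum"
    icmp_type, code = packet[0], packet[1]
    name = ALLOWED.get((icmp_type, code))
    if name is None:
        return "DROP", f"type {icmp_type} code {code} not on allow-list"
    return "ACCEPT", name

# Constructed samples (identifier 0x1234, sequence 1, next-hop MTU 1400 are made up).
SAMPLES = {
    "reply to our ping": build_icmp(0, 0, struct.pack("!HH", 0x1234, 1), b"abcdefgh"),
    "someone pinging us": build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"abcdefgh"),
    "network unreachable": build_icmp(3, 0),
    "host unreachable": build_icmp(3, 1),
    "fragmentation needed (PMTUD)": build_icmp(3, 4, struct.pack("!HH", 0, 1400)),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:30s} -> {decide(pkt)}")
```
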



