Re: Compare pf with IPTables
Our network administrators block ICMP all over the place at my day job.
They strut around and claim it is for "security". Fact is when a network
problem crops up it takes hours to track them down and even longer for
them to diagnose it without the basic tools that ICMP provides. Being
able to ping a host is nice and helps find problems fast. ICMP host
unreachable is also a much more meaningful answer than silence. Look up
the different ICMP packets, what they mean and why you use them and many
things will come clear.
We have yet to have a single "security" issue relating to ICMP. Denial
of service attacks keep our network people pretty busy with no ICMP
involved. All attacks have been against machines that could be found
using DNS to locate their IP address. Hey there you go, get rid of DNS,
ICMP and maybe ARP and you will have true security.
Received on Sun Jan 5 11:17:11 2003
This archive was generated by hypermail 2.1.8
: Wed Aug 23 2006 - 13:32:15 EDT