[MLB-WIRELESS] Firewall rule?

Craig Sanders cas at taz.net.au
Wed Aug 16 08:09:35 EST 2006


On Tue, Aug 15, 2006 at 07:04:59PM +1000, Jesse McNelis wrote:
> > Now what I need to know, is it quite ok to deny all requests for
> > the ICMP packet range? Will it harm any other services that I have
> > running?
>
> Generally it's not a problem. Just remember that you've done it. The
> most frustrating thing is trying to get two computers to talk over a
> wireless network. Using ping to test the connection and not getting
> replies and not being able to work out why.

wrong. it's more than just frustrating, blocking all ICMP packets is
brain-damaged.

it breaks, amongst other things, MTU path discovery (which requires
passage of ICMP Fragmentation Required packets). common symptom of this
is to see small packets (containing e.g. tiny emails, tiny web pages,
anything that fits entirely in a few hundred bytes) working OK but
timeout errors on larger packets (e.g. normal web traffic, ftp, email,
whatever).

for further details, see:

http://www.freelabs.com/~whitis/isp_mistakes.html

(this is excellent reading for anyone putting machines/routers/firewalls
on the internet, not just ISPs. full of very useful practical advice).

and

http://www.burgettsys.com/stories/56239/



blocking ICMP "echo" and ICMP "echo reply" (i.e. ping and ping response)
packets only is relatively harmless but it doesn't actually gain you
anything. if you're trying to block a ping flood then there's no point
in doing it on YOUR router - by the time it gets to your router, it has
already used up your bandwidth.



craig

-- 
craig sanders <cas at taz.net.au>           (part time cyborg)
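A ruleset that follows Craig's advice rather than the "deny all ICMP" approach, added here as an example and not taken from the post or from anything on the list: it accepts the ICMP types that Path MTU Discovery and ordinary error reporting depend on, rate-limits echo-request instead of dropping it outright, and includes a small check that rejects any ruleset where a blanket ICMP DROP comes before the fragmentation-needed ACCEPT. It assumes Linux iptables; the chain name, the rate-limit values and the sample bad ruleset are illustrative choices made for this example.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. IPv4 ICMP policy for a
# Linux router/host that keeps Path MTU Discovery working.
# Assumptions: iptables is available, rules go in the standard INPUT chain,
# and the echo-request rate limit (5/s, burst 10) is an illustrative value.

# Emit the rules as text first, so they can be reviewed (or linted below)
# before anything is applied.
icmp_rules() {
    cat <<'EOF'
iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -p icmp --icmp-type echo-reply -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j DROP
EOF
}
# Line 1 is the one that matters for PMTUD: type 3 code 4, "Fragmentation
# Needed". destination-unreachable (all of type 3) would also cover it, but
# listing it separately makes the intent obvious to whoever reads the rules.
# echo-reply is only accepted when conntrack saw our own outgoing ping.

# Lint: read a ruleset on stdin and return 0 only if the fragmentation-needed
# ACCEPT appears, and no blanket "-p icmp ... -j DROP" (one without an
# --icmp-type) precedes it. This catches the "deny all ICMP" mistake.
pmtud_safe() {
    awk '
        /-p icmp/ && /--icmp-type fragmentation-needed/ && /-j ACCEPT/ { ok = 1 }
        /-p icmp/ && !/--icmp-type/ && /-j DROP/ && !ok            { bad = 1 }
        END { exit (ok && !bad) ? 0 : 1 }
    '
}

# Apply only after the lint passes. Not called automatically; run it
# yourself as root once the printed rules look right.
apply_icmp_rules() {
    icmp_rules | pmtud_safe || { echo "refusing: ruleset breaks PMTUD" >&2; return 1; }
    icmp_rules | sh
}

# Stand-alone run: show the rules and the lint verdict, apply nothing.
icmp_rules
if icmp_rules | pmtud_safe; then
    echo "# lint: PMTUD-safe"
else
    echo "# lint: NOT PMTUD-safe"
fi
```

The same lesson applies even more strongly on IPv6: ICMPv6 carries Neighbor Discovery and Packet Too Big, so an ip6tables rule that drops all of `ipv6-icmp` breaks basic connectivity, not just large transfers.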


