faqs.org - Internet FAQ Archives

comp.security.unix and comp.security.misc frequently asked questions
Section - Should I block all ICMP at my firewall/router?



No.  You need to allow the "can't fragment" message through or you will lose
connectivity to some number of sites with wacky packet sizes on their local
nets (notably token ring).  See http://www.worldgate.com/~marcs/mtu/

Less crucially but still somewhat important, if you block the "destination
unreachable" message then you'll get timeouts, after a long wait, in some
cases when you could have received immediate "no route to host" messages.

But blocking some of the rest might not be a bad idea, especially "redirect".
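
The policy above, written out as a check over raw ICMPv4 messages. This is an added example, not part of the FAQ: the function names and sample packets are constructed here, the type and code numbers come from RFC 792 and RFC 1191, and dropping malformed messages is an assumption the FAQ does not state.

```python
import struct

ALLOW, BLOCK, OPERATOR = "allow", "block", "operator-choice"
DEST_UNREACH, REDIRECT = 3, 5   # ICMPv4 types (RFC 792)
FRAG_NEEDED = 4                 # code under type 3: the "can't fragment" message

def icmp_checksum(data: bytes) -> int:
    """Internet checksum; returns 0 when run over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4) -> bytes:
    """Build a constructed 8-byte ICMP header (sample input only)."""
    raw = struct.pack("!BBH", icmp_type, code, 0) + rest
    return raw[:2] + struct.pack("!H", icmp_checksum(raw)) + raw[4:]

def classify(msg: bytes) -> tuple:
    """Verdict for a raw ICMPv4 message with the IP header already stripped."""
    if len(msg) < 8 or icmp_checksum(msg) != 0:
        return BLOCK, "malformed"          # assumption, not stated in the FAQ
    icmp_type, code = msg[0], msg[1]
    if icmp_type == DEST_UNREACH and code == FRAG_NEEDED:
        mtu = struct.unpack("!H", msg[6:8])[0]   # RFC 1191 next-hop MTU, 0 on older routers
        return ALLOW, f"can't fragment, next-hop MTU {mtu}"
    if icmp_type == DEST_UNREACH:
        return ALLOW, f"destination unreachable, code {code}"
    if icmp_type == REDIRECT:
        return BLOCK, "redirect"
    # The FAQ only says blocking "some of the rest" may be sensible; left to the operator.
    return OPERATOR, f"type {icmp_type} not named in the FAQ"

# Constructed sample messages
SAMPLES = {
    "frag_needed": build_icmp(3, 4, struct.pack("!HH", 0, 1492)),
    "host_unreach": build_icmp(3, 1),
    "redirect": build_icmp(5, 1, bytes([192, 0, 2, 1])),
    "echo_request": build_icmp(8, 0, struct.pack("!HH", 1, 1)),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, classify(msg))
```
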
