On Mon, Mar 4, 2019 at 10:02 AM Mark Tinka <mark.tinka@seacom.mu> wrote:
> Can we make a short rule that says: For ICMP, *ALLOW* *ALL* unless you do have a very specific and motivated reason to block some types. I would even go as far as "allow all icmp from any to any" (and if possible as the first firewall rule), but I do understand that may make some people have hives.
Not to be the wet blanket, but we've been crying about this since before I knew what CLI meant, and it either didn't work or has gotten even worse. That is how we ended up with all manner of hacks to work around failure to reliably deliver PTB messages.
Not just ICMP but everything. We've designed these nice extendible protocols, but we've configured networks so that we can't extend them. Like why is QUIC riding on UDP, instead of having its own L4 protocol number? Because of HTTP/3, the majority of Internet traffic will be UDP, and due to its reflection potential in other applications that is not an obvious net win. We should just retire UDP with the status of 'trusted network only L4' and use something like QUIC for all untrusted L4 applications, where we've thought about issues like reflection.

-- 
++ytti
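The "failure to reliably deliver PTB messages" point above is easiest to see in code. The following is an added example, not from this thread or any of its posters: it parses a constructed ICMPv6 Packet Too Big message, runs it through two firewall policies (a blanket "drop all ICMP" versus the RFC 4890 section 4.3.1 must-not-drop list), and shows the path MTU the sending host ends up with in each case. The sample addresses (2001:db8::1 and 2001:db8::2), the 1280-byte next hop and the 1500-byte starting MTU are assumptions chosen for the demonstration; checksum validation is left out because the message is constructed rather than captured.

```python
"""Why 'block all ICMP' breaks IPv6 Path MTU Discovery (constructed example)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# RFC 4890 section 4.3.1: ICMPv6 messages a firewall must not drop.
# type -> (name, codes that must pass; None means every code)
MUST_NOT_DROP = {
    1: ("Destination Unreachable", None),
    2: ("Packet Too Big", None),
    3: ("Time Exceeded", {0}),
    4: ("Parameter Problem", {1, 2}),
    128: ("Echo Request", None),
    129: ("Echo Reply", None),
}

IPV6_MIN_MTU = 1280  # RFC 8200: every IPv6 link must carry 1280-byte packets


@dataclass
class Icmpv6Message:
    icmp_type: int
    code: int
    mtu: Optional[int]           # only meaningful for Packet Too Big
    invoking_dst: Optional[str]  # destination of the packet that triggered the error


def parse_icmpv6(payload: bytes) -> Icmpv6Message:
    """Parse an ICMPv6 header; for Packet Too Big also pull out the MTU and the
    destination address of the embedded (invoking) IPv6 header.
    Checksum validation is deliberately omitted (constructed sample data)."""
    if len(payload) < 8:
        raise ValueError("ICMPv6 header is at least 8 bytes")
    icmp_type, code, _checksum, rest = struct.unpack("!BBHI", payload[:8])
    mtu = invoking_dst = None
    if icmp_type == 2:
        mtu = rest                   # bytes 4..7 of a PTB carry the next-hop MTU
        body = payload[8:]
        if len(body) >= 40:          # full IPv6 header of the dropped packet
            invoking_dst = str(ipaddress.IPv6Address(body[24:40]))
    return Icmpv6Message(icmp_type, code, mtu, invoking_dst)


def firewall_decision(msg: Icmpv6Message, block_all_icmp: bool) -> str:
    """Return 'allow' or 'drop'. The blanket policy drops everything; the
    RFC 4890 policy passes the types PMTUD and reachability depend on and
    default-denies the rest."""
    if block_all_icmp:
        return "drop"
    entry = MUST_NOT_DROP.get(msg.icmp_type)
    if entry is None:
        return "drop"
    _name, codes = entry
    return "allow" if codes is None or msg.code in codes else "drop"


def apply_ptb(path_mtu: Dict[str, int], msg: Icmpv6Message) -> None:
    """Host-side PMTUD (RFC 8201): lower the cached path MTU for the
    destination named in the PTB, but never below the IPv6 minimum."""
    if msg.icmp_type != 2 or msg.invoking_dst is None:
        return
    new_mtu = max(msg.mtu, IPV6_MIN_MTU)
    path_mtu[msg.invoking_dst] = min(path_mtu.get(msg.invoking_dst, 1500), new_mtu)


def build_sample_ptb(dst: str, mtu: int) -> bytes:
    """Constructed ICMPv6 Packet Too Big: 8-byte header followed by the first
    40 bytes (the IPv6 header) of the TCP segment that exceeded the next-hop MTU."""
    src = ipaddress.IPv6Address("2001:db8::1").packed        # assumed sender
    # version 6, payload length 1460, next header 6 (TCP), hop limit 64
    invoking_ipv6 = struct.pack("!IHBB", 0x60000000, 1460, 6, 64) \
        + src + ipaddress.IPv6Address(dst).packed
    return struct.pack("!BBHI", 2, 0, 0, mtu) + invoking_ipv6


def simulate_pmtud(block_all_icmp: bool, dst: str = "2001:db8::2") -> int:
    """A host sends 1500-byte packets toward dst across a 1280-byte link and a
    router returns a PTB. Return the path MTU the host holds afterwards: 1280
    if the PTB got through, 1500 (a PMTU black hole) if the firewall ate it."""
    path_mtu = {dst: 1500}
    ptb = parse_icmpv6(build_sample_ptb(dst, mtu=1280))
    if firewall_decision(ptb, block_all_icmp) == "allow":
        apply_ptb(path_mtu, ptb)
    return path_mtu[dst]


if __name__ == "__main__":
    print("block all ICMP ->", simulate_pmtud(True), "(host keeps sending 1500-byte packets: black hole)")
    print("RFC 4890 rules ->", simulate_pmtud(False), "(host shrinks to the real path MTU)")
```

The detection angle is the same in production: a host whose large TCP segments vanish while small ones (and the handshake) succeed, with no Packet Too Big messages arriving, is the signature of the black hole the thread is complaining about, and the RFC 4890 list is the minimum a filter has to let through to avoid creating one.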