On Wed, 30 Jul 1997, Systems Engineer wrote:
Well ever since this bug was introduced to the outside world, I have since modified my present Firewall (ipfwadm v2.3.0) to accommodate.

type  prot  source     destination  ports
deny  icmp  0.0.0.0    0.0.0.255    any
deny  icmp  0.0.0.255  0.0.0.0      any

My rule is:

deny icmp 0.0.0.0 0.0.0.0 any

With perhaps specific permits above that for devices that I find have a legitimate need for ICMP (be it unreachables, or echo/echo reply). I was wondering more if there were a good reason, other than for dial-up users who may need connectivity checks, to allow any ICMP in, or ICMP to say anything more than a terminal server's address range and certain hosts. Hence my prior discussion on ping-mapping netblocks, and its lack of applicability to the number of hosts on my network.

Paul
-------------------------------------------------------------------------
Paul D. Robertson gatekeeper@gannett.com