In article <E0wy8DZ-0002RT-00@cronus.ccti.net>, Eric Wieling <eric@cronus.ccti.net> wrote:
We recently implemented outbound filters for our network. It's rather draconion, but it's effectiveand we've had no complaints yet. We allow outbound TCP, UDP, GRE, and outbound ICMP 0/0 (echo request) with source addresses on our network That's all. It does not eliminate ping floods, but at least the source address will be traceable to us. (Yes, our whois information is up to date 8-). Granted, that means that we don't send out TTL exceeded (so people can't traceroute into us), we don't send out destination, host, or network unreachable, so if people try to access a host/port/network that does not exist, they have to wait and wait for their local TCP stack to time out. It is my belief that people should not be pinging, tracerouting, into our network and that people should not be trying to access hosts that don't exist.
So, if you filter out all ICMP messages, do you also filter out ICMP unreachables? If so, you're also filtering the ICMP unreach/fragmentation needed message. Which means that MTU discovery doesn't work over your network. Which in turn means that lots of TCP stacks will not be able to connect to your network... Just FYI Mike. -- | Miquel van Smoorenburg | | | miquels@cistron.nl | Owners of digital watches, your days are numbered. | | PGP fingerprint: FE 66 52 4F CD 59 A5 36 7F 39 8B 20 F1 D6 74 02 |