Actually, any halfway decent firewall allows you to permit certain ICMP type codes while rejecting others. Not a perfect solution, but, for the most part, there aren't a lot of fragmentation-needed exploits running around. (In fact, I'm hard pressed to imagine how a Frag needed packet for an invalid session could do much of anything).

Owen

--On Wednesday, December 3, 2003 5:12 PM -0500 Sean Donelan <sean@donelan.com> wrote:
> You could drop ICMP packets at your firewall if the firewalls properly implemented stateful inspection of ICMP packets. The problem is few firewalls include ICMP responses in their stateful analysis. So you are left with two bad choices, permit "all" ICMP packets or deny "all" ICMP packets.
--
If it wasn't crypto-signed, it probably didn't come from me.
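The two approaches in this exchange, a per-type/code allowlist (Owen) and stateful matching of ICMP error messages against tracked sessions (Sean), can be shown together in a small filter. The following is an added example written for this page, not code from either poster or from any firewall product; it is plain Python rather than a vendor's rule syntax. The `Flow` record, the `icmp_decision` function, the session table and the packets (built inline with zeroed checksums, so they are constructed test data, not captures) are all this example's own assumptions. Echo request/reply pass unconditionally; "destination unreachable" (including code 4, fragmentation needed) and "time exceeded" pass only when the quoted inner header matches a connection the protected host actually opened, which is what makes a Frag-needed packet for an invalid session droppable without blocking ICMP wholesale.

```python
import struct
from dataclasses import dataclass

# Type/code pairs allowed without any state: echo request (8/0) and echo reply (0/0).
ALWAYS_ALLOW = {(8, 0), (0, 0)}
# ICMP error types that pass only when they refer to a tracked session:
# 3 = destination unreachable (code 4 = fragmentation needed), 11 = time exceeded.
STATEFUL_ERROR_TYPES = {3, 11}


@dataclass(frozen=True)
class Flow:
    """One outbound connection the firewall has seen (hypothetical session-table entry)."""
    proto: int
    src: str
    sport: int
    dst: str
    dport: int


def ipv4_header(src, dst, proto, payload_len):
    """20-byte IPv4 header with the checksum left zero (constructed test data only)."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, addr(src), addr(dst))


def parse_ipv4(data):
    """Return (header length, protocol, src, dst) from a raw IPv4 header."""
    ihl = (data[0] & 0x0F) * 4
    proto = data[9]
    src = ".".join(str(b) for b in data[12:16])
    dst = ".".join(str(b) for b in data[16:20])
    return ihl, proto, src, dst


def icmp_error_packet(router, host, itype, icode, in_src, in_dst, in_proto, sport, dport, mtu=1400):
    """ICMP error from `router` to `host` quoting the inner IP header plus 8 bytes of L4."""
    l4 = struct.pack("!HHI", sport, dport, 0)          # ports plus first 4 bytes of TCP seq
    inner = ipv4_header(in_src, in_dst, in_proto, len(l4)) + l4
    icmp = struct.pack("!BBHHH", itype, icode, 0, 0, mtu) + inner
    return ipv4_header(router, host, 1, len(icmp)) + icmp


def icmp_simple_packet(src, dst, itype, icode=0):
    """An 8-byte ICMP message (echo request/reply, or any type with no quoted header)."""
    icmp = struct.pack("!BBHHH", itype, icode, 0, 0x1234, 1)
    return ipv4_header(src, dst, 1, len(icmp)) + icmp


def icmp_decision(packet, sessions):
    """Return 'allow' or 'drop' for an inbound ICMP packet given the set of tracked Flows."""
    ihl, proto, src, dst = parse_ipv4(packet)
    if proto != 1:
        return "drop"                       # this filter judges ICMP only
    icmp = packet[ihl:]
    if len(icmp) < 8:
        return "drop"
    itype, icode = icmp[0], icmp[1]
    if (itype, icode) in ALWAYS_ALLOW:
        return "allow"                      # stateless allowlist, Owen's approach
    if itype not in STATEFUL_ERROR_TYPES:
        return "drop"                       # redirects, unknown types, etc.
    inner = icmp[8:]
    if len(inner) < 28:                     # need a full inner IPv4 header + 8 bytes of L4
        return "drop"
    in_ihl, in_proto, in_src, in_dst = parse_ipv4(inner)
    if in_proto not in (6, 17) or len(inner) < in_ihl + 4:
        return "drop"
    sport, dport = struct.unpack("!HH", inner[in_ihl:in_ihl + 4])
    # The quoted packet is one *we* sent, so its source must be the host receiving the error.
    if in_src != dst:
        return "drop"
    # Stateful check, Sean's point: the error must belong to a session we opened.
    return "allow" if Flow(in_proto, in_src, sport, in_dst, dport) in sessions else "drop"


# Constructed session table: the protected host 192.0.2.10 has one HTTPS connection open.
SESSIONS = {Flow(6, "192.0.2.10", 40000, "198.51.100.7", 443)}


def demo():
    """Judge four constructed packets; returns a name -> decision mapping."""
    cases = {
        # Frag-needed for the open session: a legitimate PMTU signal, should pass.
        "frag_needed_valid": icmp_error_packet("203.0.113.1", "192.0.2.10", 3, 4,
                                               "192.0.2.10", "198.51.100.7", 6, 40000, 443),
        # Same message but quoting a session that does not exist: dropped.
        "frag_needed_invalid": icmp_error_packet("203.0.113.1", "192.0.2.10", 3, 4,
                                                 "192.0.2.10", "198.51.100.9", 6, 40000, 443),
        "echo_request": icmp_simple_packet("203.0.113.1", "192.0.2.10", 8),
        "redirect": icmp_simple_packet("203.0.113.1", "192.0.2.10", 5),
    }
    return {name: icmp_decision(pkt, SESSIONS) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

A real firewall's connection tracker would also expire `SESSIONS` entries and check the inner TCP sequence number, which the 8 quoted bytes carry; the point here is only that the error's embedded header is what lets a stateful filter keep fragmentation-needed working for live sessions while dropping the rest.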