[time] icmp reachability?
Jeffrey Goldberg
jeffrey
Sun Mar 18 20:40:48 UTC 2007
On Mar 18, 2007, at 12:20 PM, Rob Janssen wrote:
> This made many block all ICMP packets, of course severely breaking their
> communications in the process.
> (usually without noticing it immediately)
I am guilty of this. I just took a default deny approach and applied
that to ICMP as well as TCP and UDP.
Because I failed to understand (and I still don't really get it) what
ICMP packets are for (other than echo), and because I didn't see any
immediate problems with the blocks, I just stuck with my default deny
policy for ICMP until this discussion.
So thanks to all who have participated in this discussion and helped
enlighten me.
If, as you say, ICMP is needed for smooth network operation, then a
default deny policy (which still makes sense) should specifically
open those up.
> Aside from that, it is indeed quite common to get "administratively
> blocked" ICMP messages when you run an NTP server.
> Those are just ignorant users. They have set up an NTP client but have
> not allowed incoming NTP in their firewall. They don't notice that
> their clock is not being synced.
Won't such people have a set up where they allow incoming packets
related to outgoing packets? Doesn't that work well enough for UDP?
Or is there more that I am failing to understand?
-j
--
Jeffrey Goldberg http://www.goldmark.org/jeff/
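An added example, not part of this message or of anything the pool list publishes, of what "default deny, but specifically open the ICMP the network needs" looks like as an nftables ruleset on a Linux host that runs an NTP client or server. It assumes nftables (`nft`) is available; the interface name and port 123 are the standard ones and nothing else is assumed. The "block everything" variant the thread warns about is described in a comment rather than given as a second ruleset.

```nftables
# Added example, not from the list post: a default-deny input policy that
# still admits the ICMP/ICMPv6 the network relies on, plus the replies to
# traffic this host initiated (for example its own outgoing NTP queries).
#
# The variant the thread warns against is this same ruleset with the two
# "icmp ... accept" lines removed: path-MTU discovery and unreachable
# reports then silently stop working, and the host no longer answers ping.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept

        # Replies to traffic this host opened, including UDP "flows" that
        # conntrack tracks (an NTP client's queries to port 123), and any
        # ICMP errors that refer to those flows.
        ct state established,related accept
        ct state invalid drop

        # Control messages needed for correct operation: error reports
        # (including "fragmentation needed" / "packet too big", which
        # path-MTU discovery depends on) and echo requests.
        icmp type { destination-unreachable, time-exceeded, parameter-problem, echo-request } accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } accept

        # Only needed when this host is an NTP *server*: clients' queries
        # arrive unsolicited, so the established,related rule alone would
        # not admit them. An NTP client does not need this line.
        udp dport 123 accept
    }
}
```

Save it to a file and check the syntax with `nft -c -f FILE` before loading it with `nft -f FILE`. The `ct state established,related accept` line is what answers the question at the end of the message: for a client, conntrack remembers the outgoing UDP query and lets the server's reply back in, so no inbound port-123 rule is needed; it is the server case, where the first packet of each exchange comes from outside, that needs the explicit `udp dport 123 accept`.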
More information about the pool mailing list