Firewall Wizards mailing list archives

Re: ICMP destination unreachable messages


From: "Steven M. Bellovin" <smb () research att com>
Date: Wed, 16 Apr 2003 17:14:55 -0400

In message <c643615a7427fb3b0dfc9eef1ff89c5f3e9c52d1 () watchguard com>, "Max Enders" writes:
Hello,

I'm curious to know how firewalls handle duplicate ICMP destination unreachable messages. How should replayed packets be denied? It seems like the two best options are rate limiting and inspecting the IPID. Any information is appreciated.

How duplicate are they?  Remember that you have to let in the 
"fragmentation needed" messages, or you'll end up with black holes.

                --Steve Bellovin, http://www.research.att.com/~smb (me)
                http://www.wilyhacker.com (2nd edition of "Firewalls" book)


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
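The exchange above turns on a tension: replayed or duplicated type-3 messages should be dropped, yet code 4 ("fragmentation needed") must always get through or Path MTU discovery breaks. The following is an added example, not code from the thread or from either poster: a small stateful filter that validates the quoted inner header against a constructed connection table (ACTIVE_FLOWS, an assumption standing in for a real connection tracker), drops a repeat of the same quoted IP ID as a replay, rate-limits other unreachables per sender, and never throttles PMTU errors.

```python
import socket, struct

ICMP_UNREACH, FRAG_NEEDED = 3, 4   # type 3 "destination unreachable"; code 4 "fragmentation needed"
# Constructed connection-tracking table (assumption for this example): 5-tuples of flows
# this site originated, as a stateful firewall's tracker would record them.
ACTIVE_FLOWS = {("10.0.0.5", "192.0.2.10", 6, 40000, 443)}
def ipv4(src, dst, proto, ident, payload):
    """Minimal 20-byte IPv4 header (checksum left zero; sample construction only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def build_unreach(router, host, code, flow, inner_id, mtu=1500):
    """ICMP type-3 message from router to host quoting the offending IP header + 8 bytes."""
    isrc, idst, proto, sport, dport = flow
    quoted = ipv4(isrc, idst, proto, inner_id, struct.pack("!HH4x", sport, dport))
    icmp = struct.pack("!BBHHH", ICMP_UNREACH, code, 0, 0, mtu if code == FRAG_NEEDED else 0)
    return ipv4(router, host, 1, 0, icmp + quoted)

class UnreachFilter:
    """Quoted header must match a tracked flow; a repeated quoted IP ID is a replay;
    other errors are rate-limited per sender, but PMTU errors never are."""
    def __init__(self, budget):
        self.budget, self.seen, self.count = budget, set(), {}
    def decide(self, pkt):
        sender, icmp = socket.inet_ntoa(pkt[12:16]), pkt[(pkt[0] & 0x0F) * 4:]
        if icmp[0] != ICMP_UNREACH:
            return "not-unreach"
        inner = icmp[8:]
        iihl = (inner[0] & 0x0F) * 4 if inner else 0
        if iihl < 20 or len(inner) < iihl + 8:
            return "drop-truncated"         # RFC 792: original header + 8 bytes required
        inner_id, proto = struct.unpack("!H", inner[4:6])[0], inner[9]
        flow = (socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20]), proto,
                *struct.unpack("!HH", inner[iihl:iihl + 4]))
        if flow not in ACTIVE_FLOWS:
            return "drop-no-state"          # error about a packet this site never sent
        if (sender, flow, inner_id) in self.seen:
            return "drop-duplicate"         # a real retransmission carries a new IP ID
        self.seen.add((sender, flow, inner_id))
        if icmp[1] == FRAG_NEEDED:
            return "accept-pmtu"            # never throttle these: that creates black holes
        self.count[sender] = n = self.count.get(sender, 0) + 1
        return "accept" if n <= self.budget else "drop-ratelimited"

def demo():
    flow, fw = ("10.0.0.5", "192.0.2.10", 6, 40000, 443), UnreachFilter(budget=2)
    pmtu = build_unreach("198.51.100.1", "10.0.0.5", FRAG_NEEDED, flow, 0x1234)
    stale = build_unreach("198.51.100.1", "10.0.0.5", 1, ("10.0.0.5", "203.0.113.7", 6, 40000, 80), 7)
    burst = [build_unreach("198.51.100.1", "10.0.0.5", 1, flow, i) for i in (1, 2, 3)]
    return [fw.decide(p) for p in (pmtu, pmtu, stale, *burst)]
```

The quoted-IP-ID replay check assumes the originating host fills in the ID field; some stacks send ID 0 on DF packets, which would make every later error for the same flow look like a replay, so it belongs alongside the rate limit rather than in place of it.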
