Re: [SQU] ICMP

From: Awie <awie@dont-contact.us>
Date: Mon, 5 Mar 2001 10:34:22 +0800

Bert,

Thanks for your suggestion. I will investigate this issue further to find
what is best.

Thx

Best Regards,

Awie
----- Original Message -----
From: "Bert Driehuis" <bert_driehuis@nl.compuware.com>
To: <squid-users@ircache.net>
Sent: Sunday, March 04, 2001 11:31 PM
Subject: Re: [SQU] ICMP

> On Sun, 4 Mar 2001, Awie wrote:
>
> > So, it means my Squid will be OK if I disable ICMP echo on my Linux. Am I
> > right?
> >
> > The purpose of disabling ICMP echo is security.
>
> The idea that UNIX becomes more secure if you disable ICMP is
> somewhat misguided. Your UNIX should already be protected against things
> like responding to pinging the broadcast address and thereby amplifying a
> smurf attack. Disabling regular ICMP ECHO and ECHOREQUEST does not make
> your system or network more secure.
>
> ICMP is also used for other housekeeping: you do not want to disable the
> ICMP_UNREACH code if you want your Squid to notice that a site is
> down quickly.
>
> Look through the ICMP codes before deciding which to block. I would
> definitely block ICMP_REDIRECT_* and ICMP_ROUTER*.
>
> I would definitely not block ICMP_ECHO*, ICMP_UNREACH, ICMP_SOURCEQUENCH
> and ICMP_TIMXCEED.
>
> Don't forget that you might need the ICMP ECHO one day yourself, if you
> need to test your system's reachability from a remote location.
>
> Your mileage may vary.
>
> Cheers,
>
> -- Bert
> --
> Bert Driehuis -- driehuis@playbeing.org -- +31-20-3116119
> If the only tool you've got is an axe, every problem looks like fun!
>
> --
> To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
>

Received on Sun Mar 04 2001 - 19:46:23 MST
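
An added example, not part of the original thread: a small Python check that audits `iptables-save` style rules against the ICMP advice in Bert's reply above (keep ECHO*, UNREACH, SOURCEQUENCH and TIMXCEED; block REDIRECT and ROUTER*). The iptables rule format, the name table and the sample ruleset are assumptions constructed for illustration; only explicit per-type rules are considered, and a type/code match is treated as covering the whole type.

```python
import re

# ICMP type numbers (RFC 792, RFC 1256) keyed by the names iptables accepts.
NAMES = {"echo-reply": 0, "destination-unreachable": 3, "source-quench": 4,
         "redirect": 5, "echo-request": 8, "router-advertisement": 9,
         "router-solicitation": 10, "time-exceeded": 11}
# Policy taken from the reply: types to keep and types to block.
KEEP = {0, 3, 4, 8, 11}
BLOCK = {5, 9, 10}
NUM2NAME = {v: k for k, v in NAMES.items()}
RULE = re.compile(r"^-A\s+(\S+)\s.*-p\s+icmp\b.*--icmp-type\s+(\S+).*-j\s+(\S+)")

# Constructed sample ruleset (not from the thread).
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p icmp -m icmp --icmp-type redirect -j DROP
-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 9 -j DROP
COMMIT
"""

def icmp_type(token):
    """Return the type number for 'redirect', '5' or '5/1' (type/code)."""
    head = token.split("/")[0]
    return int(head) if head.isdigit() else NAMES.get(head)

def audit(ruleset, chain="INPUT"):
    """Return a list of findings for one chain; first matching rule wins."""
    first = {}  # ICMP type -> verdict of the first rule that names it
    for line in ruleset.splitlines():
        m = RULE.match(line.strip())
        if not m or m.group(1) != chain:
            continue
        t = icmp_type(m.group(2))
        if t is not None:  # unknown names (e.g. code-level names) are skipped
            first.setdefault(t, m.group(3))
    findings = []
    for t in sorted(KEEP):
        if first.get(t) in ("DROP", "REJECT"):
            findings.append(f"{NUM2NAME[t]} is blocked but should be kept")
    for t in sorted(BLOCK):
        if first.get(t) not in ("DROP", "REJECT"):
            findings.append(f"{NUM2NAME[t]} is not blocked")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
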
