[lug] making ping not respond
dan radom
dan at radom.org
Tue Feb 12 08:21:39 MST 2002
I block all incoming ICMP, and haven't had *any* problems with my network. There are several ICMP datagram types, and blocking new incoming echo requests shouldn't cause problems. The datagram types are listed below... Another thing I might mention is that the maximum MTU with PPPoX is 1492.
dan
ICMP datagram types

Type Number  iptables mnemonic        Type description
-----------  -----------------------  -----------------------
0            echo-reply               Echo Reply
3            destination-unreachable  Destination Unreachable
4            source-quench            Source Quench
5            redirect                 Redirect
8            echo-request             Echo Request
11           time-exceeded            Time Exceeded
12           parameter-problem        Parameter Problem
13           timestamp-request        Timestamp Request
14           timestamp-reply          Timestamp Reply
15           none                     Information Request
16           none                     Information Reply
17           address-mask-request     Address Mask Request
18           address-mask-reply       Address Mask Reply
* Chip Atkinson (chip at rmpg.org) wrote:
> To chime in, I also read that it can affect email as well. Small messages
> can get through as can telnet tests since the packets are small, but
> larger messages get dropped. The symptom is inconsistent network
> throughput as opposed to just blocking traffic like you'd see if you made
> your firewall rules incorrectly.
>
> Chip
>
> On Tue, 12 Feb 2002 rm at fabula.de wrote:
>
> > On Sat, Feb 09, 2002 at 10:01:27AM -0700, Brad Doctor wrote:
> > >
> > >
> > > [...]
> > >
> > > However, it will disable ICMP for all interfaces...
> > >
> > > -brad
> >
> > Probably not a good idea. Some ICMP messages are actually very
> > useful. Your friendly Linux kernel uses ICMP all the time to
> > discover the MTU (maximum transfer unit) to a given host.
> > One of my customers had strange network problems because of an
> > intermediate GRE tunnel that filters ICMP packets. He was connected
> > with a DSL line that has an MTU of 1492 which his kernel did know,
> > so the packets sent out were never bigger than this. Unfortunately
> > some (stupid) webserver responded with 1500 sized packets and a
> > 'don't-fragment' bit set. Since the tunnel filtered out ICMP packets
> > the responding webserver would never receive the 'packets are too
> > big' ICMP messages -- the result: some webpages would just not
> > show up ... :-(
> >
> > ICMP is good, just be careful which ones you use.
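The two rule sets this thread contrasts, as an added example (not code from the original posts): dropping all ICMP, which blackholes the "packet too big" messages path MTU discovery needs, versus Dan's selective rules that drop only echo requests and keep the error types in his table, plus an MSS clamp for the 1492-byte PPPoE MTU. It assumes iptables with the state match and TCPMSS target and an uplink interface named ppp0; commands are printed for review unless APPLY=1.

```shell
#!/bin/sh
# Added example, not code from the original thread. Emits the iptables
# commands for review; set APPLY=1 to execute them. The interface name
# ppp0 is an assumption.
IPT="${IPT:-iptables}"
WAN="${WAN:-ppp0}"

emit() {
    if [ "${APPLY:-0}" = "1" ]; then "$IPT" "$@"; else echo "$IPT $*"; fi
}

# The blanket approach the thread warns against: every ICMP datagram is
# dropped, including the type 3 "fragmentation needed" errors that path
# MTU discovery depends on. This is what produces the "some web pages
# never load" symptom rm describes.
blackhole_rules() {
    emit -A INPUT -i "$WAN" -p icmp -j DROP
}

# Dan's approach: drop only incoming echo requests (type 8) and keep the
# error/control types TCP and the kernel rely on (types 3, 4, 11, 12).
selective_rules() {
    emit -A INPUT -i "$WAN" -p icmp --icmp-type echo-request -j DROP
    for t in destination-unreachable source-quench time-exceeded parameter-problem; do
        emit -A INPUT -i "$WAN" -p icmp --icmp-type "$t" -j ACCEPT
    done
    # Replies to our own probes (echo-reply, timestamp-reply) belong to a
    # tracked flow; any other unsolicited ICMP is dropped.
    emit -A INPUT -i "$WAN" -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
    emit -A INPUT -i "$WAN" -p icmp -j DROP
    # Defence in depth for the 1492-byte PPPoE MTU the thread mentions: clamp
    # the MSS on forwarded SYNs so peers never send 1500-byte segments with
    # DF set, even if some hop upstream still filters ICMP.
    emit -t mangle -A FORWARD -o "$WAN" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
}

# Number of ICMP ACCEPT rules a rule set contains (0 for blackhole_rules,
# 5 for selective_rules); used to check a rule set before applying it.
count_icmp_accepts() {
    "$1" | grep -c -- '-p icmp .*-j ACCEPT' || true
}

case "${1:-}" in
    blackhole) blackhole_rules ;;
    selective) selective_rules ;;
esac
```

Run `sh rules.sh selective` to review the generated commands, and `APPLY=1 sh rules.sh selective` as root to install them.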