[NTLUG:Discuss] SSH
Chris Cox
cjcox at acm.org
Tue Oct 14 17:23:46 CDT 2003
Eric Schnoebelen wrote:
> Chris Cox writes:
> - IMHO, disable ICMP ping(echo).
>
> This is a bad answer. Especially if you interpret it as
> disabling _all_ ICMP messages.
Just echo.. and this is SOP.
>
> You want to permit Path MTU discovery, which uses ICMP,
> and you want to make sure that ICMP replies (like host/network
> unreachable) go back out.
Shouldn't affect routing discovery (just echo).
>
> Doing otherwise causes your site to look like a black
> hole to the net, and will likely break applications and clients
> using your site.
Only makes your site a black hole to the common scanning
methodologies. Will only break apps that make very bad
assumptions.
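
The distinction this exchange turns on, as an added example (not code from either poster): an inbound ICMPv4 filter that drops only echo request (type 8) and passes everything else, including destination unreachable with code 4, "fragmentation needed", which Path MTU discovery depends on. The function names and the sample packets are constructed for illustration.

```python
import struct

# ICMPv4 numbers from RFC 792 / RFC 1191.
ECHO_REQUEST = 8   # what "ping" sends
DEST_UNREACH = 3   # host/network unreachable and friends
FRAG_NEEDED = 4    # code under DEST_UNREACH; carries the next-hop MTU

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type, code, rest=b"\x00" * 4, payload=b""):
    """Construct a sample ICMP message with a valid checksum (test input only)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def inbound_verdict(icmp: bytes) -> str:
    """Hypothetical policy: drop echo request only, never the error messages."""
    # A valid message sums to zero when the checksum field is included.
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        return "DROP malformed"
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type == ECHO_REQUEST:
        return "DROP echo-request"
    if icmp_type == DEST_UNREACH and code == FRAG_NEEDED:
        # Bytes 6-7 hold the next-hop MTU the sender must shrink to.
        mtu = struct.unpack("!H", icmp[6:8])[0]
        return "ACCEPT frag-needed mtu=%d" % mtu
    return "ACCEPT"

if __name__ == "__main__":
    samples = {
        "ping": build_icmp(8, 0, b"\x12\x34\x00\x01", b"ping"),
        "pmtud": build_icmp(3, 4, b"\x00\x00\x05\x78", bytes(28)),
        "host-unreachable": build_icmp(3, 1, payload=bytes(28)),
    }
    for name, pkt in samples.items():
        print(name, "->", inbound_verdict(pkt))
```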