[Freeswitch-users] ICMP... and MTU
Claus Andersen
clan at wheel.dk
Wed Feb 19 19:22:30 MSK 2014
On Wed, 19 Feb 2014, Cesar Bermudez wrote:
> Sorry to ask, but ..
There are no stupid questions - only stupid answers.
> If you don't recommend to block the ping, what do you recommend?
> and what issue cause the icmp block?
You are most probably talking about ping and traceroute. But ICMP is a lot
more than just that. The 3 types of ICMP you use for ping and traceroute
are Echo Reply (type 0), Echo Request (type 8) and Time Exceeded (type
11).
But there are many more such as Source Quench and Destination Unreachable.
The question you should ask yourself: Why am I blocking this and what do I
want to achieve?
Many people are scared of ping of death but that was patched many
years ago and is not an issue as such. But if your thinking is that you
would rather avoid any risk and can do without that very handy diagnostic
tool then please do block for it. But that still does not mean that you
should block for all ICMP.
ICMP is Internet Control Message Protocol. Some very important stuff
sometimes happens via ICMP. Like any other traffic you need to understand
why/why not you want to block it. Yes - there may be errors in the
implementation which make your host blow up (vulnerable like Ping of
death) but on the other hand they were created for a purpose. If you
naively close for everything you must expect breakage as well.
A good read is as usual Wikipedia which shows you more uses for ICMP:
http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
Security is never absolute. It is a question of convenience, usability
and the amount of risk. If you can accept no risk the Internet is not for
you.
Kind Regards,
Claus Andersen
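
Added example, not part of the original post: a small ICMPv4 parser that names each message type discussed above and what relies on it, which helps when deciding what a firewall may drop. The function names, the role table and the sample packets are constructed for illustration; the Fragmentation Needed entry (type 3, code 4, used for path MTU discovery per RFC 1191) and the Source Quench deprecation (RFC 6633) come from the RFCs, not from the post.

```python
import struct

# ICMPv4 (type, code) -> (name, what relies on it); code None = any code.
# Types 0, 8 and 11 are as named in the post; the rest are from the RFCs.
ICMP_ROLES = {
    (0, None): ("Echo Reply", "ping"),
    (8, None): ("Echo Request", "ping"),
    (11, None): ("Time Exceeded", "traceroute"),
    (3, 4): ("Fragmentation Needed", "path MTU discovery (RFC 1191)"),
    (3, None): ("Destination Unreachable", "error reporting"),
    (4, None): ("Source Quench", "deprecated by RFC 6633"),
}

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (one's-complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Construct a sample ICMP message with a valid checksum (test input only)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def classify(msg: bytes) -> dict:
    """Parse an ICMP message (IP header already stripped) and name its role."""
    if len(msg) < 8:
        raise ValueError("ICMP header is 8 bytes")
    if checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code = msg[0], msg[1]
    name, used_for = (ICMP_ROLES.get((icmp_type, code))
                      or ICMP_ROLES.get((icmp_type, None), ("Other", "unknown")))
    info = {"type": icmp_type, "code": code, "name": name, "used_for": used_for}
    if (icmp_type, code) == (3, 4):
        # RFC 1191: the next-hop MTU sits in the low 16 bits of the second word.
        info["next_hop_mtu"] = struct.unpack("!H", msg[6:8])[0]
    return info

if __name__ == "__main__":
    # Constructed samples: an echo request and a "fragmentation needed" error.
    for sample in (build(8, 0, payload=b"hello"),
                   build(3, 4, struct.pack("!HH", 0, 1400), b"\x45" + b"\x00" * 27)):
        print(classify(sample))
```

A filter that drops all of type 3 also drops the code 4 message carrying `next_hop_mtu`, which is the breakage the subject line of this thread refers to.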