[Freeswitch-users] ICMP... and MTU

Claus Andersen clan at wheel.dk
Wed Feb 19 19:22:30 MSK 2014


On Wed, 19 Feb 2014, Cesar Bermudez wrote:

> Sorry to ask, but ..

There are no stupid questions - only stupid answers.

> If you don't recommend to block the ping, what do you recommend?
> and what issue cause the icmp block?

You are most probably talking about ping and traceroute. But ICMP is a lot 
more than just that. The 3 types of ICMP you use for ping and traceroute 
are Echo Reply (type 0), Echo Request (type 8) and Time Exceeded (type 
11).

But there are many more such as Source Quench and Destination Unreachable.

The question you should ask yourself: Why am I blocking this and what do I 
want to achieve?

Many people are scared of ping of death but that was patched many 
years ago and is not an issue as such. But if your thinking is that you 
would rather avoid any risk and can do without that very handy diagnostic 
tool then please do block for it. But that still does not mean that you 
should block for all ICMP.

ICMP is Internet Control Message Protocol. Some very important stuff 
sometimes happens via ICMP. Like any other traffic you need to understand 
why/why not you want to block it. Yes - there may be errors in the 
implementation which makes your host blow up (vulnerable like Ping of 
death) but on the other hand they were created for a purpose. If you 
naively close for everything you must expect breakage as well.

A good read is, as usual, Wikipedia, which shows you more uses for ICMP:
http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol

Security is never absolute. It is a question of convenience, usability 
and the amount of risk. If you can accept no risk the Internet is not for 
you.

Kind Regards,
Claus Andersen
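
An added illustration, not part of Claus Andersen's message: a Python sketch that decodes constructed ICMPv4 messages and lists the control messages a blanket ICMP drop would discard while a ping-only block keeps them. The policy function and sample packets are assumptions; the next-hop MTU field of Destination Unreachable code 4 (RFC 1191) goes beyond the types named in the post.

```python
import struct

# ICMPv4 type numbers for the messages named in the post
ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 4, 8, 11
NAMES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
         8: "Echo Request", 11: "Time Exceeded"}

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build(icmp_type, code, rest=b"\x00" * 4, payload=b""):
    """Construct a sample ICMP message with a valid checksum."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def parse(msg: bytes) -> dict:
    """Decode type and code, verify the checksum, extract next-hop MTU if present."""
    if len(msg) < 8:
        raise ValueError("an ICMP header is at least 8 bytes")
    info = {"type": msg[0], "code": msg[1],
            "name": NAMES.get(msg[0], "other"),
            "valid": checksum(msg) == 0}  # sums to zero when intact
    if msg[0] == DEST_UNREACH and msg[1] == 4:
        # "Fragmentation needed": bytes 6-7 carry the next-hop MTU (RFC 1191)
        info["next_hop_mtu"] = struct.unpack("!H", msg[6:8])[0]
    return info

def accept_ping_only_block(info: dict) -> bool:
    """Assumed policy: drop inbound Echo Request and corrupt messages only."""
    return info["valid"] and info["type"] != ECHO_REQUEST

def lost_under_blanket_drop(samples):
    """Messages the ping-only policy accepts; a drop-all-ICMP rule loses every one."""
    return [p["name"] for p in map(parse, samples) if accept_ping_only_block(p)]

SAMPLES = [  # constructed sample messages, not captured traffic
    build(ECHO_REQUEST, 0, struct.pack("!HH", 1, 1), b"ping"),
    build(DEST_UNREACH, 4, struct.pack("!HH", 0, 1400), b"\x45" + b"\x00" * 27),
    build(TIME_EXCEEDED, 0, payload=b"\x45" + b"\x00" * 27),
]
```
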


