Board: FB_security
Subject: RE: FreeBSD DDoS protection
Origin: NCTU CS FreeBSD Server (Wed Feb 13 20:51:44 2013)
Path: ptt!csnews.cs.nctu!news.cs.nctu!.cs.nctucs.nctu!!freebsdfreebsd.org!ow
khatfield@... writes:
> Please read the rest of the thread before criticizing.
Let me clarify. Naïvely blocking ICMP isn't the only thing firewall admins should avoid doing. I think that one should construct firewalls in such a manner that for all prohibited classes of traffic, the firewall should return the correct destination-unreachable messages (TCP RST or ICMP UNREACHABLE) to the traffic source. For one, this makes the presence of a firewall less obvious to attackers, but more importantly, end users don't have to wait for their connections to mysteriously time out when they do something prohibited. Black holes and null routes have their place, such as in response to an active denial of service attack, but not in the primary traffic control policy.
--
I FIGHT FOR THE USERS
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
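The policy the post argues for, written out as a pf.conf fragment for FreeBSD (an added example, not part of the original post or of any FreeBSD default; the interface name em0, the service ports and the table name are assumptions):

```pf
# Added example, not from the post. Assumed: external interface em0,
# services on TCP 22/80/443, a table <attackers> filled only during an attack.
ext_if = "em0"
table <attackers> persist

# Default for every "block" rule: answer with a TCP RST (TCP) or an ICMP
# unreachable (UDP) instead of dropping silently, so clients fail fast and
# the filter is less conspicuous than a black hole.
set block-policy return

# The one place a silent drop belongs: sources of an active DoS attack.
# "quick" stops evaluation so no later pass rule can admit them.
block drop in quick on $ext_if from <attackers>

# Everything not explicitly permitted is refused, not swallowed. "block"
# alone would inherit the policy above; the explicit forms are shown here.
block return in on $ext_if
block return-icmp(port-unr) in on $ext_if proto udp from any to ($ext_if)

# Do not block ICMP wholesale: keep echo requests and, above all, the
# destination-unreachable / packet-too-big messages that Path MTU
# discovery depends on.
pass in on $ext_if inet proto icmp icmp-type { echoreq unreach }
pass in on $ext_if inet6 proto icmp6 icmp6-type { echoreq unreach toobig }

# Permitted services; everything else hits the "block return" rules above.
pass in on $ext_if inet proto tcp from any to ($ext_if) port { 22 80 443 } \
    flags S/SA keep state
pass out on $ext_if keep state
```

Note that `return` only generates a reply for TCP and UDP; any other protocol that matches a block rule is still dropped silently, so the table-based `block drop` remains the explicit, attack-time exception rather than the primary policy.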