[c-nsp] ICMP Filtering on firewall
C. Jon Larsen
jlarsen at richweb.com
Tue Sep 11 08:16:43 EDT 2007
On Tue, 11 Sep 2007, varaillon wrote:
> Hi,
>
> We are filtering and rate limiting icmp traffic on our border router to let
> in&out:
>
> Echo
> Echo-reply
> Unreachable
> Time-exceeded
I allow:
echo reply
echo request
Inbound can't fragment
Inbound Source quench
ttl exceeded
general parameter problem
That means types 0,3,4,8,11,12
To the best of my knowledge restricting these types can break your
network though I am not sure about Inbound Source quench (4).
You really need to allow Inbound can't fragment (3) or else you will have
path mtu troubleshooting headaches.
-jon
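As an added example, not from this thread or from any Cisco software: a small Python model of the allow-list in the reply above (types 0, 8, 11, 12 in both directions; 3 and 4 inbound only), with ICMP header parsing and checksum validation, so the policy can be checked against sample messages. The packets below are constructed here; the rate limiting mentioned in the thread is not modelled.

```python
import struct

# ICMP types named in the thread: 0 echo-reply, 3 unreachable,
# 4 source-quench, 8 echo, 11 time-exceeded, 12 parameter-problem
ALLOW_BOTH_DIRECTIONS = {0, 8, 11, 12}
ALLOW_INBOUND_ONLY = {3, 4}     # the reply permits these inbound only
UNREACHABLE, FRAG_NEEDED_CODE = 3, 4   # type 3 code 4 drives Path MTU Discovery


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(msg: bytes):
    """Return (type, code, checksum_ok); a valid message sums to zero."""
    msg = bytes(msg)
    if len(msg) < 8:
        raise ValueError("ICMP header is at least 8 bytes")
    icmp_type, code, _csum = struct.unpack("!BBH", msg[:4])
    return icmp_type, code, icmp_checksum(msg) == 0


def filter_decision(msg: bytes, inbound: bool) -> str:
    """Apply the allow-list; anything malformed or unlisted is denied."""
    icmp_type, _code, ok = parse_icmp(msg)
    if not ok:
        return "deny"
    if icmp_type in ALLOW_BOTH_DIRECTIONS:
        return "permit"
    if icmp_type in ALLOW_INBOUND_ONLY and inbound:
        return "permit"
    return "deny"


def next_hop_mtu(msg: bytes):
    """MTU advertised by a 'fragmentation needed' message, else None."""
    icmp_type, code, ok = parse_icmp(msg)
    if ok and icmp_type == UNREACHABLE and code == FRAG_NEEDED_CODE:
        return struct.unpack("!H", msg[6:8])[0]
    return None


def build_icmp(icmp_type: int, code: int, rest=b"\x00" * 4, payload=b"") -> bytes:
    """Construct an ICMP message with a correct checksum (test data only)."""
    hdr = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return hdr[:2] + struct.pack("!H", icmp_checksum(hdr)) + hdr[4:]


# Constructed sample: frag-needed, next-hop MTU 1400, 28 placeholder bytes
# standing in for the quoted original IP header + 8 bytes of its payload.
SAMPLE_FRAG_NEEDED = build_icmp(3, 4, b"\x00\x00\x05\x78", b"\x00" * 28)
```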