>
> To all from Doug Karl.....
[...]
> 2) New ICMP filters. Some examples are the ability to "ping" out of the
> internal network but not in. One can argue that if you stop incoming
> "pings" at the border then some scanners can be slowed down. Also
> incoming ICMP Redirects can be blocked from entering the network. This
> will protect against ICMP bombs.
Blocking redirects doesn't stop ICMP `bombs'. This term is used to describe
the behaviour of ICMP unreachables. But I assume it is general enough to
allow this too.
darren
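
The two filters from the quoted announcement, and the gap the reply points out, as an added example that is not part of the original thread and is not the product's own filter code. The function names, the 'in'/'out' direction labels and the pass-everything-outbound rule are assumptions; the sample messages are constructed.

```python
import struct

# ICMP type numbers from RFC 792
ECHO_REPLY, UNREACHABLE, REDIRECT, ECHO_REQUEST = 0, 3, 5, 8

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int = 0, rest: bytes = b"\x00" * 4) -> bytes:
    """Build a constructed sample ICMP message with a valid checksum."""
    unsummed = struct.pack("!BBH", icmp_type, code, 0) + rest
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(unsummed)) + rest

def filter_icmp(message: bytes, direction: str) -> str:
    """Return 'pass' or 'drop' for an ICMP message crossing the border.

    direction is 'in' (toward the internal network) or 'out' (assumed labels).
    """
    # A valid message is at least 8 bytes and sums to zero with its checksum.
    if len(message) < 8 or icmp_checksum(message) != 0:
        return "drop"
    icmp_type = message[0]
    if direction == "out":
        return "pass"      # assumption: all outbound ICMP allowed, so ping out works
    if icmp_type == ECHO_REQUEST:
        return "drop"      # ping in is refused
    if icmp_type == REDIRECT:
        return "drop"      # inbound redirects are refused
    # Echo replies must pass for outbound ping to work. Unreachables (type 3)
    # also land here: the redirect rule above does nothing about them.
    return "pass"

if __name__ == "__main__":
    for name, t in [("echo request", ECHO_REQUEST), ("echo reply", ECHO_REPLY),
                    ("redirect", REDIRECT), ("unreachable", UNREACHABLE)]:
        print(f"inbound {name:13s} -> {filter_icmp(build_icmp(t), 'in')}")
```

Inbound unreachables still pass under these two rules, which is the point the reply makes; dropping type 3 wholesale would also discard the "fragmentation needed" messages that path MTU discovery relies on.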