> >A related question is, should your firewall send back anything at all or
> >should you leave the sender wondering what happened to his nastygrams ?
>
> I don't think the filtering router should send back ICMP messages in
> response to packets dropped by filtering.
>

I disagree. I think that this should be configurable. If for some
reason you want to send ICMPs on a per rule/port/service and per
interface basis, you should be able to. In addition, you should be able to
set the type of unreachable message that you send.

> Second, your filters shouldn't get triggered that often anyway. They're
> only going to be triggered by things that violate your security policy, and
> there just shouldn't be many such connections. Letting these few attempted
> connections simply time out isn't going to cause that many more packets to
> flow as things retry before they time out. Every packet dropped by
> filtering here at GreatCircle.COM is logged; it amounts to a handful of
> packets per day (usually less than a dozen).

I have seen a couple of sites that have continued to send packets for
days, even though a firewall was silently dropping the packets. A
simple ICMP host unreachable sent back stopped it.

As long as it is flexible and configurable, you should have the option
to send back ICMPs.
geoff
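
The per-rule, per-interface choice geoff argues for (silently drop on one interface, send a chosen ICMP unreachable type on another) is exactly what a modern nftables ruleset expresses. The fragment below is an added illustration, not part of the original message or of any software discussed in the thread; the interface names `eth0` (outside) and `eth1` (inside) and the filtered ports are assumptions chosen for the example.

```nft
# Added example: per-interface drop vs. reject policy (constructed, not from the thread)
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif "lo" accept

        # Inside interface: misconfigured internal hosts retry forever against a
        # silent drop, so answer them with an explicit host-unreachable and they stop.
        iifname "eth1" tcp dport { 23, 513 } counter reject with icmp type host-unreachable

        # Outside interface: give nothing away to the sender, but log every hit
        # so the "handful of packets per day" claim stays verifiable.
        iifname "eth0" tcp dport 23 counter log prefix "fw-drop-telnet: " drop

        # The unreachable type is selectable per rule; icmpx picks the right
        # ICMPv4/ICMPv6 variant for the address family in an inet table.
        iifname "eth0" udp dport 53 counter reject with icmpx type admin-prohibited
    }
}
```

Load it with `nft -f <file>` and watch the per-rule `counter` values with `nft list ruleset`; if a rule's counter climbs steadily for days, that is the retry storm geoff describes, and switching that single rule from `drop` to `reject` is the fix, without touching the policy on the other interface.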