On Feb 1, 2007, at 2:45 AM, Pascal Gloor wrote:
A few customers complaining ... Sunrise filtering ICMP? ...
You should think before filtering all this. Too many problems because of this.
Right. ermm...
What about other kinds of ICMP? Do they filter any ICMP packet or just ICMP echo request/reply? If they filter any ICMP packet they just break the rules. What about host unreachable? MTU exceeded? And all other kinds of ICMP which are ESSENTIAL to run the Internet correctly!?!?
IMHO, this is not acceptable.
Perhaps they're doing this because of the recent Cisco ICMP vulnerabilities? Given that transit functions and even time-exceeded messages are still generated, one could argue that this is quite prudent?
-danny