Quote:
Originally Posted by mikester
I really hate it when Security experts say to disable ICMP too - ICMP is a requirement for a properly functioning IP network.
Without ICMP you can't negotiate things like MTU size properly. For example, if a downstream router has a lower MTU size and the packets that are reaching it are larger than that MTU, without ICMP it cannot negotiate with the other routers or the host sending the data to change the packet size or to fragment the packets. You basically break the network at that point.
Lame.
They should fix the downstream routers. Seriously, I'd venture that most large companies disable ICMP from passing through their firewalls, based upon my experience in corporate America (connecting with lots of other "corporate networks"). I once even had a security manager adamantly insist upon having DNS disabled on firewalls that connected to our DMZ many years ago... I assured him he would change his mind soon (after beating my head again against the wall), and quit arguing with someone who had no clue...
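A constructed simulation of the Path MTU negotiation mikester's post describes, added here as an illustration and not code from anyone in the thread: the sender keeps DF set, a hop with a smaller MTU answers with ICMP "Fragmentation Needed", and the same path with ICMP filtered at the firewall turns into a black hole. Hop names, MTUs and the payload size are made up.

```python
"""Constructed Path MTU Discovery (RFC 1191) simulation. The sender sets DF on
every packet; a hop whose MTU is too small drops the packet and replies with
ICMP Fragmentation Needed (type 3, code 4) carrying its MTU. If a firewall
filters that ICMP error, the sender never learns and the flow black-holes."""
from dataclasses import dataclass, replace

IP_HDR, TCP_HDR = 20, 20  # IPv4 and TCP header sizes without options


@dataclass
class Hop:
    name: str
    mtu: int
    icmp_reaches_sender: bool = True  # False: a firewall drops this hop's ICMP errors


def send_with_pmtud(path, payload, start_mtu=1500, max_attempts=5):
    """Return (delivered, final_path_mtu, events) for one TCP segment."""
    mtu, events = start_mtu, []
    for attempt in range(1, max_attempts + 1):
        size = min(mtu, IP_HDR + TCP_HDR + payload)
        # the packet is dropped at the first hop it does not fit through
        blocker = next((h for h in path if size > h.mtu), None)
        if blocker is None:
            events.append(f"attempt {attempt}: {size}-byte packet delivered")
            return True, mtu, events
        if blocker.icmp_reaches_sender:
            events.append(f"attempt {attempt}: {blocker.name} sent ICMP frag-needed, MTU {blocker.mtu}")
            mtu = blocker.mtu  # RFC 1191: adopt the advertised next-hop MTU
        else:
            events.append(f"attempt {attempt}: {blocker.name} dropped {size} bytes, ICMP filtered")
    return False, mtu, events  # sender kept retransmitting into a black hole


def filter_icmp(path):
    """Model a firewall that drops all ICMP, as the thread describes."""
    return [replace(h, icmp_reaches_sender=False) for h in path]


def clamped_mss(path_mtu):
    """MSS to advertise so segments fit the path; MSS clamping is the usual
    workaround when ICMP cannot be relied on end to end."""
    return path_mtu - IP_HDR - TCP_HDR


# constructed path: a 1400-byte tunnel sits between two 1500-byte links
PATH = [Hop("edge-router", 1500), Hop("vpn-tunnel", 1400), Hop("far-lan", 1500)]

if __name__ == "__main__":
    for label, p in (("ICMP allowed", PATH), ("ICMP filtered", filter_icmp(PATH))):
        ok, mtu, ev = send_with_pmtud(p, payload=1400)
        print(f"{label}: delivered={ok}, learned MTU={mtu}, MSS to clamp={clamped_mss(mtu)}")
        for e in ev:
            print("  ", e)
```

With ICMP allowed the sender learns the 1400-byte path MTU on the second attempt; with ICMP filtered it retransmits the same 1440-byte packet until it gives up, which is the "broken network" the quoted post is describing.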