On Wed, 25 Apr 2007 20:19:42 +0000 (UTC)
Tobias Weingartner <weingart@cs.ualberta.ca> wrote:

quoted text
> Chad M Stewart wrote:
> >  On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
> > >
> > > pass in inet proto icmp all icmp-type $icmp_types keep state
> > 
> >  This can be used as a covert communication channel.  Allowing  
> >  internal IPs to send/receive ping is bad.
> 
> Bull.  Not allowing ICMP is just as bad.  Worse actually, as you
> are violating RFCs.  Quit spreading this FUD.

hi,

actually, me thinks the same about allowing/denying ICMP as you,
tobias. however, we recently had a CCIE/NSA certified blahblah guy in
our company, tuning our, err, Cizcoooeee equipment.

guess what he did -- he violated 'the RFCs'.

unfortunately, i wasn't able to find them on the net. do you have them
handy? i'm very curious about that :)

tia,

-- 
Timo Schoeler | http://riscworks.net/~tis | timo.schoeler@riscworks.net
RISCworks -- Perfection is a powerful message
Ex-ISP | RISC afficinados | Networking, Security, BSD services
GPG Key fingerprint = 76E0 BEAF 762A BD1B 383C  F88C EBCF 6DDF D87F CDF0

You can fly away to the end of the world
But where does it get you to? (Tennant/Lowe)