Re: (ASCEND) Suppressing ICMP errors

To: Michiel Boland <boland@diva.nl>
Subject: Re: (ASCEND) Suppressing ICMP errors
From: Neale Banks <neale@idesign.com.au>
Date: Fri, 26 Jun 1998 16:52:06 +1000 (EST)
Cc: ascend-users@bungi.com
In-Reply-To: <Pine.LNX.3.95.980625100356.22863A-100000@ns.diva.nl>
Sender: owner-ascend-users@max.bungi.com

On Thu, 25 Jun 1998, Michiel Boland wrote:

> Hi
> 
> I have an anti-spoof filter on all our dialup customers. However,
> any ICMP unreachables that get sent as a result of someone using
> a packet with a 'wrong' source address appear to be flung out
> onto the net rather than sent back along the interface from which
> the original packet was received.

I presume you are using basic filters, not Secure Access F/W?  You are
_rejecting_ the bogus packets, and implicitly generating a ICMP to the
source address (ie the bogus address)?  Yes, that will get flung out onto
the internet :-(

> Is there someone who has found a way to stop these bogus ICMP
> messages? Obviously I do not want to filter *all* ICMP from my
> max. 

The underlying problem is that you need to silently drop these packets,
not reject them.  AFAIK, that is only an option in SA F/W (ie not in the
basic filtering.  Feature request time? 

Regards,
Neale.

++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>

Follow-Ups:

Re: (ASCEND) Suppressing ICMP errors

From: Michiel Boland <boland@diva.nl>

References:

(ASCEND) Suppressing ICMP errors

From: Michiel Boland <boland@diva.nl>

Prev by Date: Re: (ASCEND) Loading 2.1.3 images individually gives bad CRC
Next by Date: Re: (ASCEND) IP Pool Leak NOT Fixed
Prev by thread: (ASCEND) Suppressing ICMP errors
Next by thread: Re: (ASCEND) Suppressing ICMP errors
Index(es):
- Main
- Thread