So then the firewall is totally helpless against a DoS attack? That sounds really bad.
There must be some way around this, such as all packets are encrypted to you and
are ignored by default.

On Thu, 7 Jun 2001, patrick kerry wrote:

> There is no mechanism to stop a DOS attack on the Firebox.
> Actually on most firewalls a true DOS attack is
> impossible to stop. Have your Firewall admin allow
> the ICMP packets inbound from only that mail server
> (host). I doubt if your ISP will launch a DOS attack
> against you, even if they did you would be helpless
> against it.
>
> --- Barry George <bgeorge@wabang.com> wrote:
> > Hi All,
> >
> > We have a Firebox II setup stopping most of what we
> > don't want.
> > Everything has been running nicely, then our city
> > run ISP installed a
> > new mail server. We found that mail from its domain
> > was being slowed
> > down or blocked. On inspection it turns out that our
> > firewall was being
> > hit constantly by their mail server destined for our
> > mail server. Seems
> > they are sending ICMP packets for PMTU discovery, so
> > the Firebox sees
> > these ICMP packets as a possible DoS attack and
> > locks out the
> > domain. Seems the frequency has increased to several
> > packets per second
> > at worst.
> > The ISP says they are just following standard
> > RFC1191 protocols, but
> > something has to have changed as we haven't had this
> > problem before.
> >
> > If we let these through to our mail server are we
> > opening ourselves up
> > to attack? Sorry I don't directly configure the
> > Firebox myself so I'm
> > not sure what config. capabilities it has. I'd
> > appreciate any discussion
> > on this.
> >
> > Barry
>
> [To unsubscribe, send mail to majordomo@lists.gnac.net with
> "unsubscribe firewalls" in the body of the message.]

uram@cmu.edu
"Blessed are those who have not seen and yet have faith."
- John 20:29
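An added example, not part of the original thread and not Firebox configuration: one way a filter could tell RFC 1191 path-MTU messages apart from other ICMP before any rate limit or lockout is applied. It assumes the ISP's packets are ICMP Destination Unreachable / fragmentation needed (type 3, code 4), which the thread does not show; the function names and all addresses are constructed for illustration.

```python
import ipaddress
import struct

MIN_IPV4_MTU = 68  # smallest MTU any IPv4 link may have (RFC 791)

def build_frag_needed(mtu, orig_src, orig_dst, flags=0x4000):
    """Constructed sample: ICMP type 3 code 4 quoting a TCP packet (checksums left 0)."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, flags, 64, 6, 0,
                        ipaddress.IPv4Address(orig_src).packed,
                        ipaddress.IPv4Address(orig_dst).packed)
    return struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + inner + b"\x00" * 8

def classify_icmp(icmp, protected_host):
    """Return a verdict string for one ICMP message (bytes after the outer IP header)."""
    if len(icmp) < 8:
        return "drop: truncated ICMP header"
    # RFC 1191: next-hop MTU is the low 16 bits of the second header word
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        return "other: apply the normal ICMP policy"
    quoted = icmp[8:]  # header of the packet that triggered the error + 8 bytes
    if len(quoted) < 28 or quoted[0] >> 4 != 4:
        return "drop: no quoted IPv4 header + 8 bytes"
    if 0 < mtu < MIN_IPV4_MTU:
        return "drop: implausible next-hop MTU"
    flags = struct.unpack("!H", quoted[6:8])[0]
    if not flags & 0x4000:  # fragmentation needed is only sent for DF packets
        return "drop: quoted packet did not have DF set"
    src = ipaddress.IPv4Address(quoted[12:16])
    if src != ipaddress.IPv4Address(protected_host):
        return "drop: quoted packet was not sent by the protected host"
    if mtu == 0:  # routers that predate RFC 1191 leave the field zero
        return "allow: PMTU discovery, legacy router (no MTU given)"
    return f"allow: PMTU discovery, next-hop MTU {mtu}"

if __name__ == "__main__":
    mail = "192.0.2.25"  # constructed address for the internal mail server
    for pkt in (build_frag_needed(1400, mail, "198.51.100.7"),
                build_frag_needed(1400, "203.0.113.9", "198.51.100.7"),
                build_frag_needed(20, mail, "198.51.100.7"),
                struct.pack("!BBHHH", 8, 0, 0, 0, 0)):
        print(classify_icmp(pkt, mail))
```

This check is stateless; a stateful firewall would additionally match the quoted addresses and ports against a connection it is already tracking before accepting the message.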