So now you have a *business* choice to make: is it more important to your business that you (a) be able to exchange mail with those folks, or (b) prevent hackers *who forge that particular IP address* from scanning your network?

I know which way every boss I've ever worked for would decide....

David Gillett

On 7 Jun 2001, at 13:23, Barry George wrote:

> Thanks to all for the replies so far. Here is a note from our Firewall
> admin on one of the suggestions. Any comments?
>
> Thanks
> Barry
>
> >Sorry Barry, but I disagree with that statement. We need to block
> >multiple ICMP requests. Hackers can use it as a tool to scan other
> >services on the network. By blocking them after 4 attempts, we stop
> >them before they can discover more about the network.
> >
> >MTU discovery on the internet is useless and bandwidth consuming.
> >MTU discovery should only be used on an Ethernet network to determine
> >packet size on the network.
> >
> >>Stopping the ICMP protocol is a bad idea on an IP network like the internet.
> >>Just block echo request, but not the whole ICMP.....
>
> -
> [To unsubscribe, send mail to majordomo@lists.gnac.net with
> "unsubscribe firewalls" in the body of the message.]