#tech #photos #heldesk #images #infosec #memes #cloud #sysadmin #funny
tech (tech@unfufadoo.net)'s status on Monday, 31-Mar-2025 08:32:17 JST
feld (feld@friedcheese.us)'s status on Tuesday, 01-Apr-2025 11:26:08 JST
@SlicerDicer @tech @elfin People who block all ICMP deserve to be fired for incompetence. You can filter out the dangerous ICMP types without breaking echo/echoreply (0 and 8).
I am Water (slicerdicer@friedcheese.us)'s status on Tuesday, 01-Apr-2025 11:26:09 JST
@tech @elfin Disable ping, what do you do?
feld (feld@friedcheese.us)'s status on Tuesday, 01-Apr-2025 11:37:00 JST
@SlicerDicer @tech @elfin If it's blocked completely you'll break PMTU, which can cause network requests to hang / fail.
I am Water (slicerdicer@friedcheese.us)'s status on Tuesday, 01-Apr-2025 11:37:01 JST
@feld @tech @elfin I blocked it on my network lol
feld (feld@friedcheese.us)'s status on Tuesday, 01-Apr-2025 11:46:32 JST
@SlicerDicer @elfin @tech also I'm wrong on the specific types, I get the names and numbers mixed up. I have them documented for pf and ipfw both v4 and v6, I'll send them.
You need to be able to respond with a fragmentation needed message, and it's not echoreply for that one; I think it's type 3 / destination unreachable.
I am Water (slicerdicer@friedcheese.us)'s status on Tuesday, 01-Apr-2025 11:46:33 JST
@feld @tech @elfin It’s not completely, just my external. I don’t want to see it in my logs.
feld (feld@friedcheese.us)'s status on Tuesday, 01-Apr-2025 11:55:37 JST
@SlicerDicer @elfin @tech
ok for ICMP you want: 0,3,8,11
You could block 0 and 8 so the normal ping doesn't work, but you really don't want to block 3 and 11, or when shit goes wrong the machine on the other end doesn't get the hint (packet too large, exceeds TTL).
feld (feld@friedcheese.us)'s status on Tuesday, 01-Apr-2025 11:59:32 JST
@SlicerDicer @elfin @tech for ICMP6 you really need:
135 neighbrsol Neighbor solicitation
136 neighbradv Neighbor advertisement
because those are basically the IPv6 version of ARP
You probably want:
1 unreach Destination unreachable
2 toobig Packet too big
You can live without, but it's worth having
128 echoreq Echo service request
129 echorep Echo service reply
and you should only have these on your own networks where you need them:
133 routersol Router solicitation
134 routeradv Router advertisement
the rest should all be blocked
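A pf.conf fragment that encodes the ICMP and ICMPv6 type lists from this thread, added here as an example; it is not feld's own documented ruleset. The interface macros ext_if / int_if, their device names, and the default-deny policy are assumptions.

```pf
# Added example: pf.conf fragment for the ICMP / ICMPv6 types discussed above.
# Assumptions (not from the thread): interface names and a default-deny policy.
ext_if = "em0"   # hypothetical external interface
int_if = "em1"   # hypothetical internal interface

# Default deny. pf pass rules keep state by default, so replies to
# traffic we initiate are tracked without extra rules.
block all
pass out all

# ICMPv4 on the external interface: 0/8 so ping works, 3 (unreach, which
# carries "fragmentation needed" so PMTU discovery works), 11 (timex, TTL exceeded).
pass in on $ext_if inet proto icmp icmp-type { echorep, echoreq, unreach, timex }

# Variant for "I don't want pings in my logs": drop 0/8 externally but keep
# 3 and 11, otherwise the far end never gets the packet-too-large / TTL hint.
# pass in on $ext_if inet proto icmp icmp-type { unreach, timex }

# ICMPv6 on the external interface: 135/136 (neighbor discovery, the IPv6
# counterpart of ARP), 1 (unreach), 2 (toobig, needed for PMTU), 128/129 (echo).
pass in on $ext_if inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv, unreach, toobig, echoreq, echorep }

# Same set on the internal network, plus 133/134 (router solicitation /
# advertisement), which belong only on networks where you run your own
# routers. Every other type falls through to "block all".
pass in on $int_if inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv, unreach, toobig, echoreq, echorep, routersol, routeradv }
```

Load it with `pfctl -nf` first to syntax-check before `pfctl -f`; the type names are the ones pf.conf(5) uses, which is also where the names in feld's list come from.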