Bacula-users

Re: [Bacula-users] Failed backup: Network send error to SD. Broken Pipe

2008-06-10 03:50:10
Subject: Re: [Bacula-users] Failed backup: Network send error to SD. Broken Pipe
From: Christian Nolte <ch.nolte AT noltec DOT org>
To: Alan Brown <ajb2 AT mssl.ucl.ac DOT uk>
Date: Tue, 10 Jun 2008 09:48:56 +0200

Alan Brown wrote:
> On Sat, 7 Jun 2008, Christian Nolte wrote:
> 
>>>> Strato is not filtering any ICMP traffic on this machine.
>>> Yes, but what about on their border routers?
>>>
>> I have asked them about ICMP filtering and they said that they are not
>> doing any kind of ICMP filtering. I did not, however, ask them about the
>> border routers. I will do that on monday.
>>
>> Let's say they are doing ICMP filtering. What implication would that
>> have on my bacula configuration? Would that mean that it is impossible
>> to use bacula in such a scenario?
> 
> ICMP is a traffic control protocol. The problem with blanket ICMP
> filtering is that it breaks path MTU discovery algorithms and other
> control mechanisms aimed at throttling congested networks.
> 
> If they are blocking all ICMP at the border router then you can solve the
> problem on Linux boxes with the following commands at BOTH ends
> 
> echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc
> 
> Note that this will mess up connections to systems which do use path MTU
> discovery, by forcing the use of lowest MTU - this generates a LOT more
> packet overhead.
> 
> 
> This is my observation on ICMP issues. Feel free to quote.
> 
> 
> ICMP filtering is often attempted by inexperienced/naive admins in an
> effort to mitigate DoS attacks. Unfortunately if done incorrectly, such
> filtering can make things significantly WORSE, as ICMP is the traffic
> control protocol for the Internet.
> 
> Bear in mind that blocking inbound traffic as a DoS control measure is not
> effective - the traffic is already saturating your link. Traffic
> throttling must be performed BEFORE it arrives at your border routers.
> 
> If ICMP filtering is required, then consider using the following pointers.
> 
> 1: Preventing participation in "smurf" attacks:
> 
>     Filter ALL traffic to BROADCAST addresses
>     Ensure all systems are configured to NOT respond to ICMP pings on
> broadcast addresses
> 
> 
> 2: Prevention of general ICMP attacks on individual machines:
> 
>   Configure ICMP throttling. This will pass ICMP, but rate limit traffic
> if it exceeds preset levels. All Cisco routers (and most other brands) are
> capable of rate limiting ICMP.
> 
> 3: Security concerns
> 
>   If filtering attempts at network discovery, then consider only
> filtering ICMP ping - but bear in mind there are at least 40 other ways of
> mapping internal networks without using ICMP. If you really want to
> prevent discovery of internal topologies then proper firewalling
> techniques are in order - for both in and outbound traffic - AND make sure
> you are not leaking details via DNS or other means.
> 

Thanks, Alan, for this detailed information. I have tried what you've
suggested on both systems, but unfortunately it had no effect. As I
have already posted in the other mail, the compression seems to be the
problem. Could this nevertheless be related to these ICMP problems?

--
For more than 4 generations the IT Professionals were the guardians
of quality and stability in software. Before the dark times.
Before Microsoft...

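Added example, not part of the original thread: a small audit of an iptables-save style ruleset for the two points made in the quoted advice above, namely whether ICMP "fragmentation needed" (type 3, code 4, which path MTU discovery relies on) is blocked, and whether ping is accepted without a rate limit. The function names and both sample rulesets are constructed for illustration. It only looks at rules carrying "-p icmp", so a conntrack RELATED accept rule earlier in the chain is not taken into account.

```python
import shlex

FRAG_NEEDED = (3, 4)    # "fragmentation needed": path MTU discovery relies on it
ECHO_REQUEST = (8, 0)   # ping
NAMES = {"fragmentation-needed": "3/4", "echo-request": "8"}  # names -> numeric

def _opt(tok, flag):
    return tok[tok.index(flag) + 1] if flag in tok[:-1] else None

def icmp_rules(ruleset, chain="INPUT"):
    """Return the chain's '-p icmp' rules in order (all other rules are ignored)."""
    rules = []
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-A", chain] and _opt(tok, "-p") == "icmp":
            spec = _opt(tok, "--icmp-type")
            rules.append((NAMES.get(spec, spec), "--limit" in tok, _opt(tok, "-j")))
    return rules

def _matches(spec, icmp_type, code):
    if spec in (None, "any"):          # no --icmp-type: rule covers all ICMP
        return True
    t, _, c = spec.partition("/")      # "3" = any code, "3/4" = exact code
    return t.isdigit() and int(t) == icmp_type and (c == "" or int(c) == code)

def verdict(rules, packet, policy="ACCEPT"):
    """First matching terminating rule wins; returns (target, rate_limited).
    Traffic above a limit rule's rate falls through to the rules after it."""
    for spec, limited, target in rules:
        if target in ("ACCEPT", "DROP", "REJECT") and _matches(spec, *packet):
            return target, limited
    return policy, False

def audit(ruleset, chain="INPUT", policy="ACCEPT"):
    rules = icmp_rules(ruleset, chain)
    findings = []
    if verdict(rules, FRAG_NEEDED, policy)[0] != "ACCEPT":
        findings.append("fragmentation-needed is blocked: path MTU discovery breaks")
    target, limited = verdict(rules, ECHO_REQUEST, policy)
    if target == "ACCEPT" and not limited:
        findings.append("echo-request is accepted without a rate limit")
    return findings

# Constructed sample rulesets in iptables-save syntax.
BLANKET = "-A INPUT -p icmp -j DROP"
SELECTIVE = """\
-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 10/sec -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
"""
```

Calling audit(BLANKET) reports the blocked fragmentation-needed message, while audit(SELECTIVE) returns no findings.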
