Educause Security Discussion mailing list archives
Re: Preparing for Default Deny Firewall
From: Jeff Kell <jeff-kell () UTC EDU>
Date: Tue, 1 Feb 2005 13:58:35 -0500
Scholz, Greg wrote:
I am looking at the same situation. Does anyone have a recommendation for ICMP types/codes in general?
You may elect to be more restrictive, but essentially:
remark Secure ICMP (http://www.cymru.com/Documents/icmp-messages.html)
remark Specifically block ICMP fragments
deny icmp any any fragments
remark permit inbound ping
permit icmp any any echo
remark permit inbound ping response
permit icmp any any echo-reply
remark permit Path MTU to function
permit icmp any any packet-too-big
remark permit flow control
permit icmp any any source-quench
remark permit time exceeded messages for traceroute and loops
permit icmp any any time-exceeded
remark And explicitly block all other ICMP packets
deny icmp any any
Jeff
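
An added example, not part of the post above: a small first-match evaluator for the posted ACL, run over constructed ICMP packets to show which messages each entry catches. The keyword-to-type/code mapping follows standard ICMP numbering; the sample packets and the `evaluate` helper are assumptions made for illustration.

```python
# Added illustration: first-match evaluation of the ICMP ACL from the post.
# Keyword -> (ICMP type, code or None for any code), per RFC 792 / RFC 1191.
KEYWORDS = {
    "echo": (8, None),
    "echo-reply": (0, None),
    "packet-too-big": (3, 4),    # unreachable, fragmentation needed and DF set
    "source-quench": (4, None),
    "time-exceeded": (11, None),
}

# Entries in the order posted: (action, keyword or None for any ICMP, fragments?)
ACL = [
    ("deny", None, True),
    ("permit", "echo", False),
    ("permit", "echo-reply", False),
    ("permit", "packet-too-big", False),
    ("permit", "source-quench", False),
    ("permit", "time-exceeded", False),
    ("deny", None, False),
]

def evaluate(icmp_type, icmp_code=0, frag_offset=0):
    """Return (action, 1-based entry number) of the first matching entry."""
    for number, (action, keyword, fragments) in enumerate(ACL, start=1):
        if fragments:
            # The 'fragments' keyword matches only non-initial fragments.
            if frag_offset != 0:
                return action, number
            continue
        if keyword is None:
            return action, number
        want_type, want_code = KEYWORDS[keyword]
        if icmp_type == want_type and want_code in (None, icmp_code):
            return action, number
    return "deny", None  # implicit deny ending every ACL (not reached here)

# Constructed sample packets: (label, type, code, fragment offset)
SAMPLES = [
    ("echo request", 8, 0, 0),
    ("echo reply", 0, 0, 0),
    ("frag needed (PMTUD)", 3, 4, 0),
    ("port unreachable", 3, 3, 0),
    ("redirect", 5, 1, 0),
    ("ttl exceeded", 11, 0, 0),
    ("non-initial fragment", 8, 0, 185),
]

if __name__ == "__main__":
    for label, t, c, off in SAMPLES:
        print(f"{label:22} type={t:<2} code={c} offset={off:<3} ->", *evaluate(t, c, off))
```

Of the destination-unreachable messages (type 3), only code 4 is permitted; the other codes, such as port unreachable, fall through to the final explicit deny.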