Educause Security Discussion mailing list archives

Re: Preparing for Default Deny Firewall


From: Jeff Kell <jeff-kell () UTC EDU>
Date: Tue, 1 Feb 2005 13:58:35 -0500

Scholz, Greg wrote:
I am looking at the same situation.  Does anyone have a recommendation
for ICMP types/codes in general?

You may elect to be more restrictive, but essentially:

   remark Secure ICMP (http://www.cymru.com/Documents/icmp-messages.html)
   remark Specifically block ICMP fragments
   deny   icmp any any fragments
   remark  permit inbound ping
   permit icmp any any echo
   remark  permit inbound ping response
   permit icmp any any echo-reply
   remark  permit Path MTU to function
   permit icmp any any packet-too-big
   remark  permit flow control
   permit icmp any any source-quench
   remark  permit time exceeded messages for traceroute and loops
   permit icmp any any time-exceeded
   remark And explicitly block all other ICMP packets
   deny   icmp any any

Jeff
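To make the ordering of that ACL concrete, here is a small first-match evaluator, added as an illustration and not part of Jeff's post or any vendor code. It translates the posted lines into rule objects in the same order, parses the fields a firewall decides on (IPv4 fragment offset, ICMP type and code) out of constructed sample datagrams, and returns which rule fires. The non-initial-fragment handling is a deliberately simplified model of the Cisco "fragments" keyword, and the type/code numbers for the ACL keywords are the standard IANA assignments (echo = 8, echo-reply = 0, packet-too-big = type 3 code 4, source-quench = 4, time-exceeded = 11).

```python
"""First-match evaluation of the posted ICMP ACL over constructed sample packets."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    icmp_type: Optional[int] = None   # None matches any ICMP type
    icmp_code: Optional[int] = None   # None matches any ICMP code
    fragments: bool = False           # True: matches only non-initial fragments


# The posted ACL, line by line, in the order it was written.
POLICY: List[Rule] = [
    Rule("deny", fragments=True),     # deny   icmp any any fragments
    Rule("permit", 8),                # permit icmp any any echo
    Rule("permit", 0),                # permit icmp any any echo-reply
    Rule("permit", 3, 4),             # permit icmp any any packet-too-big
    Rule("permit", 4),                # permit icmp any any source-quench
    Rule("permit", 11),               # permit icmp any any time-exceeded
    Rule("deny"),                     # deny   icmp any any
]


@dataclass(frozen=True)
class IcmpPacket:
    non_initial_fragment: bool
    icmp_type: Optional[int]          # None when the fragment carries no ICMP header
    icmp_code: Optional[int]


def parse_ipv4_icmp(raw: bytes) -> IcmpPacket:
    """Extract the fields the ACL decides on from an IPv4 datagram carrying ICMP."""
    if len(raw) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _tos, _tot_len, _ident, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", raw[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if proto != 1:
        raise ValueError("not ICMP")
    ihl = (ver_ihl & 0x0F) * 4
    frag_offset = flags_frag & 0x1FFF
    if frag_offset != 0:
        # Non-initial fragment: the ICMP header travelled in the first fragment,
        # so there is no type/code here to match on.
        return IcmpPacket(True, None, None)
    payload = raw[ihl:]
    if len(payload) < 4:
        raise ValueError("truncated ICMP header")
    return IcmpPacket(False, payload[0], payload[1])


def evaluate(pkt: IcmpPacket, policy: List[Rule] = POLICY) -> Tuple[str, int]:
    """First-match evaluation; returns (action, index of the rule that matched)."""
    for i, rule in enumerate(policy):
        if rule.fragments:
            if pkt.non_initial_fragment:
                return rule.action, i
            continue
        if pkt.non_initial_fragment:
            # Simplified model: a non-initial fragment has no type/code, so only
            # rules that name neither can match it.
            if rule.icmp_type is None and rule.icmp_code is None:
                return rule.action, i
            continue
        if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
            continue
        if rule.icmp_code is not None and rule.icmp_code != pkt.icmp_code:
            continue
        return rule.action, i
    return "deny", -1   # implicit deny that ends every Cisco ACL


def build_ipv4_icmp(icmp_type: int, icmp_code: int, frag_offset: int = 0) -> bytes:
    """Constructed sample datagram; checksums are left zero since they play no part in the decision."""
    payload = bytes([icmp_type, icmp_code, 0, 0]) + b"\x00" * 4
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         frag_offset & 0x1FFF, 64, 1, 0, bytes(4), bytes(4))
    return header + payload


def decide(icmp_type: int, icmp_code: int, frag_offset: int = 0) -> Tuple[str, int]:
    """Convenience wrapper: build, parse and evaluate one constructed packet."""
    return evaluate(parse_ipv4_icmp(build_ipv4_icmp(icmp_type, icmp_code, frag_offset)))


if __name__ == "__main__":
    for label, args in [("echo", (8, 0)), ("port unreachable", (3, 3)),
                        ("packet-too-big", (3, 4)), ("fragmented echo", (8, 0, 185))]:
        print(f"{label:18s} -> {decide(*args)}")
```

Running it shows the point a reviewer would check on such a list: a plain echo request is permitted by rule 1, a port-unreachable (type 3, code 3) falls through to the final deny because only code 4 of type 3 is permitted, and a non-initial fragment of an echo request is dropped by rule 0 before the echo permit is ever consulted.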

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
