Firewall Wizards mailing list archives
Re: ICMP Packets.
From: Bennett Todd <bet () rahul net>
Date: Thu, 4 Jun 1998 05:56:48 -0700
1998-06-03-16:20:28 Perry E. Metzger:
I'm a firewall fascist -- I build the things to permit only those things I *know* to be needed, but ICMP is on that list. It makes sense to block perhaps certain ICMP messages, but not *all* ICMP.
Does it make more sense to block certain ICMP messages, or to permit certain ones? From what I've heard so far, you want to permit incoming ``whatever unreachables'', and you want to allow incoming ``must fragment'' if any server in your DMZ is attempting path MTU discovery. What else screws you up if you drop it? And is there any ICMP that you urgently need to allow out? What are the message types you need to pass to not be a good site for SYN attacks to forge from? -Bennett
Current thread:
- Re: ICMP Packets., (continued)
- Re: ICMP Packets. tqbf (Jun 02)
- Re: ICMP Packets. Darren Reed (Jun 03)
- Re: ICMP Packets. Don Kendrick (Jun 02)
- Re: ICMP Packets. Perry E. Metzger (Jun 02)
- Re: ICMP Packets. Alec Muffett - SunLabs (Jun 02)
- Re: ICMP Packets. James R Grinter (Jun 02)
- Re: ICMP Packets. Henry Hertz Hobbit (Jun 03)
- Re: ICMP Packets. Don Kendrick (Jun 02)
- Re: ICMP Packets. Perry E. Metzger (Jun 02)
- Re: ICMP Packets. Perry E. Metzger (Jun 03)
- Re: ICMP Packets. Bennett Todd (Jun 04)
- Re: ICMP Packets. Paul D. Robertson (Jun 05)
- Re: ICMP Packets. Don Kendrick (Jun 02)
- Re: ICMP Packets. Perry E. Metzger (Jun 03)
- Re: ICMP Packets. matthew green (Jun 04)
- Re: ICMP Packets. Bennett Todd (Jun 04)
- Re: ICMP Packets. Darren Reed (Jun 05)
- Re: ICMP Packets. tqbf (Jun 07)
- Re: ICMP Packets. Darren Reed (Jun 07)
- Re: ICMP Packets. blast (Jun 08)
- Re: ICMP Packets. Aleph One (Jun 09)
- Re: ICMP Packets. Perry E. Metzger (Jun 03)
- Re: ICMP Packets. tqbf (Jun 02)