Firewall Wizards mailing list archives

Re: ICMP Packets.


From: tqbf () pobox com
Date: Sat, 6 Jun 1998 03:33:33 -0500 (CDT)

        It hit me two minutes after I clicked on send that I hadn't worded 
     my previous email correctly.  Hadn't had enough caffeine yet.  :(

        We allow *outbound*:

Sorry, didn't see this message until later in my mail spool.

     - echo (type 8/code 0)
     - parameter-problem (12/[0|1])
     - source-quench (4/0)
     - ttl-exceeded (11/[0|1])

        and deny all other ICMP outbound.

        Inbound we allow all ICMP.

This seems like a poor policy to me. By allowing arbitrary inbound ICMP
(and restricting ICMP transactions based on outbound responses) you open
yourself to whatever attacks may exist due to buggy implementations
mishandling messages --- a good filter design should shield you from any
potential sources of bugs on your internal machines.

If you want to allow internal hosts to ping outbound, filter inbound echo
requests and allow them outbound. If you want to be paranoid, filter
outbound echo reply messages, too. Admittedly, the only way to stop
traceroute from working is to filter the outbound TTL exceeded messages,
but you're not doing that here (perhaps your policy allows traceroutes).

-----------------------------------------------------------------------------
Thomas H. Ptacek          The Company Formerly Known As Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.pobox.com/~tqbf       "If you're so special, why aren't you dead?"
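As an added example (not code from the thread or from either poster), the following Python models the two ICMP policies discussed above as direction-aware allow-lists and runs constructed ICMP messages through them, so the difference between "allow all inbound ICMP" and a default-deny inbound filter is visible on actual type/code values. The ICMP header layout and checksum are from RFC 792; everything else is an assumption of this example: the quoted policy is transcribed from the list above, and the "paranoid" policy follows the reply (inbound echo requests dropped, outbound TTL-exceeded left alone) with one inbound allow-list added here as an assumption, namely echo reply and time-exceeded, so that outbound ping and traceroute still get their answers. The sample traffic is constructed, not captured.

```python
"""Model ICMP type/code filtering policies and evaluate constructed messages."""
import struct

# ICMP message types from RFC 792 (the ones named in the thread, plus timestamp).
ECHO_REPLY = 0
DEST_UNREACH = 3
SOURCE_QUENCH = 4
ECHO_REQUEST = 8
TIME_EXCEEDED = 11
PARAM_PROBLEM = 12
TIMESTAMP_REQUEST = 13

ANY = None  # wildcard for the code field in a rule


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4,
               payload: bytes = b"") -> bytes:
    """Build a raw ICMP message (8-byte header + payload) with a valid checksum."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload


def parse_icmp(msg: bytes):
    """Return (type, code, checksum_ok); refuse anything shorter than the header."""
    if len(msg) < 8:
        raise ValueError("ICMP header is 8 bytes; got %d" % len(msg))
    icmp_type, code, _csum = struct.unpack("!BBH", msg[:4])
    # Summing a message that already carries its checksum folds to 0xFFFF,
    # so the complemented result is 0 exactly when the checksum is right.
    return icmp_type, code, icmp_checksum(msg) == 0


class IcmpPolicy:
    """Per-direction allow-list of (type, code); anything not listed is dropped.
    The string "all" in a direction means no filtering in that direction."""

    def __init__(self, name, outbound, inbound):
        self.name = name
        self.rules = {"out": outbound, "in": inbound}

    def allows(self, direction, icmp_type, code):
        rules = self.rules[direction]
        if rules == "all":
            return True
        return (icmp_type, code) in rules or (icmp_type, ANY) in rules


# The policy quoted in the thread: a short outbound list, everything inbound.
QUOTED_POLICY = IcmpPolicy(
    "quoted",
    outbound={(ECHO_REQUEST, 0), (PARAM_PROBLEM, 0), (PARAM_PROBLEM, 1),
              (SOURCE_QUENCH, 0), (TIME_EXCEEDED, 0), (TIME_EXCEEDED, 1)},
    inbound="all",
)

# The reply's advice: keep the outbound list, drop inbound echo requests, leave
# outbound TTL-exceeded so traceroute still works.  Assumption of this example:
# inbound is default-deny with only the replies outbound ping/traceroute need.
PARANOID_POLICY = IcmpPolicy(
    "paranoid",
    outbound=QUOTED_POLICY.rules["out"],
    inbound={(ECHO_REPLY, 0), (TIME_EXCEEDED, ANY)},
)


def verdict(policy, direction, msg: bytes) -> str:
    """Parse one raw ICMP message and say what the policy does with it."""
    try:
        icmp_type, code, ok = parse_icmp(msg)
    except ValueError:
        return "drop:malformed"
    if not ok:
        return "drop:bad-checksum"
    return "accept" if policy.allows(direction, icmp_type, code) else "drop:policy"


# Constructed sample traffic (direction, raw message), not a capture.
SAMPLE_TRAFFIC = [
    ("in", build_icmp(ECHO_REQUEST, 0, payload=b"ping from outside")),
    ("in", build_icmp(ECHO_REPLY, 0, payload=b"answer to our own ping")),
    ("in", build_icmp(TIME_EXCEEDED, 0)),            # traceroute hop answer
    ("in", build_icmp(TIMESTAMP_REQUEST, 0)),        # nothing inside needs this
    ("out", build_icmp(ECHO_REPLY, 0)),              # answering an outside ping
    ("out", build_icmp(TIME_EXCEEDED, 0)),           # lets traceroute see us
]


def run(policy, traffic=SAMPLE_TRAFFIC):
    """Verdict for each sample message under the given policy."""
    return [verdict(policy, direction, msg) for direction, msg in traffic]


if __name__ == "__main__":
    for policy in (QUOTED_POLICY, PARANOID_POLICY):
        print(policy.name, run(policy))
```

The inbound timestamp request is the case the reply is warning about: under the quoted policy it reaches an internal host, whose handling of it the firewall cannot vouch for; under a default-deny inbound list it never gets there, while ping replies and traceroute answers still pass.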
