Firewall Wizards mailing list archives

Re: ICMP Packets.uy


From: tqbf () pobox com
Date: Sat, 6 Jun 1998 03:29:25 -0500 (CDT)

     Inbound Allow:
     
     - echo (type 8/code 0)
     - parameter-problem (12/[0|1])
     - source-quench (4/0)
     - ttl-exceeded (11/[0|1])
     
     Deny all other inbound ICMP.

I don't understand this at all. You're allowing ECHO and, presumably,
outbound TTL-EXCEEDED messages, which are the most obvious avenues for
information gathering attacks, but not allowing arbitrary unreachable
messages (thus breaking path MTU). 

Additionally, why are you allowing parameter-problem messages? Are you 
allowing your filter to pass packets with IP options? Why?

-----------------------------------------------------------------------------
Thomas H. Ptacek          The Company Formerly Known As Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.pobox.com/~tqbf       "If you're so special, why aren't you dead?"
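As an added illustration of the point about path MTU discovery (not part of the original thread), the small Python script below parses an allow-list written in the thread's "name (type N/code M)" notation, evaluates it with the stated default deny, and checks whether the ICMP message that path MTU discovery depends on (Destination Unreachable, type 3, code 4, Fragmentation Needed) gets through. The sample policy is the one quoted above; the "fragmentation-needed" rule name used to show the corrected list is an assumed label.

```python
import re
from typing import Dict, Set

# Constructed sample input: the inbound allow-list quoted in the post.
QUOTED_POLICY = """
- echo (type 8/code 0)
- parameter-problem (12/[0|1])
- source-quench (4/0)
- ttl-exceeded (11/[0|1])
"""

# Matches "(type 8/code 0)", "(12/[0|1])" and "(4/0)".
RULE_RE = re.compile(
    r"\(\s*(?:type\s*)?(\d+)\s*/\s*(?:code\s*)?(\[[\d|]+\]|\d+)\s*\)"
)


def parse_policy(text: str) -> Dict[int, Set[int]]:
    """Return {icmp_type: {allowed codes}} for every rule found in text."""
    allowed: Dict[int, Set[int]] = {}
    for m in RULE_RE.finditer(text):
        icmp_type = int(m.group(1))
        codes = m.group(2).strip("[]").split("|")
        allowed.setdefault(icmp_type, set()).update(int(c) for c in codes)
    return allowed


def is_allowed(policy: Dict[int, Set[int]], icmp_type: int, icmp_code: int) -> bool:
    """Default deny: any type/code not listed is dropped, as the quoted policy says."""
    return icmp_code in policy.get(icmp_type, set())


def pmtud_possible(policy: Dict[int, Set[int]]) -> bool:
    """Path MTU discovery (RFC 1191) only works if inbound Destination
    Unreachable / Fragmentation Needed (type 3, code 4) reaches the sender."""
    return is_allowed(policy, 3, 4)


if __name__ == "__main__":
    policy = parse_policy(QUOTED_POLICY)
    print("echo request allowed:", is_allowed(policy, 8, 0))   # True
    print("PMTUD possible:", pmtud_possible(policy))          # False
    # Assumed rule name, in the same notation, for the corrected list.
    fixed = parse_policy(QUOTED_POLICY + "- fragmentation-needed (3/4)\n")
    print("PMTUD possible after fix:", pmtud_possible(fixed))  # True
```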
