Firewall Wizards mailing list archives

Re: ICMP blocking on PIX 4.4.1


From: Adam Olson <adamo () quaartz com>
Date: Tue, 25 Apr 2000 10:13:59 -0700 (PDT)


  I've configured my upstream router to permit outbound icmp echos on the
serial interface and to permit inbound icmp ttl-exceeded/echo-replies on
the same int....

  Couldn't you add ACL rules on the PIX to do the same thing
without opening yourself up to this type of DoS?  You'd be using source and
destination IPs to determine what's inbound and outbound...the only rule
that I'd be concerned about is permitting icmp echos from internal_ip
destined to any, but this wouldn't be a problem provided ingress filtering
has been applied.

  Let me know :)

  Adam


On Fri, 21 Apr 2000, Bill Pennington wrote:

I have the same issue. What I do is turn on ICMP when I need to do
traceroutes or pings. Kinda inconvenient. I actually find I do not need
to perform a lot of traceroutes/pings when it requires a lot more effort
to do so :-)

phred () pacificwest com wrote:

Yesterday our site underwent a Smurf attack which we quickly stopped by blocking ICMP traffic through the firewall.
I have a need to perform traceroutes from inside to the outside through the PIX firewall (v4.4.1). Is there a way
to allow ping and traceroute from inside to outside and still defend against smurf-like attacks?


-- 


Bill Pennington
Senior IT Manager
Rocketcash
billp () rocketcash com
http://www.rocketcash.com
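To make Adam's suggestion concrete, here is a small first-match packet filter that models the rule set the thread converges on: inside hosts may send echo requests (and UDP traceroute probes) out, only the answers (echo-reply, time-exceeded, and, for classic Unix traceroute, port-unreachable) come back in, spoofed traffic is dropped on both interfaces, and nothing addressed to the directed broadcast is accepted, so the site cannot be used as a smurf amplifier. This is an added illustration written for this page, not PIX configuration or code from any of the posters; the addresses (192.0.2.0/24 as "internal_ip", 198.51.100.x and 203.0.113.x as outside hosts), the sample packets, and the rule order are all constructed. It goes beyond the two ICMP types Adam lists by also permitting destination-unreachable inbound and UDP probes outbound, which Unix traceroute needs; Windows tracert uses echo requests and is covered by the echo rules alone.

```python
"""First-match packet filter modelling the ICMP rule set discussed in the thread.
Constructed example: the networks, packets and rule order are assumptions, not PIX config."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# ICMP type numbers from RFC 792
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11

# Assumed internal block (RFC 5737 documentation range); "internal_ip" in the thread.
INSIDE_NET = ip_network("192.0.2.0/24")
INSIDE_BCAST = ip_network(f"{INSIDE_NET.broadcast_address}/32")  # smurf amplification target
ANY = ip_network("0.0.0.0/0")
TRACEROUTE_PORTS = range(33434, 33535)  # UDP ports classic Unix traceroute probes


@dataclass(frozen=True)
class Packet:
    iface: str                      # interface the packet ARRIVES on: "inside" or "outside"
    src: str
    dst: str
    proto: str                      # "icmp" or "udp"
    icmp_type: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    iface: str
    proto: str                      # "icmp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    action: str                     # "permit" or "deny"
    icmp_type: Optional[int] = None  # None matches any ICMP type
    dports: Optional[range] = None   # None matches any destination port
    note: str = ""

    def matches(self, p: Packet) -> bool:
        if self.iface != p.iface or self.proto not in ("any", p.proto):
            return False
        if ip_address(p.src) not in self.src or ip_address(p.dst) not in self.dst:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        if self.dports is not None and (p.dport is None or p.dport not in self.dports):
            return False
        return True


# Order matters: the two deny rules must sit above the inbound permits, otherwise a
# spoofed echo-reply with one of our own source addresses would be let in by rule 5.
RULES = [
    # 1. Ingress filtering: our addresses never legitimately arrive from outside.
    Rule("outside", "any", INSIDE_NET, ANY, "deny", note="ingress anti-spoof"),
    # 2. Never be a smurf amplifier: drop anything aimed at the directed broadcast.
    Rule("outside", "any", ANY, INSIDE_BCAST, "deny", note="no directed broadcast"),
    # 3. Echo out only when the source really is ours (egress anti-spoof, implicit deny otherwise).
    Rule("inside", "icmp", INSIDE_NET, ANY, "permit", icmp_type=ECHO_REQUEST, note="ping out"),
    # 4. Unix traceroute sends UDP probes to high ports; Windows tracert is covered by rule 3.
    Rule("inside", "udp", INSIDE_NET, ANY, "permit", dports=TRACEROUTE_PORTS, note="traceroute probes"),
    # 5-7. Only the answers come back in: echo-reply, time-exceeded, port-unreachable.
    Rule("outside", "icmp", ANY, INSIDE_NET, "permit", icmp_type=ECHO_REPLY, note="ping answers"),
    Rule("outside", "icmp", ANY, INSIDE_NET, "permit", icmp_type=TIME_EXCEEDED, note="traceroute hops"),
    Rule("outside", "icmp", ANY, INSIDE_NET, "permit", icmp_type=DEST_UNREACH, note="traceroute last hop"),
]


def evaluate(pkt: Packet, rules=RULES) -> str:
    """First matching rule wins; no match falls through to the implicit deny."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return "deny"


# Constructed traffic: 192.0.2.0/24 is inside, 198.51.100.x and 203.0.113.x are outside hosts.
SAMPLE = {
    "ping out":            Packet("inside",  "192.0.2.10",   "198.51.100.1", "icmp", icmp_type=ECHO_REQUEST),
    "ping answer":         Packet("outside", "198.51.100.1", "192.0.2.10",   "icmp", icmp_type=ECHO_REPLY),
    "traceroute probe":    Packet("inside",  "192.0.2.10",   "198.51.100.1", "udp",  dport=33434),
    "hop ttl-exceeded":    Packet("outside", "203.0.113.1",  "192.0.2.10",   "icmp", icmp_type=TIME_EXCEEDED),
    "last-hop unreach":    Packet("outside", "198.51.100.1", "192.0.2.10",   "icmp", icmp_type=DEST_UNREACH),
    "smurf amplify":       Packet("outside", "203.0.113.9",  "192.0.2.255",  "icmp", icmp_type=ECHO_REQUEST),
    "spoofed inside src":  Packet("outside", "192.0.2.10",   "192.0.2.20",   "icmp", icmp_type=ECHO_REPLY),
    "unsolicited ping in": Packet("outside", "203.0.113.9",  "192.0.2.10",   "icmp", icmp_type=ECHO_REQUEST),
    "spoofed egress":      Packet("inside",  "10.9.9.9",     "198.51.100.1", "icmp", icmp_type=ECHO_REQUEST),
}


def evaluate_all(packets=SAMPLE) -> dict:
    return {name: evaluate(p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:20s} -> {verdict}")
```

The model only captures first-match, implicit-deny semantics; on a PIX of that era the inbound permits were written as conduit lines and ICMP was not tracked statefully, which is why the echo-reply and time-exceeded holes have to be explicit. The caveat Bill's reply points at is also visible here: if the site is the smurf *victim* rather than the amplifier, the flood arrives as echo-replies addressed to inside hosts, which rule 5 permits by design. Source/destination filtering stops the site from being abused as a reflector and keeps spoofed packets out, but it cannot distinguish reflected replies from legitimate ones, so during an active attack the reply rule still has to be pulled or rate-limited upstream.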