Re: blocking icmp type 3

[Patrick Darden <darden () armc org>]

For small networks (/27 and smaller, non ARIN assigned nets) you don't
need any ICMP at all.  We allow specific icmp to/from one host on my DMZ
for diagnostic purposes (traceroutes, etc.)  but otherwise we shut it
down.  We allow no icmp at all between our dmz and internal nets.


-- 
--
--Patrick Darden                Internetworking Manager             
--                              706.354.3312    darden () armc org
--                              Athens Regional Medical Center


On Fri, 25 Aug 2000, Jan Stifter wrote:

> hi gurus,
> recently, i blocked on a firewall box (3 ethernet interfaces, one to
> provider, one for private ip's, one for official) icmp almost
> completely.
>
> i allowed only incoming and outgoing icmp type 3 code 4
> (fragmentation-needed), due to a paper describing the importance of
> this type of icmp-message (www.worldgate.com/~marcs/mtu/)
>
> it happened then, that there were "hangers" in the network, so that
> people from inside could not reach a site outside immediately.
>
> can anyone explain to me, what other icmp types i should allow to
> avoid any networking problems? if possible, i would like to block as
> many icmp types as possible.
>
> many thanks in advance
>
> jan
>
> ---
> Jan Stifter
> http://www.medres.ch/~jstifter/
>
> _______________________________________________
> Firewall-wizards mailing list
> Firewall-wizards () nfr net
> http://www.nfr.net/mailman/listinfo/firewall-wizards



_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards