Firewall Wizards mailing list archives
Re: Blocking ICMP with ipchains
From: Mikael Olsson <mikael.olsson () enternet se>
Date: Fri, 14 Jan 2000 14:16:10 +0100
wwebb () adni net wrote:
I've heard that it is not wise to block all ICMP operations. Such being the case, which of these ICMP operations are safe to block without causing serious problems:
We have two separate problems here. IN or OUTgoing. Unusually enough, RECEIVING ICMP errors is safer than SENDING them, due to "firewalking", a process of discovering which IP addresses are hidden behind a NAT device, such as a firewall.
                                     Safe to allow
echo-reply (pong)                    Safe In, Safe Out
destination-unreachable
  network-unreachable                In
  host-unreachable                   In
  protocol-unreachable               In
  port-unreachable                   In
  fragmentation-needed               In
  source-route-failed
  network-unknown
  host-unknown
  network-prohibited                 In
  host-prohibited                    In
  TOS-network-unreachable
  TOS-host-unreachable
  communication-prohibited           In
  host-precedence-violation
  precedence-cutoff
source-quench
redirect
  network-redirect
  host-redirect
  TOS-network-redirect
  TOS-host-redirect
echo-request (ping)                  In, Out
router-advertisement
router-solicitation
time-exceeded (ttl-exceeded)
  ttl-zero-during-transit            In
  ttl-zero-during-reassembly
parameter-problem
  ip-header-bad
  required-option-missing
timestamp-request
timestamp-reply
address-mask-request
address-mask-reply
Allowing pingreqs to your inside depends on your security policy. It might help hackers in finding what machines are "up", but it might also help people do legitimate things. A lot of people choose to disallow inbound pingreqs.

The reason you often do not wish to allow outbound ICMP errors such as destination unreachable is, as I said, that you'll be leaking protected addresses. If you are not NATing your protected network, this is not an issue.

Some of the codes/types that I've left blank are due to real security hazards (primarily redirect), but others are due to the fact that they're simply not part of normal communications, and the less that you let in, the better.

Hope this helps
/Mike

Oh and BTW: You might hear rumours about trojans communicating over ICMP.... So what? They communicate over DNS and HTTP too, and you're not blocking those, are you? Trojans are better defended against at host level and by having half a brain (IMHO).

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 105 50   Fax: +46 (0)660 122 50   Mobile: +46 (0)70 248 00 33
WWW: http://www.enternet.se   E-mail: mikael.olsson () enternet se
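The In/Out table in the reply above, turned into an ipchains ruleset, as an added example that is not part of the thread and not the poster's own code. It uses ipchains' numeric form, where the ICMP type follows -s and the ICMP code follows -d (the names printed by `ipchains -h icmp` can be substituted), lists echo-request in both directions exactly as the table does, and relies on a final default DENY to catch everything left blank (redirect, source-quench, timestamp, address-mask and the rest). The policy table inside the script is constructed from the post; the script runs in dry-run mode and only prints the commands, so it can be reviewed before being piped to sh on a box that actually has ipchains.

```shell
#!/bin/sh
# Added example: asymmetric ICMP policy for ipchains (dry run, prints commands).
# Policy table constructed from the table in the post: direction, ICMP type,
# ICMP code, name. Inbound errors are accepted; outbound errors are not, so
# a NATing firewall does not leak protected addresses. Not listed = denied.
icmp_policy() {
cat <<'EOF'
in  0  0  echo-reply
out 0  0  echo-reply
in  3  0  network-unreachable
in  3  1  host-unreachable
in  3  2  protocol-unreachable
in  3  3  port-unreachable
in  3  4  fragmentation-needed
in  3  9  network-prohibited
in  3  10 host-prohibited
in  3  13 communication-prohibited
in  8  0  echo-request
out 8  0  echo-request
in  11 0  ttl-zero-during-transit
EOF
}

# Emit one ACCEPT rule per policy line. With ipchains the ICMP type is given
# as the "port" after -s and the ICMP code as the "port" after -d.
# The two trailing DENY rules are the default for every other type/code.
gen_rules() {
  icmp_policy | while read -r dir type code name; do
    case "$dir" in
      in)  chain=input ;;
      out) chain=output ;;
      *)   echo "bad direction: $dir" >&2; continue ;;
    esac
    printf 'ipchains -A %s -p icmp -s 0/0 %s -d 0/0 %s -j ACCEPT   # %s\n' \
      "$chain" "$type" "$code" "$name"
  done
  echo 'ipchains -A input  -p icmp -j DENY'
  echo 'ipchains -A output -p icmp -j DENY'
}

# First-match verdict for one packet, mirroring how the generated chain would
# treat it: icmp_verdict <in|out> <type> <code> prints ACCEPT or DENY.
icmp_verdict() {
  verdict=$(icmp_policy | awk -v d="$1" -v t="$2" -v c="$3" \
    '$1 == d && $2 == t && $3 == c { print "ACCEPT"; exit }')
  echo "${verdict:-DENY}"
}

# Dry run: show the ruleset, then a few spot checks.
gen_rules
echo "inbound  port-unreachable: $(icmp_verdict in  3 3)"   # ACCEPT
echo "outbound port-unreachable: $(icmp_verdict out 3 3)"   # DENY
echo "inbound  host-redirect:    $(icmp_verdict in  5 1)"   # DENY
```

To install the rules for real, run `gen_rules | sh` as root on the ipchains host; the trailing `# name` on each line is a shell comment and is ignored. Note that a first-match check like `icmp_verdict` only reflects the rules this script adds, not whatever already sits in the input and output chains ahead of them.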
Current thread:
- Blocking ICMP with ipchains wwebb (Jan 13)
- Re: Blocking ICMP with ipchains Mikael Olsson (Jan 15)
- Re: Blocking ICMP with ipchains Carric Dooley (Jan 16)
- <Possible follow-ups>
- RE: Blocking ICMP with ipchains peter . schawacker (Jan 16)
- RE: Blocking ICMP with ipchains Ryan Russell (Jan 17)
- Re: Blocking ICMP with ipchains Steven M. Bellovin (Jan 17)
- RE: Blocking ICMP with ipchains Richard . Smyth (Jan 17)
- RE: Blocking ICMP with ipchains Staggs, Michael (Jan 18)