Firewall Wizards mailing list archives

Re: ICMP blocking on PIX .4.4.1


From: lk-m-wizards () bigears solsoft com (Lorens Kockum)
Date: 9 May 2000 08:11:43 -0000

On firewall-wizards GibsonB () gruntal com wrote:

> I don't agree with this. ICMP is an invaluable tool for diagnostics.  If you
> shut it down then you are limiting your ability to troubleshoot problems.

Agreed.

> What you want to do is allow ICMP to go out but not to come in.  Ideally
> what you want to do is allow certain types of ICMP out (i.e. Echo requests) and
> only certain types of ICMP to come in (i.e. Echo Reply, Time exceeded,
> unreachable).  This is not easily done in a router.

I find it extremely easy. YMMV.

What /is/ difficult, well, what is impossible without a stateful
engine on your filtering device, is blocking, say, incoming ICMP
packets that do not correspond to an actual session.

The same thing applies to connected and to connectionless
protocols, actually ... the difference being that routers today
recognize the TCP established bits and can thus control who
initiates the connection.  To do that with a connectionless
protocol such as, say, outgoing UDP DNS requests from any port,
needs a stateful filtering engine.
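The distinction drawn above, that a stateless ACL can admit inbound ICMP by type but only a stateful engine can tie an echo reply, unreachable or time-exceeded to a session the inside actually opened, as an added Python illustration (not code from the thread or from the PIX). Packets are constructed dicts rather than parsed headers, and the type numbers are the RFC 792 values.

```python
from dataclasses import dataclass, field

# ICMP type numbers (RFC 792)
ECHO_REPLY, UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
ALLOWED_IN = {ECHO_REPLY, UNREACHABLE, TIME_EXCEEDED}   # the stateless "by type" list


@dataclass
class StatefulIcmpFilter:
    """Admit inbound ICMP only when it answers traffic the inside sent."""
    pings: set = field(default_factory=set)   # (src, dst, id, seq) of echo requests sent out
    flows: set = field(default_factory=set)   # (proto, src, sport, dst, dport) of UDP/TCP sent out

    def outbound(self, pkt):
        """Record session state for a packet leaving the inside (always allowed here)."""
        if pkt["proto"] == "icmp":
            if pkt["type"] == ECHO_REQUEST:
                self.pings.add((pkt["src"], pkt["dst"], pkt["id"], pkt["seq"]))
        else:
            self.flows.add((pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
        return True

    def inbound(self, pkt):
        """Return True only for an inbound ICMP packet that matches recorded state."""
        if pkt["proto"] != "icmp" or pkt["type"] not in ALLOWED_IN:
            return False                      # e.g. an inbound echo request
        if pkt["type"] == ECHO_REPLY:
            # A reply comes back with src/dst swapped and the same id/seq as the request
            key = (pkt["dst"], pkt["src"], pkt["id"], pkt["seq"])
            if key not in self.pings:
                return False                  # reply to a ping we never sent
            self.pings.discard(key)           # one reply per request, no replays
            return True
        # Unreachable / time exceeded quote the header of the datagram that triggered them
        inner = pkt["inner"]
        if inner["proto"] == "icmp":
            return (inner["src"], inner["dst"], inner["id"], inner["seq"]) in self.pings
        return (inner["proto"], inner["src"], inner["sport"], inner["dst"], inner["dport"]) in self.flows
```

Without the `pings`/`flows` tables the filter collapses to the stateless "by type" rule, which is exactly what lets an unsolicited reply or error through.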
