Educause Security Discussion mailing list archives

Re: ICMP blocking

From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Fri, 8 Dec 2006 06:24:45 +1300

Gary Dobbins wrote:
Quick survey:  Who's blocking ICMP subsets (like echo requests,
traceroutes) at their borders?  Who's not?  Strong feelings about why
in either case?

We block incoming ICMP on the firewall up front, but we then allow
pings to hosts that have ports open outbound through the firewall, and the
state stuff handles the unreachables and incoming legit echo requests.
We can do this since all our firewall data is stored in a database and
it is trivial to make up a list of all machines that are listening on
the 'Net.  As I see it this gives us the best of both worlds.
Diagnostics work to machines that are visible on the 'Net, but you can't
easily enumerate stuff behind the firewall.

One unintended consequence of the firewall is that UDP traceroutes are
blocked unless the address has a UDP port open and you select that
port to traceroute on.  This is a bit of a pain sometimes and I have
thought of opening a single high-numbered UDP port for those machines in
the <ping> table.  Then those in the know could get traceroutes.

Russell
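As an added illustration (not part of Russell's post or his firewall), the following Python generator turns a constructed copy of the host/port database into iptables rules following the policy he describes: ICMP blocked up front, echo requests allowed only to hosts that already have a port open to the 'Net, state handling for the error messages, and the optional single UDP port for traceroute. The addresses, the ping_table helper and the port 33434 are assumptions.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for the firewall database: host -> ports it has
# open inbound through the firewall. A host with no entries is not
# visible on the 'Net and therefore should not answer pings either.
HOST_DB: Dict[str, Set[Tuple[str, int]]] = {
    "192.0.2.10": {("tcp", 80), ("tcp", 443)},   # public web server
    "192.0.2.20": {("udp", 53)},                 # public DNS server
    "192.0.2.30": set(),                         # internal-only host
}


def ping_table(db: Dict[str, Set[Tuple[str, int]]]) -> List[str]:
    """The <ping> table: every host with at least one port open (assumed name)."""
    return sorted(host for host, ports in db.items() if ports)


def build_rules(db: Dict[str, Set[Tuple[str, int]]],
                traceroute_udp_port: Optional[int] = None) -> List[str]:
    """Return iptables INPUT rules, in evaluation order, for the ICMP policy."""
    rules: List[str] = []
    # Stateful handling first: ICMP errors (unreachable, time-exceeded) and
    # echo replies that belong to a flow the firewall already knows about
    # are accepted for everybody, so outbound diagnostics keep working.
    rules.append("-A INPUT -p icmp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
    for host in ping_table(db):
        # New echo requests only to hosts that are already visible anyway.
        rules.append(f"-A INPUT -d {host} -p icmp --icmp-type echo-request -j ACCEPT")
        if traceroute_udp_port is not None:
            # Optional single high-numbered UDP port so UDP traceroute
            # probes reach the host and it can answer with port-unreachable.
            rules.append(f"-A INPUT -d {host} -p udp --dport {traceroute_udp_port} -j ACCEPT")
    # Everything else inbound ICMP is blocked up front; hosts with nothing
    # listening stay unenumerable from outside.
    rules.append("-A INPUT -p icmp -j DROP")
    return rules


if __name__ == "__main__":
    for rule in build_rules(HOST_DB, traceroute_udp_port=33434):
        print("iptables", rule)
```

The rule order matters: the stateful ACCEPT must precede the final DROP or unreachables for outbound traffic are lost.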
