Educause Security Discussion mailing list archives
Re: ICMP blocking
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Fri, 8 Dec 2006 06:24:45 +1300
Gary Dobbins wrote:
Quick survey: Who's blocking ICMP subsets (like echo requests, traceroutes) at their borders? Who's not? Strong feelings about why in either case?
We block incoming ICMP on the firewall up front, but we then allow pings to hosts that have ports open outbound through the firewall, and the state stuff handles the unreachables and incoming legit echo requests. We can do this since all our firewall data is stored in a database and it is trivial to make up a list of all machines that are listening on the 'Net. As I see it this gives us the best of both worlds. Diagnostics work to machines that are visible on the 'Net, but you can't easily enumerate stuff behind the firewall.

One unintended consequence of the firewall is that UDP traceroutes are blocked unless the address has a UDP port open and you select that port to traceroute on. This is a bit of a pain sometimes, and I have thought of opening a single high-numbered UDP port for those machines in the <ping> table. Then those in the know could get traceroutes.

Russell
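The policy Russell describes (default-drop inbound ICMP, let connection tracking pass the ICMP errors that belong to existing flows, permit echo-request only to hosts that already expose a port, optionally open one UDP port on those hosts for traceroute) can be derived mechanically from the firewall's host table. The following is an added illustration, not code from the list or from the University of Auckland; the host table, the table/chain names and the UDP port 33434 are constructed assumptions, and the output is an nftables ruleset in the style of a border forward chain.

```python
"""Derive an nftables inbound-ICMP policy from a firewall host table."""
from ipaddress import ip_address

# Constructed sample of the "firewall database": host -> ports it may
# accept from the Internet. A host with no entries stays invisible.
HOST_TABLE = {
    "192.0.2.10": [("tcp", 80), ("tcp", 443)],
    "192.0.2.11": [("udp", 53)],
    "192.0.2.12": [],            # internal-only: must not answer pings
    "192.0.2.13": [("tcp", 22)],
}

# Hypothetical choice for the single high UDP port the post proposes
# for traceroute; 33434 is the conventional traceroute base port.
TRACEROUTE_UDP_PORT = 33434


def pingable_hosts(table):
    """The <ping> table: hosts with at least one inbound port open."""
    return sorted((h for h, ports in table.items() if ports), key=ip_address)


def build_ruleset(table, traceroute_port=None):
    """Emit nftables text implementing the policy for the given table."""
    hosts = pingable_hosts(table)
    set_body = "type ipv4_addr;"
    if hosts:                    # nft rejects an empty elements list
        set_body += " elements = { %s };" % ", ".join(hosts)
    lines = [
        "table inet border {",
        "  set ping_ok { %s }" % set_body,
        "  chain fwd {",
        "    type filter hook forward priority 0; policy drop;",
        # ICMP errors (unreachable, time-exceeded) tied to tracked flows
        "    ct state established,related accept",
        # echo-request only toward hosts that are already visible
        "    icmp type echo-request ip daddr @ping_ok accept",
        "    meta l4proto icmp drop",
    ]
    if traceroute_port is not None:
        lines.append("    udp dport %d ip daddr @ping_ok accept" % traceroute_port)
    for h in hosts:              # the published service ports themselves
        for proto, port in table[h]:
            lines.append("    %s dport %d ip daddr %s accept" % (proto, port, h))
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_ruleset(HOST_TABLE, TRACEROUTE_UDP_PORT))
```

Hosts with no open ports never appear in the `ping_ok` set, so an outside scan of the address range learns nothing about them, while ICMP errors for flows the firewall already tracks still come back.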