Firewall Wizards mailing list archives
blocking all ICMP at firewalls
From: Jyri Kaljundi <jk () stallion ee>
Date: Wed, 15 Oct 1997 18:40:36 +0300 (EET DST)
How should ICMP be handled correctly at the firewall? The thing I want to know is, if I block all ICMP at the firewall's external interface, what are the things that will break?

In some places I want to block both all ICMP to the firewall external interface and all ICMP going through the firewall to the internal network. And since that will deny incoming echo-reply also, I think I would deny all outgoing ICMP also. Now what will happen, and is this kind of configuration allowed? How important are ICMP source quench, time exceeded and parameter problem?

In theory, what I think will happen is there will be cases where one side is sending too much information which the other side will not receive (because source quench is not allowed, they cannot tell each other to slow down). And there might be cases where one side is down and we do not get host unreachable in a certain time, but we could live with that; most services can still be manually stopped.

And will I get angry network administrators shouting at me because ICMP should always be allowed on the Internet and I am breaking things?

Jyri Kaljundi
jk () stallion ee
AS Stallion Ltd
http://www.stallion.ee/