Firewall Wizards mailing list archives
Re: blocking all ICMP at firewalls
From: blast <blast () broder com>
Date: Fri, 17 Oct 1997 20:13:54 -0700 (PDT)
On Wed, 15 Oct 1997, Jyri Kaljundi wrote:
How should ICMP be handled correctly at the firewall? The thing I want to know is: if I block all ICMP at the firewall's external interface, what are the things that will break? In some places I want to block both all ICMP to the firewall's external interface and all ICMP going through the firewall to the internal network. And since that will deny incoming echo-reply also, I think I would deny all outgoing ICMP also. Now what will happen, and is this kind of configuration allowed?
ICMP is IP's janitor. Its job is to communicate error messages and other conditions that require attention. You can just blindly block all ICMP and still function, but Layer 3 and Layer 4 performance will be compromised. Below we will explore the issue from a "least privileged" approach.

The minimal set one would want is:

  type 3   dest. unreachable
  type 11  time exceeded

Destination Unreachable & Time Exceeded (3 and 11)
--------------------------------------------------

ICMP has a type and code field you can mess with, but for the most part you will want all of type 3 and type 11 if any type of Layer 3 sanity is to be achieved. I have people telling me all the time that there are parts of type 3 that can be used for denial of service attacks. While this is true to some degree, so can lots of other Layer 3 fields. Allowing type 3 and type 11 will help your IP traffic a lot! Denial of service attacks are issues you manage, not issues you can get rid of.

Tailoring to your Network Administrative needs
----------------------------------------------

You may want to let out 'echo requests' (type 8) and let back in 'echo reply' (type 0). Again, the choice is yours. These risks are low compared to the benefits of having some network tools handy.

At this point you have:

  type 3
  type 11

and type 0 and type 8 are your choice to implement.
How important are ICMP source quench, time exceeded and parameter problem?
L3 Flow Control
---------------

Depending on how complex your networking needs are, you may need to allow type 4 source quench. What qualifies as complex? Well, if you are running any type of bandwidth allocation or resource reservation via some queueing method, you would qualify. Stuff like RED (Random Early Detection) and some Frame-Relay queueing will need (or I should say, like to have) ICMP source quench available. This is Layer 3 flow control and you can take it or leave it.

My choice at this point is that I only allow type 4 between devices within my autonomous system and block this at my borders. Bottom line is that I allow this stuff within networks that I administrate because it is there that I know I will benefit from it. When allowing this traffic to and from the Internet, I only benefit when someone else is using and allowing type 4 traffic. It has not been a very big win, so I just turn it off at the borders.

Here are some other helpful sources:

  RFC 792   Official ICMP spec.
  Chapter 6 of TCP/IP Illustrated Vol. 1, Richard Stevens
  RFC 1349

Good luck,
-blast

Tim Keanini
blast () broder com
"The limits of my language are the limits of my world." --Ludwig Wittgenstein
Key fingerprint = 7B 68 88 41 A8 74 AB EC F0 37 98 4C 37 F7 40 D6
PUB KEY: http://www-swiss.ai.mit.edu/~bal/pks-commands.html
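As an added example, not part of blast's post: a small Python border filter that parses an ICMP header from raw bytes, verifies the RFC 792 checksum, and applies the policy he describes (types 3 and 11 always, echo request out and echo reply in as the admin's choice, type 4 only between addresses inside the local autonomous system, everything else dropped). The address ranges, direction labels and helper names are constructed assumptions.

```python
import struct
from ipaddress import ip_address, ip_network

ALWAYS_ALLOWED = {3, 11}           # dest. unreachable, time exceeded
ECHO_POLICY = {"out": 8, "in": 0}  # echo request outbound, echo reply inbound
SOURCE_QUENCH = 4                  # only within our own AS
# Constructed: prefixes standing in for the networks we administrate.
LOCAL_AS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]

def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp(payload: bytes):
    """Return (type, code); raise ValueError on a short or corrupt message."""
    if len(payload) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    if icmp_checksum(payload) != 0:         # valid message sums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code = struct.unpack("!BB", payload[:2])
    return icmp_type, code

def in_local_as(addr: str) -> bool:
    return any(ip_address(addr) in net for net in LOCAL_AS)

def border_policy(direction: str, src: str, dst: str, payload: bytes) -> bool:
    """True if the ICMP message may cross the border in the given direction."""
    try:
        icmp_type, _code = parse_icmp(payload)
    except ValueError:
        return False                        # malformed: drop, do not guess
    if icmp_type in ALWAYS_ALLOWED:
        return True
    if icmp_type == ECHO_POLICY.get(direction):
        return True
    if icmp_type == SOURCE_QUENCH:
        return in_local_as(src) and in_local_as(dst)
    return False                            # least privilege: default deny

def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4) -> bytes:
    """Constructed test message with a correctly computed checksum."""
    hdr = struct.pack("!BBH", icmp_type, code, 0) + rest
    return hdr[:2] + struct.pack("!H", icmp_checksum(hdr)) + hdr[4:]
```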