Firewall Wizards mailing list archives
Re: ICMP Packets.
From: "Perry E. Metzger" <perry () piermont com>
Date: Tue, 02 Jun 1998 16:00:59 -0400
"Don Kendrick" writes:
> Agreed on the Path MTU stuff in theory, though it really depends what kind of traffic is going between the internal and external nets. For one, I'd rather deny ICMP and suffer some on performance.
Do you understand the actual consequences here? Someone trying to contact you is going to jack up their Path MTU and NOT get an ICMP message back, so their packets to you are going to go into space because they get frag'ed for really *loooong* periods of time until blackhole detection kicks in. Is that REALLY what you want for your network? Detecting the problem is going to be a bitch, too.

If you filter ICMPs, you're also setting yourself up as an ideal network to have its IP addresses forged in someone's SYN flood attack on an innocent third party. No "Unreachable" messages means the poor victim is going to have to keep state for god knows how long while replying to a nonexistent host/port on your LAN. You are guaranteed to provide the bad guys with lots of fun.

I've never understood why blocking ICMP was going to make you more secure in the first place. Lots of ICMP information is very valuable in making protocols run smoothly. Sure, some of it can be dangerous if it is misused, like redirects, but you should know what you are doing, not blindly block the whole protocol.

Perry
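The selective filtering argued for in the message above, as an added example that is not part of the original post: it parses raw ICMP messages, validates the checksum, and permits Destination Unreachable (including the "fragmentation needed" message that Path MTU discovery relies on) while dropping redirects. The function names, the `site-policy` verdict for types the message does not discuss, and the sample packets are assumptions constructed for illustration.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 over a message with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Build a constructed ICMP message with a correct checksum (sample input only)."""
    body = rest + payload
    csum = inet_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body

def classify(msg: bytes):
    """Return (verdict, reason) for one inbound ICMP message at the border."""
    if len(msg) < 8 or inet_checksum(msg) != 0:
        return ("drop", "malformed or bad checksum")
    icmp_type, code = msg[0], msg[1]
    if icmp_type == 3:                       # Destination Unreachable
        if code == 4:                        # fragmentation needed, DF set (RFC 1191)
            mtu = struct.unpack("!H", msg[6:8])[0]
            return ("permit", f"path MTU discovery, next-hop MTU {mtu}")
        return ("permit", "unreachable: lets the sender stop keeping state")
    if icmp_type == 5:                       # Redirect
        return ("drop", "redirect from outside")
    # Assumption: types the message does not discuss are left to local policy.
    return ("site-policy", f"type {icmp_type} not covered here")

# Constructed samples: 28 bytes standing in for the quoted IP header + 8 data bytes.
QUOTED = b"\x45" + b"\x00" * 27
SAMPLES = [
    build_icmp(3, 4, b"\x00\x00" + (1400).to_bytes(2, "big"), QUOTED),  # frag needed
    build_icmp(3, 3, b"\x00" * 4, QUOTED),                              # port unreachable
    build_icmp(5, 1, bytes([192, 0, 2, 1]), QUOTED),                    # host redirect
    build_icmp(8, 0, b"\x12\x34\x00\x01", b"ping"),                     # echo request
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt[0], pkt[1], *classify(pkt))
```

The sketch does not check that the header quoted inside an ICMP error corresponds to a flow the protected network actually has open; a stateful filter would add that check before permitting the message.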