Firewall Wizards mailing list archives

Re: ICMP Packets.


From: Alec Muffett - SunLabs <Alec.Muffett () UK Sun COM>
Date: Tue, 02 Jun 1998 14:29:51 +0100


1) Is there any reason that echo reply would need to be allowed out in
response to an external request? I know this is the case for other ICMP
messages such as packet-too-big, but I am not sure why echo-reply would
ever be needed

Sometimes, if you have your own DNS domain, your NIC will want to ping your 
DNS server at regular intervals to check that it is alive; since the DNS 
server is likely to be inside your perimeter router, this is one possible 
instance where it may be necessary.  I saw this happen with ".com.ru", IIRC.

Nonetheless, as others have said, ban *everything* and then only explicitly 
permit the minimum set of functionality that is required for business function.

        - alec

-- 
    alec muffett, sun microsystems laboratories, alec.muffett @ uk.sun.com
               birds and planes go through the rainbow every day
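The policy the reply describes (default-deny, then permit only the inbound ping to the DNS server, the echo-reply that answers it, and packet-too-big) can be modelled as a small stateful filter. The following is an added example, not code from the post or from any particular router; the addresses, the monitoring host and the packets are constructed, and the "pending echo" table is a toy stand-in for the connection tracking a real stateful firewall would do:

```python
"""Toy stateful perimeter filter: default-deny, then explicitly permit
(a) an external echo-request to the DNS server and the echo-reply that
answers exactly that request, and (b) ICMP destination-unreachable /
fragmentation-needed ("packet too big"), which path MTU discovery relies on.
Everything else is dropped. Added example; addresses and packets are constructed."""

from dataclasses import dataclass

# ICMP type/code values (RFC 792)
ECHO_REPLY = 0
DEST_UNREACH = 3
FRAG_NEEDED = 4          # code under type 3: fragmentation needed and DF set
ECHO_REQUEST = 8

DNS_SERVER = "192.0.2.53"   # constructed: the internal authoritative DNS host
INSIDE_NET = "192.0.2."     # constructed: internal prefix (TEST-NET-1)


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    type: int
    code: int = 0
    ident: int = 0     # echo identifier
    seq: int = 0       # echo sequence number


class PerimeterFilter:
    """Default-deny filter with a tiny state table for echo request/reply pairs."""

    def __init__(self):
        # (external src, internal dst, ident, seq) of requests not yet answered
        self._pending_echo = set()

    def _inbound(self, p):
        return not p.src.startswith(INSIDE_NET) and p.dst.startswith(INSIDE_NET)

    def _outbound(self, p):
        return p.src.startswith(INSIDE_NET) and not p.dst.startswith(INSIDE_NET)

    def decide(self, p: Icmp) -> str:
        # Explicit permit 1: packet-too-big in either direction (needed for PMTUD).
        if p.type == DEST_UNREACH and p.code == FRAG_NEEDED:
            return "ACCEPT"
        # Explicit permit 2: an external monitor pinging the DNS server...
        if self._inbound(p) and p.type == ECHO_REQUEST and p.dst == DNS_SERVER:
            self._pending_echo.add((p.src, p.dst, p.ident, p.seq))
            return "ACCEPT"
        # ...and only the echo-reply that answers that exact request (state match).
        if self._outbound(p) and p.type == ECHO_REPLY:
            key = (p.dst, p.src, p.ident, p.seq)
            if key in self._pending_echo:
                self._pending_echo.discard(key)
                return "ACCEPT"
        # Everything else, including unsolicited or replayed echo-replies: drop.
        return "DROP"


def run_sample():
    """Run a constructed packet sequence through the filter; returns the verdicts."""
    fw = PerimeterFilter()
    monitor = "198.51.100.7"     # constructed: the external host that pings the DNS server
    packets = [
        Icmp(monitor, DNS_SERVER, ECHO_REQUEST, ident=0x1234, seq=1),
        Icmp(DNS_SERVER, monitor, ECHO_REPLY, ident=0x1234, seq=1),    # answers the request above
        Icmp(DNS_SERVER, monitor, ECHO_REPLY, ident=0x1234, seq=1),    # duplicate / replayed reply
        Icmp("192.0.2.10", monitor, ECHO_REPLY, ident=0x99, seq=5),    # unsolicited reply, other host
        Icmp(monitor, "192.0.2.10", ECHO_REQUEST, ident=0x99, seq=5),  # ping to a non-DNS host
        Icmp("203.0.113.1", DNS_SERVER, DEST_UNREACH, code=FRAG_NEEDED),  # packet-too-big
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

Matching the reply on identifier and sequence number is what keeps the echo-reply permit narrow: the DNS host can answer the monitor's ping, but no inside host can send echo-replies outward on its own, and a reply that has already been consumed is not accepted a second time.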
