Firewall Wizards mailing list archives

Re: ICMP Packets.


From: "Ge' Weijers" <ge () progressive-systems com>
Date: Fri, 5 Jun 1998 11:42:27 -0400 (EDT)


This is what I came up with a while back:

Type    Description                     rule
------------------------------------------------------
0       echo reply                      allow both [1]
3       destination unreachable         allow both [3]
4       source quench                   allow both [4]
5       redirect                        allow out [2]
8       echo request                    allow out [1]
12      parameter problem               allow both
*       anything else                   block

[1] Many more possibilities exist to probe a network, so disallowing
    incoming 'ping' packets does not add much security.
[2] To help hosts on the DMZ.
[3] Some older protocol stacks (SunOS 4 comes to mind) may 
    drop established TCP connections when receiving a destination
    unreachable message. This is wrong.
[4] This ICMP message is deprecated. Trying to do flow control by
    generating more traffic was a bad idea in hindsight :-)

A firewall built using packet filters that don't keep some form of state
will not be able to block network probing. In some cases a combination of
NAT and packet filtering will improve security: a machine that does not
have a globally valid IP address can't be probed.

Ge'

On Thu, 4 Jun 1998, Bennett Todd wrote:

So, while I've not yet looked at the RFC to translate the gist into
actual packet types suitable for plugging into a filter, I have gotten a
gist --- I came into this knowing about the need for the fragmentation
packet for path MTU discovery, and Perry just taught me that I'll need
to let some more through so people getting SYN-ed with spoofed source
can get an ``nope, ain't me'' back from my server.


-
Ge' Weijers                                Voice: (614)326 4600
Progressive Systems, Inc.                    FAX: (614)326 4601
2000 West Henderson Rd. Suite 400
Columbus, OH 43220           http://www.Progressive-Systems.com
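The type table and the closing paragraph above, as an added example that is not part of Ge's post: a small Python filter that applies the type/direction table and adds the state the post says stateless filters lack, so an inbound echo reply passes only when it answers an echo request this side sent. The names IcmpFilter, build_icmp and the sample packets are my own constructions.

```python
import struct

# Policy from the post: ICMP type -> directions allowed (anything else: block).
POLICY = {0: {"in", "out"}, 3: {"in", "out"}, 4: {"in", "out"},
          5: {"out"}, 8: {"out"}, 12: {"in", "out"}}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(itype: int, code: int, rest: int, payload: bytes = b"") -> bytes:
    """Constructed test packet: type, code, checksum, 32-bit 'rest of header'."""
    hdr = struct.pack("!BBHI", itype, code, 0, rest) + payload
    return struct.pack("!BBHI", itype, code, icmp_checksum(hdr), rest) + payload

class IcmpFilter:
    def __init__(self):
        # (identifier << 16 | sequence) of echo requests this side has sent
        self.pings = set()

    def decide(self, direction: str, pkt: bytes) -> str:
        if len(pkt) < 8 or icmp_checksum(pkt) != 0:
            return "block"                 # truncated or bad checksum
        itype, code, _, rest = struct.unpack("!BBHI", pkt[:8])
        if direction not in POLICY.get(itype, set()):
            return "block"                 # the table says no
        if itype == 8 and direction == "out":
            self.pings.add(rest)           # remember id/seq so the reply may return
        elif itype == 0 and direction == "in":
            if rest not in self.pings:
                return "block"             # unsolicited reply: a probe, not an answer
            self.pings.discard(rest)       # state consumed by this reply
        return "allow"
```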


