Firewall Wizards mailing list archives
Re: ICMP Packets.
From: "Ge' Weijers" <ge () progressive-systems com>
Date: Fri, 5 Jun 1998 11:42:27 -0400 (EDT)
This is what I came up with a while back:

Type  Description              Rule
------------------------------------------------------
  0   echo reply               allow both  [1]
  3   destination unreachable  allow both  [3]
  4   source quench            allow both  [4]
  5   redirect                 allow out   [2]
  8   echo request             allow out   [1]
 12   parameter problem        allow both
  *   anything else            block

[1] Many more possibilities exist to probe a network, so disallowing incoming 'ping' packets does not add much security.
[2] To help hosts on the DMZ.
[3] Some older protocol stacks (SunOS 4 comes to mind) may drop established TCP connections when receiving a destination unreachable message. This is wrong.
[4] This ICMP message is deprecated. Trying to do flow control by generating more traffic was a bad idea in hindsight :-)

A firewall built using packet filters that don't keep some form of state will not be able to block network probing. In some cases a combination of NAT and packet filtering will improve security: a machine that does not have a globally valid IP address can't be probed.

Ge'

On Thu, 4 Jun 1998, Bennett Todd wrote:
> So, while I've not yet looked at the RFC to translate the gist into actual packet types suitable for plugging into a filter, I have gotten a gist --- I came into this knowing about the need for the fragmentation packet for path MTU discovery, and Perry just taught me that I'll need to let some more through so people getting SYN-ed with spoofed source can get an ``nope, ain't me'' back from my server.
--
Ge' Weijers                          Voice: (614)326 4600
Progressive Systems, Inc.            FAX:   (614)326 4601
2000 West Henderson Rd. Suite 400
Columbus, OH 43220                   http://www.Progressive-Systems.com
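As an added example (not code from the post or from the list), here is the rule table above written as a stateless ICMP filter in Python and applied to constructed ICMP messages. The type numbers are the standard ICMP values; the policy table is transcribed from the post; the helper names (`build_icmp`, `parse_icmp`, `decide`, `run_samples`) and the sample packets are my own assumptions. The filter also verifies the ICMP checksum and blocks anything it cannot parse, a check the post's table leaves implicit.

```python
"""Stateless ICMP filter implementing the policy table from the post above.

Constructed example, not code from the mailing-list post: the policy table is
transcribed from the post, the packet bytes are built locally, and the helper
names are my own.
"""
import struct

# ICMP type numbers (RFC 792 values) referenced by the table.
ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH = 0, 3, 4
REDIRECT, ECHO_REQUEST, PARAM_PROBLEM = 5, 8, 12

# Direction(s) in which each type is allowed; any type absent here is blocked.
POLICY = {
    ECHO_REPLY:    {"in", "out"},
    DEST_UNREACH:  {"in", "out"},
    SOURCE_QUENCH: {"in", "out"},
    REDIRECT:      {"out"},
    ECHO_REQUEST:  {"out"},
    PARAM_PROBLEM: {"in", "out"},
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd trailing byte padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4,
               payload: bytes = b"") -> bytes:
    """Assemble an ICMP message with a correct checksum (used to construct samples)."""
    body = rest + payload
    csum = icmp_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body


def parse_icmp(packet: bytes) -> tuple[int, int]:
    """Return (type, code); reject truncated headers and bad checksums."""
    if len(packet) < 8:
        raise ValueError("ICMP header shorter than 8 bytes")
    if icmp_checksum(packet) != 0:  # a correctly checksummed message sums to zero
        raise ValueError("ICMP checksum mismatch")
    icmp_type, code = struct.unpack("!BB", packet[:2])
    return icmp_type, code


def decide(packet: bytes, direction: str) -> str:
    """Apply the table to one packet travelling 'in' or 'out'; return 'allow' or 'block'.

    Anything that fails to parse is blocked: a filter that keeps no state has
    nothing else to base a decision on.
    """
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    try:
        icmp_type, _code = parse_icmp(packet)
    except ValueError:
        return "block"
    return "allow" if direction in POLICY.get(icmp_type, set()) else "block"


# Constructed sample traffic: (label, packet, direction).
SAMPLES = [
    ("inbound echo request (ping from outside)", build_icmp(ECHO_REQUEST, 0), "in"),
    ("outbound echo request", build_icmp(ECHO_REQUEST, 0), "out"),
    ("inbound echo reply", build_icmp(ECHO_REPLY, 0), "in"),
    ("inbound fragmentation needed (type 3, code 4)", build_icmp(DEST_UNREACH, 4), "in"),
    ("inbound redirect", build_icmp(REDIRECT, 1), "in"),
    ("outbound redirect (to DMZ hosts)", build_icmp(REDIRECT, 1), "out"),
    ("inbound timestamp request (type 13)", build_icmp(13, 0), "in"),
    ("inbound parameter problem", build_icmp(PARAM_PROBLEM, 0), "in"),
]


def run_samples() -> list[tuple[str, str]]:
    """Return (label, decision) for every constructed sample."""
    return [(label, decide(pkt, direction)) for label, pkt, direction in SAMPLES]


if __name__ == "__main__":
    for label, verdict in run_samples():
        print(f"{verdict:5s}  {label}")
```

Because no state is kept, the filter accepts an inbound echo reply whether or not a matching request ever left the network; that is exactly the limitation the last paragraph of the post points out, and it is why the table treats blocking inbound echo requests as a small gain rather than a real barrier to probing.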