Firewall Wizards mailing list archives

Re: ICMP Packets.


From: "Paul D. Robertson" <proberts () clark net>
Date: Fri, 5 Jun 1998 00:01:07 -0400 (EDT)

On Wed, 3 Jun 1998, Perry E. Metzger wrote:

> 1) Your network becomes an excellent choice when picking network
> numbers for SYN flooding third parties.

If it's behind an application layer gateway, and it's a legitimately 
routable network, it doesn't change.  This is only true for packet 
filtering firewalls, and it means that you must allow the TCP packets in 
to the router.  In general, folks disallow *inbound* ICMP, not outbound, 
so it's not an issue, as you can still generate host, network, or 
administratively unreachable ICMP datagrams without allowing them inbound.

> 2) Testing connectivity to your network becomes a bitch and a half.

Only through the device which is blocking.  You can selectively or 
unselectively allow certain diagnostic machines into interfaces too, so 
this isn't always a big deal.  

> 3) Any connections you make to bad/nonexistent/down hosts take a full
> timeout period to be detected instead of being noticed immediately via
> UNREACHABLEs, greatly lowering your performance. This can SERIOUSLY
> whack mail delivery through your firewall, for example -- I've seen
> this happen in practice. Remember, they can't scan you, but you can't
> get UNREACHABLEs from the machines YOU are connecting to, either.

Of course, most IP stacks allow you to tune the timeout values now.  In 
an outbound transaction oriented environment, this may be a concern, in 
which case selectively allowing ICMP to a host or set of hosts may be 
preferable to blocking, however since this only happens when you can't 
reach the machine, the value may be questionable for most real-world 
scenarios, especially if you've tuned your gateway's IP stack.

> I'm a firewall fascist -- I build the things to permit only those
> things I *know* to be needed, but ICMP is on that list. It makes sense 
> to block perhaps certain ICMP messages, but not *all* ICMP.

Just because it's on your list doesn't mean it's on everyone's list, or 
that it's necessary to every host.  I've also seen sites where thousands 
of users are behind ICMP blocks at the border routers which have 
functioned just fine for many, many years.  Total complaints:  2, both of 
which had to do with Solaris' ping segfaulting when presented with 
administratively unreachable datagrams.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
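The middle ground the two posters circle around ("block certain ICMP messages, but not *all* ICMP", and "selectively allowing ICMP to a host or set of hosts"), as an added example written for this archive page and not code from either poster: a small stateful check for ICMP arriving from outside that accepts destination-unreachable and time-exceeded messages only when the IP header they quote belongs to a connection an inside host actually opened, so outbound SMTP still fails fast on unreachables while inbound echo requests, redirects and errors about traffic that was never sent are dropped. The inside network (192.0.2.0/24), the peer addresses, the flow table and the packets are all constructed for illustration; the header layouts follow RFC 792 and RFC 1812.

```python
"""Selective, stateful inbound ICMP policy (added example, constructed data)."""
import ipaddress
import struct

# ICMP types and destination-unreachable codes from RFC 792 / RFC 1812.
ICMP_DEST_UNREACH = 3
ICMP_REDIRECT = 5
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
CODE_HOST_UNREACH = 1
CODE_ADMIN_PROHIBITED = 13

# Constructed: the network behind the border filter (RFC 5737 documentation range).
INSIDE_NET = ipaddress.ip_network("192.0.2.0/24")


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) from a raw IPv4 datagram."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    return src, dst, pkt[9], pkt[ihl:]


def build_ipv4(src, dst, proto, payload: bytes) -> bytes:
    """Constructed test helper: minimal 20-byte IPv4 header, checksum left zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload


def build_icmp(icmp_type, code, body: bytes) -> bytes:
    """Constructed test helper: 8-byte ICMP header (checksum/unused zero) plus body."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + body


def inbound_icmp_decision(pkt: bytes, active_flows: set) -> str:
    """Policy for ICMP arriving from outside.

    active_flows holds (inside_ip, inside_port, outside_ip, outside_port) tuples
    for connections inside hosts have opened; an ICMP error passes only when the
    header it quotes matches one of them. Everything else is denied by default.
    """
    src, dst, proto, payload = parse_ipv4(pkt)
    if proto != 1:
        return "not-icmp"
    if len(payload) < 8:
        return "drop: truncated ICMP header"
    icmp_type, code = payload[0], payload[1]
    if icmp_type == ICMP_ECHO_REQUEST:
        return "drop: inbound echo request"
    if icmp_type not in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        return "drop: type %d not on the allow list" % icmp_type
    # An ICMP error quotes the offending IP header plus the first 8 bytes of its
    # payload (RFC 792); for TCP and UDP those bytes hold the port numbers.
    try:
        q_src, q_dst, q_proto, q_payload = parse_ipv4(payload[8:])
    except ValueError:
        return "drop: malformed quoted header"
    if q_src not in INSIDE_NET:
        return "drop: quoted packet was not ours"
    if q_proto not in (6, 17) or len(q_payload) < 4:
        return "drop: quoted packet is not TCP/UDP"
    sport, dport = struct.unpack("!HH", q_payload[:4])
    if (q_src, sport, q_dst, dport) not in active_flows:
        return "drop: no matching outbound flow"
    return "accept: type %d code %d for flow %s:%d->%s:%d" % (
        icmp_type, code, q_src, sport, q_dst, dport)


def demo() -> dict:
    """Run the policy over constructed packets; returns {label: decision}."""
    inside, mailhost, router = "192.0.2.10", "198.51.100.25", "203.0.113.1"
    flows = {(ipaddress.ip_address(inside), 40000, ipaddress.ip_address(mailhost), 25)}
    # The outbound SMTP SYN (ports 40000 -> 25) that a router would quote back to us.
    syn_quote = build_ipv4(inside, mailhost, 6, struct.pack("!HH", 40000, 25) + b"\0" * 4)
    other_quote = build_ipv4(inside, mailhost, 6, struct.pack("!HH", 40001, 25) + b"\0" * 4)
    cases = {
        "host unreachable for our SMTP SYN":
            build_ipv4(router, inside, 1, build_icmp(ICMP_DEST_UNREACH, CODE_HOST_UNREACH, syn_quote)),
        "admin prohibited for our SMTP SYN":
            build_ipv4(router, inside, 1, build_icmp(ICMP_DEST_UNREACH, CODE_ADMIN_PROHIBITED, syn_quote)),
        "unreachable quoting a flow we never opened":
            build_ipv4(router, inside, 1, build_icmp(ICMP_DEST_UNREACH, CODE_HOST_UNREACH, other_quote)),
        "ICMP redirect":
            build_ipv4(router, inside, 1, build_icmp(ICMP_REDIRECT, 0, syn_quote)),
        "inbound ping":
            build_ipv4(router, inside, 1, build_icmp(ICMP_ECHO_REQUEST, 0, b"")),
    }
    return {label: inbound_icmp_decision(pkt, flows) for label, pkt in cases.items()}


if __name__ == "__main__":
    for label, decision in demo().items():
        print("%-45s %s" % (label, decision))
```

The flow table stands in for whatever connection state the filtering device keeps; on a stateless packet filter of the kind the thread describes, the same allow-list of types would still hold but the quoted-header check would have to be dropped, which is exactly when the "network numbers for SYN flooding third parties" concern in point 1 reappears.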