Firewall Wizards mailing list archives
Re: ICMP Packets.
From: "Paul D. Robertson" <proberts () clark net>
Date: Fri, 5 Jun 1998 00:01:07 -0400 (EDT)
On Wed, 3 Jun 1998, Perry E. Metzger wrote:
> 1) Your network becomes an excellent choice when picking network numbers for SYN flooding third parties.
If it's behind an application layer gateway, and it's a legitimately routable network, it doesn't change. This is only true for packet filtering firewalls, and it means that you must allow the TCP packets in to the router. In general, folks disallow *inbound* ICMP, not outbound, so it's not an issue, as you can still generate host, network, or administratively unreachable ICMP datagrams without allowing them inbound.
> 2) Testing connectivity to your network becomes a bitch and a half.
Only through the device which is blocking. You can selectively or unselectively allow certain diagnostic machines into interfaces too, so this isn't always a big deal.
> 3) Any connections you make to bad/nonexistent/down hosts take a full timeout period to be detected instead of being noticed immediately via UNREACHABLEs, greatly lowering your performance. This can SERIOUSLY whack mail delivery through your firewall, for example -- I've seen this happen in practice. Remember, they can't scan you, but you can't get UNREACHABLEs from the machines YOU are connecting to, either.
Of course, most IP stacks allow you to tune the timeout values now. In an outbound transaction oriented environment, this may be a concern, in which case selectively allowing ICMP to a host or set of hosts may be preferable to blocking; however, since this only happens when you can't reach the machine, the value may be questionable for most real-world scenarios, especially if you've tuned your gateway's IP stack.
> I'm a firewall fascist -- I build the things to permit only those things I *know* to be needed, but ICMP is on that list. It makes sense to block perhaps certain ICMP messages, but not *all* ICMP.
Just because it's on your list doesn't mean it's on everyone's list, or that it's necessary to every host. I've also seen sites where thousands of users are behind ICMP blocks at the border routers which have functioned just fine for many, many years. Total complaints: 2, both of which had to do with Solaris' ping segfaulting when presented with administratively unreachable datagrams.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net   which may have no basis whatsoever in fact."
PSB#9280
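An added illustration of the "block certain ICMP messages, but not all ICMP" position argued above; this is not code from Paul's message or from anyone in the thread. It parses an ICMP header, verifies the RFC 1071 checksum, and then applies a border policy in the shape the reply describes: outbound ICMP passes (so the site's hosts can still emit host/network/administratively unreachable messages), inbound ICMP is dropped by default, and Destination Unreachable is admitted only to a hypothetical mail gateway that would otherwise sit through full TCP timeouts, while echo is admitted only to a hypothetical diagnostic host. All addresses (RFC 5737 ranges), the policy tables and the sample traffic are constructed.

```python
"""Selective ICMP filtering at a border: parse, checksum-verify, then filter
by direction, type and destination.  Added example; addresses and policy
tables are constructed, not taken from the mailing-list post."""
import struct
from dataclasses import dataclass

# ICMP message types (RFC 792) and two Destination Unreachable codes
ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST = 0, 3, 8
CODE_HOST_UNREACH, CODE_ADMIN_PROHIBITED = 1, 13


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit big-endian words (RFC 1071), complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass(frozen=True)
class IcmpMessage:
    type: int
    code: int
    payload: bytes


def build_icmp(msg_type: int, code: int, payload: bytes = b"") -> bytes:
    """Serialise an ICMP message with a correct checksum (rest-of-header left 0)."""
    header = struct.pack("!BBHI", msg_type, code, 0, 0)
    chk = icmp_checksum(header + payload)
    return struct.pack("!BBHI", msg_type, code, chk, 0) + payload


def parse_icmp(packet: bytes) -> IcmpMessage:
    """Parse and validate; raises ValueError on a short or corrupted message."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    msg_type, code, _chk, _rest = struct.unpack("!BBHI", packet[:8])
    # Checksumming the whole message, checksum field included, must give zero.
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    return IcmpMessage(msg_type, code, packet[8:])


# Constructed policy tables (hypothetical hosts, RFC 5737 documentation addresses).
UNREACHABLE_RECEIVERS = {"192.0.2.25"}  # outbound mail gateway: needs unreachables to fail fast
DIAGNOSTIC_HOSTS = {"192.0.2.10"}       # the one box outsiders may ping


def filter_icmp(direction: str, dst: str, msg: IcmpMessage) -> str:
    """Return 'accept' or 'drop' for one ICMP message crossing the border."""
    if direction == "out":
        # Our hosts may still tell peers they are unreachable or prohibited.
        return "accept"
    if msg.type == DEST_UNREACHABLE and dst in UNREACHABLE_RECEIVERS:
        return "accept"
    if msg.type in (ECHO_REQUEST, ECHO_REPLY) and dst in DIAGNOSTIC_HOSTS:
        return "accept"
    return "drop"  # every other inbound ICMP, unreachables to other hosts included


def decide(direction: str, dst: str, raw: bytes) -> str:
    """Wire-level entry point: a malformed ICMP message is dropped, not inspected."""
    try:
        msg = parse_icmp(raw)
    except ValueError:
        return "drop"
    return filter_icmp(direction, dst, msg)


def run_demo() -> list:
    """Constructed traffic sample; returns the filter's decisions in order."""
    sample = [
        ("out", "203.0.113.5", build_icmp(DEST_UNREACHABLE, CODE_ADMIN_PROHIBITED)),
        ("in", "192.0.2.25", build_icmp(DEST_UNREACHABLE, CODE_HOST_UNREACH)),
        ("in", "192.0.2.40", build_icmp(DEST_UNREACHABLE, CODE_HOST_UNREACH)),
        ("in", "192.0.2.10", build_icmp(ECHO_REQUEST, 0, b"ping")),
        ("in", "192.0.2.25", build_icmp(ECHO_REQUEST, 0, b"ping")),
        ("in", "192.0.2.25", b"\x03\x01\x00\x00\x00\x00\x00\x00"),  # zeroed checksum: corrupt
    ]
    return [decide(d, dst, raw) for d, dst, raw in sample]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The policy is deliberately stateless, like the border-router filters the post describes; a stateful filter could instead admit inbound unreachables only when they quote a connection the gateway actually opened, which is the tighter form of the same "selectively allow ICMP to a host or set of hosts" idea.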