Firewall Wizards mailing list archives

Re: ICMP Packets.


From: john_smith () rd qms com
Date: Fri, 05 Jun 98 08:23:26 -0600


        It hit me two minutes after I clicked on send that I hadn't worded 
     my previous email correctly.  Hadn't had enough caffeine yet.  :(
     
        We allow *outbound*:
     
     - echo (type 8/code 0)
     - parameter-problem (12/[0|1])
     - source-quench (4/0)
     - ttl-exceeded (11/[0|1])
     
        and deny all other ICMP outbound.
     
        Inbound we allow all ICMP.
     
        This allows us to ping sites and allows our customers to get basic 
     error messages.
     
        Given the wording below this is the exact opposite of our policy.  
     Guess I'm going to have to rethink some things.  At least this list 
     does seem to work for us.
     
           Once again please let me know if you spot any problems with this 
     list.
     
        If I've gotten anything wrong again please let me know and I'll go 
     back home and go back to bed.  ;)
     
     jcs
     
     
     ______________________________ Forward Header _______________________
     Subject: Re: ICMP Packets.
     Author:  john smith at QMS-RD
     Date:    6/5/98 8:01 AM


        I knew I had seen this thread before.  Searched my personal 
     archives and came across it in the Firewalls Digest (V6 #295, #299, 
     #304 and #305) under the thread titled "what ICMP should i allow 
     through?".  Based on that discussion we modified our filter rules as 
     follows:
     
     Inbound Allow:
     
     - echo (type 8/code 0)
     - parameter-problem (12/[0|1])
     - source-quench (4/0)
     - ttl-exceeded (11/[0|1])
     
     Deny all other inbound ICMP.
     
     Outbound we allow all ICMP packets.
     
        This complies with our policy of permit all outbound and deny all 
     inbound except what is specifically permitted.  This list works *for 
     us* and does not seem to cause any connection problems (at least no 
     customer connectivity complaints).
     
        If any of you spot any obvious problems with this please point them 
     out.
     
     jcs
     
     John C. Smith
     Sys Admin/Jack-of-all-trades
     QMS, Inc.
     1 Magnum Pass
     Mobile, AL  36618, USA
     (334) 633-4300
     john_smith () rd qms com
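As an added illustration, not part of the thread or of any firewall product, the following Python evaluates the two rule sets John describes (inbound allow-list with outbound allow-all from the forwarded message, and the corrected outbound allow-list with inbound allow-all) against constructed ICMP messages. It parses the 8-byte ICMP header, verifies the RFC 1071 checksum, and returns allow or deny per direction. Everything here is an assumption for demonstration: the filter is stateless, ignores the IP header, and the sample packets are built inline. Note that the allow-list as posted contains echo request (type 8) but not echo reply (type 0), so the example also shows how each direction treats a reply.

```python
"""Toy stateless ICMP filter applying the type/code allow-list from the post.

Constructed example, not code from the mailing-list thread. It builds ICMP
messages with a valid checksum, parses the header, and decides per direction
whether a message passes under each of the two policies described.
"""
import struct

# Allow-list exactly as posted: (type, code) pairs.
ALLOWED = frozenset({
    (8, 0),             # echo request
    (12, 0), (12, 1),   # parameter problem
    (4, 0),             # source quench
    (11, 0), (11, 1),   # TTL exceeded (in transit / fragment reassembly)
})

# The two rule sets from the thread, keyed by direction.
# None means "allow all ICMP" in that direction.
POLICIES = {
    "posted":    {"inbound": ALLOWED, "outbound": None},   # forwarded message
    "corrected": {"inbound": None,    "outbound": ALLOWED},  # follow-up
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Build an ICMP message (rest-of-header zeroed) with a valid checksum."""
    header = struct.pack("!BBHI", icmp_type, code, 0, 0)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, 0) + payload


def parse_icmp(msg: bytes):
    """Return (type, code, checksum_ok); raise ValueError on a short header."""
    if len(msg) < 8:
        raise ValueError("ICMP header needs at least 8 bytes")
    icmp_type, code, _ = struct.unpack("!BBH", msg[:4])
    # A message with a correct checksum field sums to zero when re-checked.
    return icmp_type, code, icmp_checksum(msg) == 0


def decide(policy: str, direction: str, msg: bytes) -> str:
    """Return 'allow' or 'deny' for one message under one policy/direction."""
    icmp_type, code, ok = parse_icmp(msg)
    if not ok:
        return "deny"                        # malformed checksum never passes
    allowed = POLICIES[policy][direction]
    if allowed is None:
        return "allow"                       # allow-all direction
    return "allow" if (icmp_type, code) in allowed else "deny"


if __name__ == "__main__":
    # Constructed sample traffic: (label, type, code)
    samples = [
        ("echo request", 8, 0),
        ("echo reply", 0, 0),
        ("dest unreachable/port", 3, 3),
        ("ttl exceeded", 11, 0),
        ("redirect", 5, 1),
    ]
    for policy in POLICIES:
        for direction in ("inbound", "outbound"):
            for label, t, c in samples:
                verdict = decide(policy, direction, build_icmp(t, c, b"data"))
                print(f"{policy:9} {direction:8} {label:22} {t}/{c}: {verdict}")
```

Running the module prints a verdict table for both policies; the functions are importable so the allow-list can be checked against captured header bytes without the sample loop.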



