Firewall Wizards mailing list archives

RE: how to block ICMP tunneling?


From: Ben Nagy <bnagy () cpms com au>
Date: Tue, 20 Jul 1999 16:11:13 +0930

My normal approach is to allow ICMP _in_, of certain types, but not allow it
_out_.

You want to be able to receive host unreachable, admin. prohibited, echo
reply, etc. You want your own traceroute, ping, et al to work!

Of particular concern are outgoing ICMP administratively prohibited (type
3/13) and echo reply (0/0, from memory). I tend to do it to frustrate scans.

Blocking all ICMP can have lots of negative implications, however.

Just a f'rinstance - I recently had a site that blocked all outgoing ICMP,
and then they found that lots of outgoing email was timing out. The reason?
The remote site sent an ident request to the local mailserver, and the
resulting ICMP error got blocked at the edge router. Because it never saw a
TCP RST, the remote mail server kept on trying the ident, and eventually the
connection dropped. Gross, I know, but that's what happens when you screw
with part of the protocol.

I fixed it in the end by rigging the router to send a TCP RST instead of an
ICMP 3/13, but the point is that ICMP is part of TCP/IP and lots of stuff
(rightly or wrongly) relies on it.

Cheers,

--
Ben Nagy
Network Consultant, CPM&S Group of Companies
Ph: +61 8 8422 8319            Mb: +61 414 411 520
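
As an added illustration (not part of Ben's post or the thread), the policy he describes written out as a small packet-verdict function: selected ICMP types are accepted inbound so the site's own ping, traceroute and path errors keep working, outbound ICMP is limited to echo request so local ping still works, and the outbound 3/13 and 0/0 messages he names are dropped. The ident case is handled the way he fixed it: an inbound TCP SYN to a port with no local service is rejected with a TCP RST rather than an ICMP 3/13, because that ICMP error would itself be swallowed by the outbound rule and the remote mail server would keep retrying. The `Packet` type, the `LOCAL_TCP_SERVICES` set and the verdict strings are assumptions for the example; a real edge router expresses the same thing in its own ACL syntax.

```python
# Added example, not from the thread: an ICMP ingress/egress policy in
# the spirit of Ben Nagy's post, with the ident fix (RST instead of 3/13).
from dataclasses import dataclass
from typing import Optional

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
CODE_ADMIN_PROHIBITED = 13   # destination unreachable, code 13

# Inbound ICMP we keep: echo reply (our ping), destination unreachable
# (host unreachable, admin prohibited, ...), time exceeded (our traceroute).
# A code of None means "any code of that type".
ALLOWED_INBOUND_ICMP = {
    (ICMP_ECHO_REPLY, None),
    (ICMP_DEST_UNREACH, None),
    (ICMP_TIME_EXCEEDED, None),
}

# Outbound ICMP we keep: only echo request, so local ping works.  Outbound
# echo reply (0/0) and admin prohibited (3/13) are therefore dropped, which
# is the part that frustrates scans and keeps an internal host from
# answering pings from outside.
ALLOWED_OUTBOUND_ICMP = {
    (ICMP_ECHO_REQUEST, None),
}

# Assumption for the example: TCP ports the site actually serves from
# outside.  ident (113) is deliberately not among them.
LOCAL_TCP_SERVICES = {25}


@dataclass(frozen=True)
class Packet:
    direction: str                 # "in" (from outside) or "out" (to outside)
    proto: str                     # "icmp" or "tcp"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    dport: Optional[int] = None
    syn: bool = False


def _icmp_matches(pkt: Packet, table) -> bool:
    return any(pkt.icmp_type == t and (c is None or pkt.icmp_code == c)
               for t, c in table)


def verdict(pkt: Packet) -> str:
    """Return the edge-router verdict for one packet."""
    if pkt.proto == "icmp":
        table = ALLOWED_INBOUND_ICMP if pkt.direction == "in" else ALLOWED_OUTBOUND_ICMP
        return "accept" if _icmp_matches(pkt, table) else "drop"
    if pkt.proto == "tcp" and pkt.direction == "in" and pkt.syn:
        if pkt.dport in LOCAL_TCP_SERVICES:
            return "accept"
        # Ben's fix: answer closed ports with a TCP RST.  Rejecting with
        # ICMP 3/13 would generate an outbound ICMP that the policy above
        # drops, so the peer would see nothing and retry until timeout.
        return "reject-with-tcp-reset"
    return "drop"


def apply_policy(packets) -> dict:
    """Tally verdicts over a batch; handy for checking a rule change."""
    counts: dict = {}
    for p in packets:
        v = verdict(p)
        counts[v] = counts.get(v, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample traffic.
    sample = [
        Packet("in", "icmp", icmp_type=ICMP_ECHO_REQUEST, icmp_code=0),   # outside ping: drop
        Packet("in", "icmp", icmp_type=ICMP_ECHO_REPLY, icmp_code=0),     # reply to our ping
        Packet("in", "icmp", icmp_type=ICMP_DEST_UNREACH, icmp_code=CODE_ADMIN_PROHIBITED),
        Packet("out", "icmp", icmp_type=ICMP_DEST_UNREACH, icmp_code=CODE_ADMIN_PROHIBITED),
        Packet("in", "tcp", dport=113, syn=True),                         # remote MTA's ident probe
        Packet("in", "tcp", dport=25, syn=True),
    ]
    for p in sample:
        print(p, "->", verdict(p))
    print(apply_policy(sample))
```

Note the caveat this scheme leaves open: because echo request is allowed out and echo reply is allowed in, an internal host can still exchange ICMP with the outside if it initiates, so sites worried about ICMP-carried traffic often also rate-limit or proxy ping rather than relying on this filter alone.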


-----Original Message-----
From: Kyle Starkey [mailto:KSTARKEY () altera com]
Sent: Tuesday, July 20, 1999 2:36 AM
To: 'Razvan Peteanu'; 'firewall-wizards () nfr net'
Subject: RE: how to block ICMP tunneling?


I was under the impression that ICMP should be blocked coming from the
outside.  I can't think of any reason you would want some one from the
outside PINGing, TRACERTing or otherwise Probing your internal network for
active hosts.  IMHO you should simply block the entire protocol from the
outside.

Just my .02
Kyle

-----Original Message-----
From: Razvan Peteanu [mailto:Razvan.Peteanu () srgsoftware com]
Sent: Friday, July 16, 1999 9:08 AM
To: 'firewall-wizards () nfr net'
Subject: how to block ICMP tunneling?


BO2K has the ability to use ICMP tunneling for its traffic so I'm interested
in what types of ICMP messages should be blocked to prevent this traffic.

Thanks,
Razvan



