Firewall Wizards mailing list archives
RE: how to block ICMP tunneling?
From: Ben Nagy <bnagy () cpms com au>
Date: Tue, 20 Jul 1999 16:11:13 +0930
My normal approach is to allow ICMP _in_, of certain types, but not allow it _out_. You want to be able to receive host unreachable, admin. prohibited, echo reply, etc. You want your own traceroute, ping, et al to work!

Of particular concern are outgoing ICMP administratively prohibited (type 3/13) and echo reply (0/0, from memory). I tend to do it to frustrate scans.

Blocking all ICMP can have lots of negative implications, however. Just a f'rinstance - I recently had a site that blocked all outgoing ICMP, and then they found that lots of outgoing email was timing out. The reason? The remote site sent an ident request to the local mailserver, and the resulting ICMP error got blocked at the edge router. Because it never saw a TCP RST, the remote mail server kept on trying the ident, and eventually the connection dropped. Gross, I know, but that's what happens when you screw with part of the protocol.

I fixed it in the end by rigging the router to send a TCP RST instead of an ICMP 3/13, but the point is that ICMP is part of TCP/IP and lots of stuff (rightly or wrongly) relies on it.

Cheers,

--
Ben Nagy
Network Consultant, CPM&S Group of Companies
Ph: +61 8 8422 8319 Mb: +61 414 411 520
-----Original Message-----
From: Kyle Starkey [mailto:KSTARKEY () altera com]
Sent: Tuesday, July 20, 1999 2:36 AM
To: 'Razvan Peteanu'; 'firewall-wizards () nfr net'
Subject: RE: how to block ICMP tunneling?

I was under the impression that ICMP should be blocked coming from the outside. I can't think of any reason you would want someone from the outside PINGing, TRACRTing or otherwise Probing your internal network for active hosts. IMHO you should simply block the entire protocol from the outside.

Just my .02
Kyle

-----Original Message-----
From: Razvan Peteanu [mailto:Razvan.Peteanu () srgsoftware com]
Sent: Friday, July 16, 1999 9:08 AM
To: 'firewall-wizards () nfr net'
Subject: how to block ICMP tunneling?

BO2K has the ability to use ICMP tunneling for its traffic so I'm interested in what types of ICMP messages should be blocked to prevent this traffic.

Thanks,
Razvan
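
An added example, not part of the original thread: a direction-aware ICMP filter decision in Python that models the policy described in the reply above, including answering a refused TCP connection with a RST instead of silently dropping the outgoing 3/13. The allow lists, the function names and the sample packets are assumptions constructed for illustration; the addresses are documentation ranges.

```python
import struct

# Policy as read from the post above; the exact type lists are assumptions.
INBOUND_ALLOW = {0, 3, 11}   # echo reply, destination unreachable, time exceeded
OUTBOUND_ALLOW = {8}         # assumption: echo request leaves so local ping works

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 over a packet whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Build a constructed ICMP message (header bytes 4-7 set to zero)."""
    body = b"\x00" * 4 + payload
    csum = checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body

def quoted_protocol(icmp: bytes):
    """IP protocol number of the offending packet quoted inside an ICMP error."""
    quoted = icmp[8:]
    return quoted[9] if len(quoted) >= 20 and quoted[0] >> 4 == 4 else None

def decide(direction: str, icmp: bytes) -> str:
    """Return 'accept', 'drop' or 'tcp-rst' for an ICMP message crossing the edge."""
    if len(icmp) < 8 or checksum(icmp) != 0:
        return "drop"                      # truncated or corrupt
    icmp_type, code = icmp[0], icmp[1]
    if direction == "in":
        return "accept" if icmp_type in INBOUND_ALLOW else "drop"
    if icmp_type in OUTBOUND_ALLOW:
        return "accept"
    # Fix from the post: a refused TCP connection gets a RST, not a filtered 3/13.
    if (icmp_type, code) == (3, 13) and quoted_protocol(icmp) == 6:
        return "tcp-rst"
    return "drop"

def quoted_ip(proto: int, dport: int) -> bytes:
    """Constructed sample: IPv4 header plus first 8 bytes of the refused packet."""
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0, src, dst)
    return ip + struct.pack("!HHI", 40000, dport, 0)

if __name__ == "__main__":
    print(decide("out", build_icmp(0, 0, b"ping")))              # echo reply leaving
    print(decide("out", build_icmp(3, 13, quoted_ip(6, 113))))   # refused ident
```
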