Firewall Wizards mailing list archives

Re: how to block ICMP tunneling?

From: "Geva Patz" <geva () planet co za>
Date: Tue, 20 Jul 1999 16:42:38 +0200

I was under the impression that ICMP should be blocked coming from the
outside.  I can't think of any reason you would want some one from the
outside PINGing, TRACRTing or otherwise Probing your internal network for
active hosts.  IMHO you should simply block the entire proctocol from the
outside.


I have experienced issues with this breaking path MTU discovery (which
relies on an ICMP code 3, type 4 packets returning). The behaviour I've seen
was in a configuration which looked like this (I'm leaving out a lot of
irrelevant intermediate steps in this picture):

+--------+   +----+     +--------+   +--------+
| Server |---| FW |-----| Router |---| Client |
+--------+   +----+     +--------+   +--------+

The server (which I believe was running Solaris) was 'inside' the firewall,
(which I believe was running Checkpoint FW/1); everything else was
'outside'. The firewall was configured for 'no incoming ICMP', but would
allow HTTP connections to the server. The router was configured with a small
MTU (600).

The client would successfully complete the three-way handshake with port 80
on the server, and would successfully send a small packet with the HTTP GET
request in it. The server responded with an 1100-byte long packet containing
the (small) home page in its entirety. This packed had the Don't Fragment
flag set. The packet made it as far as the router, which dropped it and sent
back and ICMP 3/4 response (packet too big). This got swallowed by the
firewall, and the server (which was clearly running a TCP stack without a
lot of initiative) kept sending 1100-byte packets which never made it to
their destination.

The result was that all users behind the router were unable to access the
web site on the remote server. Since the firewall and the server were at
another organisation beyond my control, and since the MTU on the router
could not be raised for various reasons, the only workaround I could find
was to site a HTTP proxy server on the 'front' side of the router and route
requests for the users behind the router through that.

-- Geva

Current thread:

Re: how to block ICMP tunneling?, (continued)
- - Re: how to block ICMP tunneling? Sebastian Krahmer (Jul 19)
- Re: how to block ICMP tunneling? Ted Doty (Jul 18)
- Re: how to block ICMP tunneling? Adam Shostack (Jul 19)
  - BO2k : was (Re: how to block ICMP tunneling?) Jason Brvenik (Jul 20)
- RE: how to block ICMP tunneling? Jason Diesel (Jul 19)
  - RE: how to block ICMP tunneling? Kevin Steves (Jul 26)
- RE: how to block ICMP tunneling? Kyle Starkey (Jul 19)
  - Re: how to block ICMP tunneling? Joseph S D Yao (Jul 20)
  - Re: how to block ICMP tunneling? Chris Brenton (Jul 20)
    - Re: how to block ICMP tunneling? carson (Jul 21)
  - Re: how to block ICMP tunneling? Geva Patz (Jul 20)
- RE: how to block ICMP tunneling? Marcus J. Ranum (Jul 19)
- Re: how to block ICMP tunneling? Steven M. Bellovin (Jul 20)
- RE: how to block ICMP tunneling? Ben Nagy (Jul 20)
- Re: how to block ICMP tunneling? Ryan Russell (Jul 21)
  - Re: how to block ICMP tunneling? Dru (Jul 26)
- RE: how to block ICMP tunneling? Jason Diesel (Jul 21)
  - Re: how to block ICMP tunneling? Adam Shostack (Jul 23)
- RE: how to block ICMP tunneling? Marcus J. Ranum (Jul 23)
- Re: how to block ICMP tunneling? Sean Costello (Jul 29)
- Re: how to block ICMP tunneling? Sean Costello (Jul 29)

(Thread continues...)