Firewall Wizards mailing list archives
Re: ICMP Filters
From: Hod Greeley <hod () Network-Alchemy COM>
Date: Mon, 01 Nov 1999 18:09:04 -0800
There are quite a few ICMP message types. See Stevens' TCP/IP Illustrated vol. 1 for details. Ping relies on ICMP echo request and reply messages. MTU discovery relies on destination unreachable / fragmentation needed error messages. Depending on how friendly you want to be with the outside world you can screen most message types besides the fragmentation needed error. Most unix traceroute implementations rely on errors generated by sending UDP packets to inactive ports (see the traceroute man page for a reasonable amount of detail), so you can't deal with this using an inbound ICMP screening rule. You could screen outbound ICMP time-to-live errors, or just block inbound UDP. I believe Microsoft's traceroute uses ICMP echo requests.

Joel Snider wrote:
> I am looking for the types of ICMP to filter in order to eliminate ping and traceroute from the Internet. I want to continue to ping and traceroute outbound. I have read several of the archives and seen several messages about filtered ICMP causing path MTU to not function. I have several web servers and mail servers behind the filter router. I don't want to cause any problems with the performance of these services. Also, by filtering these will I eliminate PingFlood attacks? Thanks...
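The following is an added example, not part of the thread above, that turns the reply's advice into a direction-aware ICMP screening policy and checks it against constructed packets. It parses the 8-byte ICMP header (type, code, RFC 1071 checksum), allows inbound only what outbound ping, outbound UDP traceroute and path MTU discovery need (echo reply, time exceeded, port unreachable, fragmentation needed), drops inbound echo requests, and drops outbound time-exceeded errors so inbound traceroutes get no answers. The type and code numbers are from RFC 792 and RFC 1191; the function names, the `INBOUND_ALLOW`/`OUTBOUND_DENY` sets and the sample packets are this example's own assumptions, and the filter is stateless (it does not match replies to the requests that caused them).

```python
import struct

# ICMP types and codes named in the thread (numbers from RFC 792 / RFC 1191).
ECHO_REPLY = 0
DEST_UNREACHABLE = 3
ECHO_REQUEST = 8
TIME_EXCEEDED = 11
PORT_UNREACHABLE = 3   # code under type 3: what a UDP traceroute's final hop sends back
FRAG_NEEDED = 4        # code under type 3: "fragmentation needed and DF set" (path MTU discovery)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over header + payload, folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Constructed test packet: 8-byte ICMP header with a correct checksum, then payload."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload


def parse_icmp(packet: bytes):
    """Return (type, code), or None when the header is truncated or the checksum is wrong."""
    if len(packet) < 8:
        return None
    icmp_type, code, _ = struct.unpack("!BBH", packet[:4])
    # A packet whose stored checksum is correct sums (including that field) to zero.
    if icmp_checksum(packet) != 0:
        return None
    return icmp_type, code


# Inbound (Internet -> protected network): only what our own outbound ping,
# outbound traceroute and path MTU discovery depend on. Echo request (inbound
# ping) and everything else is screened. (Assumed policy derived from the reply.)
INBOUND_ALLOW = {
    (ECHO_REPLY, 0),                       # answers to pings we sent
    (DEST_UNREACHABLE, FRAG_NEEDED),       # keep path MTU discovery working
    (DEST_UNREACHABLE, PORT_UNREACHABLE),  # final hop of a UDP traceroute we ran
    (TIME_EXCEEDED, 0),                    # intermediate hops of a traceroute we ran
}

# Outbound (protected network -> Internet): drop TTL-exceeded errors so that a
# UDP traceroute aimed at us gets no per-hop answers from inside hosts.
OUTBOUND_DENY = {(TIME_EXCEEDED, 0)}


def icmp_verdict(direction: str, packet: bytes) -> str:
    """Stateless verdict for one ICMP packet; direction is 'in' or 'out'."""
    parsed = parse_icmp(packet)
    if parsed is None:
        return "drop"  # malformed or corrupted: never forward it
    if direction == "in":
        return "accept" if parsed in INBOUND_ALLOW else "drop"
    if direction == "out":
        return "drop" if parsed in OUTBOUND_DENY else "accept"
    raise ValueError("direction must be 'in' or 'out'")


if __name__ == "__main__":
    # Constructed sample traffic; the 4-byte 'rest' of the frag-needed error
    # carries a next-hop MTU of 1500 in its last two bytes (RFC 1191).
    samples = [
        ("in", build_icmp(ECHO_REQUEST, 0)),
        ("in", build_icmp(ECHO_REPLY, 0)),
        ("in", build_icmp(DEST_UNREACHABLE, FRAG_NEEDED, b"\x00\x00\x05\xdc")),
        ("in", build_icmp(TIME_EXCEEDED, 0)),
        ("out", build_icmp(TIME_EXCEEDED, 0)),
        ("in", build_icmp(ECHO_REPLY, 0)[:-1] + b"\xff"),  # corrupted: checksum fails
    ]
    for direction, pkt in samples:
        print(direction, parse_icmp(pkt), icmp_verdict(direction, pkt))
```

Because the filter is stateless, an inbound echo reply or time-exceeded error is accepted whether or not an inside host actually sent the matching request; a stateful firewall that ties ICMP errors to the UDP or echo flow that triggered them tightens this without breaking outbound ping or traceroute.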