Firewall Wizards mailing list archives

Re: ICMP Filters


From: Hod Greeley <hod () Network-Alchemy COM>
Date: Mon, 01 Nov 1999 18:09:04 -0800

There are quite a few ICMP message types.  See Stevens' TCP/IP
Illustrated vol. 1 for details.

Ping relies on ICMP echo request and reply messages.  MTU discovery
relies on destination unreachable-fragmentation needed error messages.
Depending on how friendly you want to be with the outside world you can
screen most message types besides the fragmentation needed error.

Most unix traceroute implementations rely on errors generated by sending
UDP packets to inactive ports (see the traceroute man page for a
reasonable amount of detail), so you can't deal with this using an
inbound ICMP screening rule.  You could screen outbound
ICMP time-to-live errors, or just block inbound UDP.  I believe
Microsoft's traceroute uses ICMP echo requests.

Joel Snider wrote:

I am looking for the types of ICMP to filter in order
to eliminate ping and traceroute from the Internet. I
want to continue to ping and traceroute outbound. I
have read several of the archives and seen several
messages about filtered ICMP causing path MTU to not
function. I have several web servers and mail servers
behind the filter router. I don't want to cause any
problems with the performance of these services. Also,
by filtering these will I eliminate PingFlood attacks?

Thanks...


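As an added illustration (not part of either message above), here is a small stateless evaluator for the screening policy Hod sketches: inbound echo request denied, inbound echo reply, fragmentation-needed and time-exceeded permitted so outbound ping, path MTU discovery and outbound traceroute keep working, outbound time-exceeded denied so inbound traceroute gets no hop replies, and inbound UDP to the traceroute port range denied. Type/code numbers are from RFC 792 and RFC 1191; the port range 33434-33534 is an assumption about the usual Unix traceroute default.

```python
# Added example, not from the original thread: stateless ICMP screening policy.
from dataclasses import dataclass

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11  # RFC 792 types
CODE_PORT_UNREACH, CODE_FRAG_NEEDED = 3, 4      # codes under type 3 (RFC 792 / RFC 1191)
TRACEROUTE_PORTS = range(33434, 33535)          # assumed Unix traceroute default range


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" = Internet -> site, "out" = site -> Internet
    proto: str              # "icmp", "udp" or "tcp"
    icmp_type: int = -1
    icmp_code: int = -1
    dst_port: int = -1


def decide(pkt: Packet) -> str:
    """Return "permit" or "deny" for one packet under the policy described above."""
    if pkt.proto == "icmp":
        t, c = pkt.icmp_type, pkt.icmp_code
        if pkt.direction == "in":
            if t == ECHO_REPLY:                                  # answers to our own ping
                return "permit"
            if t == DEST_UNREACH and c == CODE_FRAG_NEEDED:      # path MTU discovery must work
                return "permit"
            if t == TIME_EXCEEDED or (t == DEST_UNREACH and c == CODE_PORT_UNREACH):
                return "permit"                                  # answers to our traceroute
            return "deny"                                        # echo request and the rest
        if t == TIME_EXCEEDED:                                   # don't answer inbound traceroute
            return "deny"
        return "permit"
    if pkt.proto == "udp" and pkt.direction == "in" and pkt.dst_port in TRACEROUTE_PORTS:
        return "deny"                                            # inbound Unix-style probes
    return "permit"


def run_checks() -> dict:
    """Constructed sample packets, one per case the policy distinguishes."""
    samples = {
        "inbound ping": Packet("in", "icmp", ECHO_REQUEST, 0),
        "reply to our ping": Packet("in", "icmp", ECHO_REPLY, 0),
        "frag needed": Packet("in", "icmp", DEST_UNREACH, CODE_FRAG_NEEDED),
        "ttl exceeded for our traceroute": Packet("in", "icmp", TIME_EXCEEDED, 0),
        "inbound traceroute probe": Packet("in", "udp", dst_port=33434),
        "our router answering inbound traceroute": Packet("out", "icmp", TIME_EXCEEDED, 0),
        "our outbound ping": Packet("out", "icmp", ECHO_REQUEST, 0),
        "web traffic": Packet("in", "tcp", dst_port=80),
    }
    return {name: decide(p) for name, p in samples.items()}
```

Because the inbound error messages are permitted statelessly, any host can send them unsolicited; a stateful filter that accepts an ICMP error only when it matches an active outbound flow is the stronger form of the same policy.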
