Firewall Wizards mailing list archives
Re: ICMP blocking on PIX .4.4.1
From: Jeffery.Gieser () minnesotamutual com
Date: Fri, 21 Apr 2000 09:03:57 -0500
It has been a while since I have worked with PIX but you should just need to create a rule for ICMP traffic to get ping and traceroute to work. I did it and it worked fine.

conduit permit icmp any any

I would not suggest this because anyone can send ICMP traffic through your PIX. I would tighten it down so that you only allow ICMP traffic from your internal interface to your external interface. The problem is that if you tighten it down any further than the above rule, traceroute will stop working.

Traceroute works by sending a UDP packet, usually on port 33434, with a TTL of 1 to the IP address you are tracerouting to. The first router that gets this packet sends an ICMP "time exceeded" message back to you and drops the UDP packet. Your computer receives this and then sends another UDP packet with a TTL of 2, and this continues until you get to the destination you are tracerouting to. Once there, the host usually sends back a reset since the chances of a listen on UDP port 33434 are pretty remote.

The problem here is that the return error messages from the routers along the way are not from the destination address of the UDP packet and are not the same protocol. Even "Stateful Inspection" (sorry, I am a Sidewinder bigot and I couldn't resist a bit of sarcasm) can figure out that these packets should not be allowed through unless you have a rule allowing all ICMP from your external interface to your internal interface.

Regards,
Jeffery Gieser

owner-firewall-wizards(a)lists.net [INTERNET.LISTSERV]@SSW 04/21/2000 02:07 AM
To: Jeffery B Gieser/Minnesota Mutual@MINNESOTA MUTUAL
cc:
Subject: [fw-wiz] ICMP blocking on PIX .4.4.1

Yesterday our site underwent a Smurf attack which we quickly stopped by blocking ICMP traffic through the firewall. I have a need to perform traceroutes from inside to the outside through the PIX firewall (v 4.4.1). Is there a way to allow ping and traceroute from inside to outside and still defend against smurf-like attacks?
---------------------------------------------------------------- Get your free email from AltaVista at http://altavista.iname.com
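The following is an added simulation, not code from the post or from any PIX configuration, illustrating the traceroute mechanism described above and why a firewall that only matches return traffic against the outbound UDP flow drops the ICMP "time exceeded" replies. The topology (an inside host, three routers, a target in documentation address ranges) and the three firewall models are assumptions constructed for the example; the third model shows the alternative the post alludes to, admitting an ICMP error only when the datagram it quotes (RFC 792 errors carry the original IP header plus 8 bytes) matches a recorded outbound flow, which admits traceroute replies from any router while still dropping the unsolicited echo replies a smurf attack produces.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed topology (an assumption for this example, not from the post):
# the inside host, three routers on the way out, and the traceroute target.
# Addresses are from documentation ranges.
INSIDE_HOST = "10.0.0.5"
ROUTERS = ["10.0.0.1", "192.0.2.1", "198.51.100.1"]
TARGET = "203.0.113.9"
BASE_PORT = 33434  # classic traceroute's first UDP destination port


@dataclass(frozen=True)
class UDPDatagram:
    src: str
    dst: str
    sport: int
    dport: int
    ttl: int


@dataclass(frozen=True)
class ICMPMessage:
    src: str                       # router or host that generated it
    dst: str
    icmp_type: int                 # 0 echo reply, 3 dest unreachable, 11 time exceeded
    code: int
    quoted: Optional[UDPDatagram]  # ICMP errors quote the offending datagram (RFC 792)


def route_probe(probe: UDPDatagram) -> ICMPMessage:
    """Walk the probe hop by hop, decrementing the TTL, and return the ICMP
    message the network sends back: the router at which the TTL expires
    answers Time Exceeded from its own address, not from the target."""
    ttl = probe.ttl
    for router in ROUTERS:
        ttl -= 1
        if ttl == 0:
            return ICMPMessage(router, probe.src, 11, 0, probe)
    # Reached the target: nothing listens on a high UDP port, so the host
    # answers Destination Unreachable, code 3 (port unreachable).
    return ICMPMessage(TARGET, probe.src, 3, 3, probe)


class OpenICMPFirewall:
    """Equivalent of 'conduit permit icmp any any': every inbound ICMP
    packet is admitted, including unsolicited echo replies from a smurf."""
    def __init__(self):
        self.flows = set()

    def outbound(self, p: UDPDatagram):
        self.flows.add(("udp", p.src, p.dst, p.sport, p.dport))

    def inbound(self, m: ICMPMessage) -> bool:
        return True


class NaiveStatefulFirewall(OpenICMPFirewall):
    """Admits an inbound packet only if it is the exact reverse of a recorded
    outbound flow. An ICMP error is neither UDP nor from the flow's
    destination, so it never matches and traceroute sees nothing."""
    def inbound(self, m: ICMPMessage) -> bool:
        return ("icmp", m.dst, m.src) in self.flows


class ICMPErrorAwareFirewall(NaiveStatefulFirewall):
    """Additionally admits an ICMP error whose quoted datagram belongs to a
    recorded outbound flow, whichever router sent it. Unsolicited echo
    replies carry no quoted datagram and are still dropped."""
    def inbound(self, m: ICMPMessage) -> bool:
        if m.icmp_type in (3, 11) and m.quoted is not None:
            q = m.quoted
            return ("udp", q.src, q.dst, q.sport, q.dport) in self.flows
        return super().inbound(m)


def traceroute(firewall, max_hops: int = 8):
    """Return [(ttl, replying address)] as the inside host sees it; a reply
    the firewall drops shows up as None, like '*' in real traceroute output."""
    hops = []
    for ttl in range(1, max_hops + 1):
        probe = UDPDatagram(INSIDE_HOST, TARGET, 40000 + ttl, BASE_PORT + ttl - 1, ttl)
        firewall.outbound(probe)
        reply = route_probe(probe)
        if firewall.inbound(reply):
            hops.append((ttl, reply.src))
            if reply.src == TARGET:
                break
        else:
            hops.append((ttl, None))
    return hops


# Constructed: an unsolicited echo reply of the kind a smurf flood delivers.
SMURF_REPLY = ICMPMessage("192.0.2.77", INSIDE_HOST, 0, 0, None)


if __name__ == "__main__":
    for fw in (OpenICMPFirewall(), NaiveStatefulFirewall(), ICMPErrorAwareFirewall()):
        print(type(fw).__name__, traceroute(fw),
              "smurf reply admitted:", fw.inbound(SMURF_REPLY))
```

Running it shows the open rule and the error-aware rule both yield the four-hop trace, while the naive per-flow rule prints eight hops of None; only the open rule also admits the unsolicited echo reply.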
Current thread:
- ICMP blocking on PIX .4.4.1 phred (Apr 20)
- Re: ICMP blocking on PIX .4.4.1 R. DuFresne (Apr 21)
- Re: ICMP blocking on PIX .4.4.1 Bill Pennington (Apr 24)
- Re: ICMP blocking on PIX .4.4.1 Adam Olson (Apr 26)
- Re: ICMP blocking on PIX .4.4.1 nawk (Apr 26)
- Re: ICMP blocking on PIX .4.4.1 Jim Seymour (Apr 27)
- Re: ICMP blocking on PIX .4.4.1 R. DuFresne (Apr 28)
- ICMP blocking on PIX .4.4.1 majordomo (Apr 28)
- Re: ICMP blocking on PIX .4.4.1 Jim Seymour (Apr 27)
- <Possible follow-ups>
- Re: ICMP blocking on PIX .4.4.1 Jeffery . Gieser (Apr 24)
- Re: ICMP blocking on PIX .4.4.1 Steven M. Bellovin (Apr 28)