Firewall Wizards mailing list archives

Re: ICMP blocking on PIX .4.4.1


From: Jeffery.Gieser () minnesotamutual com
Date: Fri, 21 Apr 2000 09:03:57 -0500


It has been a while since I have worked with PIX but you should just need to
create a rule for ICMP traffic to get ping and traceroute to work.  I did it
and it worked fine.

conduit permit icmp any any

I would not suggest this because anyone can send ICMP traffic through your
PIX.  I would tighten it down so that you only allow ICMP traffic from your
internal interface to your external interface.  The problem is that if you
tighten it down any further than the above rule traceroute will stop
working.  Traceroute works by sending a UDP packet, usually on port 33434,
with a TTL of 1 to the IP Address you are tracerouting to.  The first router
that gets this packet sends an ICMP "time exceeded" message back to you and
drops the UDP packet.  Your computer receives this and then sends another UDP
packet with a TTL of 2 and this continues until you get to the destination
you are tracerouting to.  Once there the host usually sends back a reset
since the chances of a listen on UDP port 33434 are pretty remote.  The
problem here is that the return error messages from the routers along the way
are not from the destination address of the UDP packet and are not the same
protocol.  Even "Stateful Inspection" (Sorry, I am a Sidewinder bigot and I
couldn't resist a bit of sarcasm) can figure out that these packets should
not be allowed through unless you have a rule allowing all ICMP from your
external interface to your internal interface.

Regards,
Jeffery Gieser

 owner-firewall-wizards(a)lists.net [INTERNET.LISTSERV]@SSW
 04/21/2000 02:07 AM

   To: Jeffery B Gieser/Minnesota Mutual@MINNESOTA MUTUAL
   cc:
   Subject: [fw-wiz] ICMP blocking on PIX .4.4.1

Yesterday our site underwent a Smurf attack which we quickly stopped by
blocking ICMP traffic through the firewall.  I have a need to perform
traceroutes from inside to the outside through the PIX firewall (v 4.4.1.)
Is there a way to allow ping and traceroute from inside to outside and still
defend against smurf-like attacks?

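The reply above explains why a firewall that only matches replies against the outbound flow cannot let traceroute's answers back in: the probe goes out as UDP to the destination, but each answer comes back as ICMP from a router along the path. The following Python simulation is an added example, not code from this thread and not anything Cisco PIX does; every name in it (Packet, FiveTupleFirewall, RelatedIcmpFirewall, traceroute, the sample addresses) is an assumption made for illustration. It models the probe/answer exchange hop by hop, shows a strict 5-tuple state table dropping every answer, and then shows a narrower alternative to "permit icmp any any": admitting only ICMP error messages whose quoted original header (ICMP errors carry the offending IP header plus the first 8 bytes of the datagram, RFC 792) matches one of our own outbound probes. The destination's final answer is modelled as an ICMP port unreachable, and an unsolicited echo-reply flood of the kind a smurf victim receives is shown to be dropped by both variants.

```python
"""Simulated traceroute through a stateful firewall (added example, not PIX).

Shows why ICMP time-exceeded replies do not match the outbound UDP state, and
how matching on the original header quoted inside the ICMP error admits only
the replies our own probes provoked.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_TIME_EXCEEDED = 11
TRACEROUTE_BASE_PORT = 33434   # first UDP port classic traceroute probes

FlowKey = Tuple[str, str, str, int, int]   # (proto, src, dst, sport, dport)


@dataclass(frozen=True)
class Packet:
    proto: str                       # "udp" or "icmp"
    src: str
    dst: str
    ttl: int
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1
    # An ICMP error quotes the IP header plus the first 8 bytes of the datagram
    # that triggered it (RFC 792); modelled here as the offending packet's key.
    inner: Optional[FlowKey] = None


def flow_key(p: Packet) -> FlowKey:
    return (p.proto, p.src, p.dst, p.sport, p.dport)


def udp_probe(src: str, dst: str, ttl: int) -> Packet:
    """Traceroute probe: UDP to a high port nobody listens on, with a small TTL."""
    return Packet("udp", src, dst, ttl, sport=40000,
                  dport=TRACEROUTE_BASE_PORT + ttl - 1)


def icmp_error(sender: str, icmp_type: int, offending: Packet) -> Packet:
    """Router or host answer: from the sender's own address, protocol ICMP,
    addressed to the probe's source, with the probe's headers quoted inside."""
    return Packet("icmp", sender, offending.src, 64,
                  icmp_type=icmp_type, inner=flow_key(offending))


class FiveTupleFirewall:
    """State table keyed on the exact 5-tuple: an inbound packet is admitted
    only if it is the reverse of a recorded outbound flow."""

    def __init__(self) -> None:
        self.flows: Set[FlowKey] = set()

    def outbound(self, p: Packet) -> None:
        self.flows.add(flow_key(p))

    def allows_inbound(self, p: Packet) -> bool:
        return (p.proto, p.dst, p.src, p.dport, p.sport) in self.flows


class RelatedIcmpFirewall(FiveTupleFirewall):
    """Additionally admits ICMP errors whose quoted inner header matches one
    of our own outbound flows, without allowing ICMP in general."""

    def allows_inbound(self, p: Packet) -> bool:
        if super().allows_inbound(p):
            return True
        if p.proto == "icmp" and p.icmp_type in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
            # inner = (proto, src, dst, sport, dport) of the probe that triggered it;
            # it must be our flow and the error must be addressed to that probe's source.
            return p.inner is not None and p.inner in self.flows and p.dst == p.inner[1]
        return False


def traceroute(fw: FiveTupleFirewall, src: str, path: List[str], dst: str,
               max_hops: int = 30) -> List[Optional[str]]:
    """Send probes with TTL 1, 2, ... through fw; path lists the routers before dst.
    Returns, per hop, the replying address or None if the firewall dropped it."""
    seen: List[Optional[str]] = []
    for ttl in range(1, max_hops + 1):
        probe = udp_probe(src, dst, ttl)
        fw.outbound(probe)
        if ttl <= len(path):
            reply = icmp_error(path[ttl - 1], ICMP_TIME_EXCEEDED, probe)
        else:
            # Destination reached: nothing listens on that UDP port, so the host
            # answers with ICMP port unreachable.
            reply = icmp_error(dst, ICMP_DEST_UNREACH, probe)
        seen.append(reply.src if fw.allows_inbound(reply) else None)
        if reply.icmp_type == ICMP_DEST_UNREACH:
            break
    return seen


def unsolicited_echo_reply_allowed(fw: FiveTupleFirewall, victim: str) -> bool:
    """A smurf flood arrives as echo replies nobody asked for; there is no
    outbound state for them, so neither firewall variant admits them."""
    flood = Packet("icmp", "198.51.100.9", victim, 64, icmp_type=ICMP_ECHO_REPLY)
    return fw.allows_inbound(flood)


# Constructed sample topology (documentation addresses, not real hosts).
INSIDE_HOST = "192.168.1.10"
HOPS = ["10.0.0.1", "203.0.113.1", "198.51.100.1"]
TARGET = "192.0.2.80"

if __name__ == "__main__":
    print("5-tuple only :", traceroute(FiveTupleFirewall(), INSIDE_HOST, HOPS, TARGET))
    print("related ICMP :", traceroute(RelatedIcmpFirewall(), INSIDE_HOST, HOPS, TARGET))
```

Run as a script, the first line prints a list of four `None` entries (every hop's answer dropped) and the second prints the three router addresses followed by the target, while the unsolicited echo-reply check returns False for both firewalls. The design point is that the decision to admit an ICMP error is taken on the header it quotes, not on its own source address, which is exactly the field the reply above notes is "not the destination address of the UDP packet".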