Firewall Wizards mailing list archives
Re: ICMP blocking on PIX .4.4.1
From: jseymour () LinxNet com (Jim Seymour)
Date: Thu, 27 Apr 2000 09:40:48 -0400 (EDT)
nawk <nawk () real-secure com> wrote:
> I think it's best practice to block things like icmp and spoofing on your routers not firewall. The firewall is just to block things like ports and prevent access to your internal network.
Two schools of thought on that. The consultant that installed our first Gauntlet firewall (TIS was offering at the time free installs and one day of training for up to three people) recommended that the router be stripped of *all* packet filtering rules so that the firewall would see everything. His logic was that Gauntlet was much more capable at detecting and reporting activity than was the firewall router. My feeling was that sufficient rules to protect the *router* itself had to remain. So that's what I did: the router has only enough rules in it to protect *it*. The firewall gets everything else. (Except when I get really fed up with something. Then I block it at the router.)

Note also that there is a potential problem in simply outright blocking all ICMP at the router. If you're running a mail gateway on the firewall (as I do [Postfix]), blocking ICMP path MTU discovery can lead to SMTP sessions timing out on large emails. (See, for example: http://msgs.SecurePoint.com/cgi-bin/get/postfix9904/37/1.html.) And I don't see any particular reason why others shouldn't be allowed to ping my firewall.

Allowing ICMP (or any connection-less protocol, such as UDP) *through* the firewall is another issue entirely. Connection-less protocols are not safe. Cannot be made safe. Other than perhaps allowing syslog from the router to a syslog host, specifically, I don't see any particular reason to allow any UDP through a firewall.

As regards the original poster's query: I don't know the PIX firewall, but wouldn't it be possible to log on to the PIX and run your pings and traceroutes from there? Less convenient, to be sure. But far safer than allowing UDP through it, I should think. I'll take safety over convenience any day.

Regards,
Jim

--
Jim Seymour | PGP Public Key available at:
jseymour () LinxNet com | http://www.cam.ac.uk.pgp.net/pgpnet/wwwkeys.html
http://home.msen.com/~jimsun | http://www.trustcenter.de/cgi-bin/SearchCert.cgi
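An added example, not part of the post above or written by its author, showing the path MTU discovery point concretely: it decodes the ICMP "fragmentation needed" message (type 3, code 4) that a blanket "deny all ICMP" router rule silently drops, and evaluates it against a simplified first-match ACL model in which only that message type and ping are permitted to the firewall's own address. The addresses, the ACL representation and the packet contents are constructed for the example and are not PIX or router syntax.

```python
import struct
from ipaddress import IPv4Address
FIREWALL = IPv4Address("192.0.2.1")  # constructed: the firewall/mail gateway's address

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; over a packet with a valid checksum it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frag_needed(next_hop_mtu: int, orig_src: str, orig_dst: str, dport: int) -> bytes:
    """Constructed ICMP type 3 code 4 (RFC 1191) as a router returns it to orig_src."""
    # Original IPv4 header (DF set, protocol 6 = TCP) plus the first 8 bytes of the segment.
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 1, 0x4000, 64, 6, 0,
                           IPv4Address(orig_src).packed, IPv4Address(orig_dst).packed)
    inner_l4 = struct.pack("!HHI", 40000, dport, 1)  # src port, dst port, seq number
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + inner_ip + inner_l4
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def parse_icmp(pkt: bytes) -> dict:
    """Decode the ICMP header; for frag-needed also recover the MTU and the original flow."""
    if inet_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", pkt[:8])
    info = {"type": icmp_type, "code": code}
    if icmp_type == 3 and code == 4:
        inner = pkt[8:]
        ihl = (inner[0] & 0x0F) * 4
        _sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
        info.update(next_hop_mtu=mtu, proto=inner[9], orig_dport=dport,
                    orig_src=str(IPv4Address(inner[12:16])),
                    orig_dst=str(IPv4Address(inner[16:20])))
    return info

# Router ACL models as (action, icmp_type, icmp_code, destination); None matches anything.
BLOCK_ALL_ICMP = [("deny", None, None, None)]        # the blanket block discussed above
PMTUD_SAFE = [("permit", 3, 4, FIREWALL),   # fragmentation-needed, to the firewall only
              ("permit", 8, 0, FIREWALL),   # echo request, so others can still ping it
              ("permit", 0, 0, FIREWALL),   # echo reply
              ("deny", None, None, None)]   # all other ICMP stays blocked

def router_verdict(rules, pkt: bytes, dst: str) -> str:
    """First-match ACL evaluation for an ICMP packet addressed to dst."""
    info = parse_icmp(pkt)
    for action, t, c, d in rules:
        if t in (None, info["type"]) and c in (None, info["code"]) and d in (None, IPv4Address(dst)):
            return action
    return "deny"
```

The frag-needed message is addressed back to the host that sent the oversized segment, so the mail gateway on the firewall never learns the smaller MTU under the blanket rule and keeps retransmitting until the SMTP session times out.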