Firewall Wizards mailing list archives

Re: ICMP blocking on PIX .4.4.1


From: jseymour () LinxNet com (Jim Seymour)
Date: Thu, 27 Apr 2000 09:40:48 -0400 (EDT)

nawk <nawk () real-secure com> wrote:

      I think it's best practice to block things like icmp and spoofing
      on your routers not firewall. The firewall is just to block things like
      ports and prevent access to your internal network.

Two schools of thought on that.  The consultant that installed our
first Gauntlet firewall (TIS was offering at the time free installs and
one day of training for up to three people) recommended that the router
be stripped of *all* packet filtering rules so that the firewall would
see everything.  His logic was that Gauntlet was much more capable at
detecting and reporting activity than was the firewall router.

My feeling was that sufficient rules to protect the *router* itself had
to remain.  So that's what I did: the router has only enough rules in
it to protect *it*.  The firewall gets everything else.  (Except when I
get really fed up with something.  Then I block it at the router.)

Note also that there is a potential problem in simply outright
blocking all ICMP at the router.  If you're running a mail gateway on
the firewall (as I do [Postfix]), blocking ICMP path MTU discovery can
lead to SMTP sessions timing out on large emails.  (See, for example:
http://msgs.SecurePoint.com/cgi-bin/get/postfix9904/37/1.html.)  And I
don't see any particular reason why others shouldn't be allowed to ping
my firewall.

Allowing ICMP (or any connection-less protocol, such as UDP) *through*
the firewall is another issue entirely.  Connection-less protocols are
not safe.  Cannot be made safe.  Other than perhaps allowing syslog
from the router to a syslog host, specifically, I don't see any
particular reason to allow any UDP through a firewall.

As regards the original poster's query: I don't know the PIX firewall,
but wouldn't it be possible to log on to the PIX and run your pings and
traceroutes from there?  Less convenient, to be sure.  But far safer
than allowing UDP through it, I should think.  I'll take safety over
convenience any day.


Regards,
Jim
-- 
Jim Seymour                  | PGP Public Key available at:
jseymour () LinxNet com         | http://www.cam.ac.uk.pgp.net/pgpnet/wwwkeys.html
http://home.msen.com/~jimsun | http://www.trustcenter.de/cgi-bin/SearchCert.cgi
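As an added illustration of the approach described in the post (the router carries only enough rules to protect itself and to stop obvious spoofing, while the ICMP that path MTU discovery, ping and traceroute depend on is left open so large SMTP sessions to the mail gateway do not stall), here is a Cisco IOS extended access list. It is example configuration written for this archive page, not configuration from the original message, and every address in it is a constructed placeholder: 203.0.113.2 is the router's Internet-facing address, 198.51.100.0/24 is the site's public range, 198.51.100.1 is the firewall (running the mail gateway) and 198.51.100.254 is the router's inside address.

```cisco
! Constructed example: inbound filter on the router's Internet-facing interface.
! Placeholders: 203.0.113.2 = router outside address, 198.51.100.254 = router
! inside address, 198.51.100.1 = firewall/mail gateway, 198.51.100.0/24 = our range.
ip access-list extended EDGE-IN
 remark --- anti-spoofing: our own and loopback addresses never arrive from outside
 deny   ip 198.51.100.0 0.0.0.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 remark --- protect the router itself: no TCP or UDP from the Internet to it
 deny   tcp any host 203.0.113.2 log
 deny   udp any host 203.0.113.2 log
 deny   tcp any host 198.51.100.254 log
 deny   udp any host 198.51.100.254 log
 remark --- ICMP type 3 code 4 keeps path MTU discovery working for large mail
 permit icmp any any packet-too-big
 remark --- outsiders may ping the firewall; replies for our own ping/traceroute
 permit icmp any host 198.51.100.1 echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
 remark --- all other ICMP is dropped here; count it rather than log every packet
 deny   icmp any any
 remark --- everything else is the firewall's decision, not the router's
 permit ip any any
!
interface Serial0
 ip access-group EDGE-IN in
```

Verify the PMTUD rule with `show ip access-lists EDGE-IN` after sending a large message through the gateway: the `packet-too-big` line should show matches when a smaller-MTU path is in play, and the two `deny tcp/udp ... host` lines should be the only ones logging hits against the router's own addresses.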