Firewall Wizards mailing list archives
Re: blocking icmp type 3
From: Kimmo Suominen <kim () tac nyc ny us>
Date: Fri, 25 Aug 2000 16:30:13 -0400
Jan,

I've been happy with the following (guru or not):

- ICMP ECHOREPLY (0): so that you can ping nodes outside
- ICMP UNREACH (3): I allow all, but consider at least the following:
  o NET(0) and HOST(1): so you don't hang when a network is unavailable
  o PORT(3): so you don't hang when a service is not running on the remote
  o NEEDFRAG(4): if any application sets "DON'T FRAGMENT" on outgoing packets; Path MTU Discovery depends on this
  o ADMIN_PROHIBIT: so you don't hang when a firewall blocks you
- ICMP SOURCEQUENCH: I don't think I've seen this, though
- ICMP ECHO: I started allowing ping in because too many people complained they couldn't ping my web/smtp/ftp/dns/other server; you could disallow this and not have other than human problems
- ICMP TIMXCEED: so you don't hang when there is a routing loop; this is also what traceroute depends on [INTRANS(0)]
- ICMP PARAMPROB: I don't think I've seen this, either

I would especially block the following:

- ICMP REDIRECT: these are good for DoS attacks only; there is no reason to receive these through routers, and you should not see these on routers that have valid routing tables (it is better to fix the routing problem than to depend on ICMP REDIRECT messages to adjust your routing table)
- ICMP ROUTERADVERT: these may cause havoc if you use router discovery

ICMP UNREACH is another tool for DoS attacks, especially with some older TCP/IP stacks. I'm not up-to-date on the current situation, and would like to hear from others on this topic.

Cheers,
+ Kim

--
Kimmo Suominen                  Global Wire Oy
kim () tac nyc ny us            +1 (212) 699-4461

| From: Jan Stifter <j.stifter () medres ch>
| Date: Fri, 25 Aug 2000 07:42:10 +0200
|
| hi gurus,
| recently, I blocked on a firewall box (3 ethernet interfaces, one to
| provider, one for private IPs, one for official) icmp almost
| completely.
|
| I allowed only incoming and outgoing icmp type 3 code 4
| (fragmentation-needed), due to a paper describing the importance of
| this type of icmp-message (www.worldgate.com/~marcs/mtu/)
|
| it happened then, that there were "hangers" in the network, so that
| people from inside could not reach a site outside immediately.
|
| can anyone explain to me, what other icmp types I should allow to
| avoid any networking problems? if possible, I would like to block as
| many icmp types as possible.
|
| many thanks in advance
|
| jan
|
| ---
| Jan Stifter
| http://www.medres.ch/~jstifter/

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
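As an added illustration (not code from the thread or from either poster), here is a small Python policy check that parses the type and code from a raw ICMP message, verifies its checksum, and applies the allow/block list Kim gives above: types 0, 3 (every code), 4, 8, 11 and 12 are accepted, REDIRECT (5) and ROUTERADVERT (9) are dropped, and everything else is dropped by default, which matches Jan's goal of blocking as much ICMP as possible. The numeric type values come from RFC 792 (the message names them only symbolically), and the sample messages are constructed for the test.

```python
import struct

# ICMP type numbers from RFC 792 (the reply names them only symbolically)
ECHOREPLY, UNREACH, SOURCEQUENCH, REDIRECT = 0, 3, 4, 5
ECHO, ROUTERADVERT, TIMXCEED, PARAMPROB = 8, 9, 11, 12

# Policy as stated in the reply: accept these types (type 3 with any code),
# explicitly drop REDIRECT and ROUTERADVERT, drop everything else by default.
ACCEPT_TYPES = {ECHOREPLY, UNREACH, SOURCEQUENCH, ECHO, TIMXCEED, PARAMPROB}
DROP_TYPES = {REDIRECT, ROUTERADVERT}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4) -> bytes:
    """Construct a sample ICMP message with a valid checksum (test input only)."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest
    return header[:2] + struct.pack("!H", icmp_checksum(header)) + header[4:]


def parse_icmp(msg: bytes):
    """Return (type, code, checksum_ok) for a raw ICMP message."""
    if len(msg) < 8:
        raise ValueError("ICMP message must be at least 8 bytes")
    icmp_type, code, stored = struct.unpack("!BBH", msg[:4])
    ok = icmp_checksum(msg[:2] + b"\x00\x00" + msg[4:]) == stored
    return icmp_type, code, ok


def decide(msg: bytes) -> str:
    """Apply the filtering policy to one inbound ICMP message."""
    icmp_type, code, ok = parse_icmp(msg)
    if not ok or icmp_type in DROP_TYPES:
        return "drop"          # malformed, or a type the reply says to block
    if icmp_type in ACCEPT_TYPES:
        return "accept"        # type 3 is accepted regardless of code
    return "drop"              # default deny: block as much ICMP as possible


if __name__ == "__main__":
    for t, c in [(3, 4), (11, 0), (5, 1), (9, 0), (13, 0)]:
        print("type %2d code %d -> %s" % (t, c, decide(build_icmp(t, c))))
```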
Current thread:
- blocking icmp type 3 Jan Stifter (Aug 25)
- Re: blocking icmp type 3 Kimmo Suominen (Aug 26)
- Re: blocking icmp type 3 Alexander Schreiber (Aug 26)
- Re: blocking icmp type 3 Patrick Darden (Aug 26)
- RE: blocking icmp type 3 Ofir Arkin (Aug 26)
- Re: blocking icmp type 3 Gé Weijers (Aug 28)