Firewall Wizards mailing list archives

Re: blocking icmp type 3


From: Kimmo Suominen <kim () tac nyc ny us>
Date: Fri, 25 Aug 2000 16:30:13 -0400

Jan,

I've been happy with the following (guru or not):
- ICMP ECHOREPLY (0):  so that you can ping nodes outside
- ICMP UNREACH (3):  I allow all, but consider at least the following:
  o NET(0) and HOST(1):  so you don't hang when a network is unavailable
  o PORT(3): so you don't hang when a service is not running on the remote
  o NEEDFRAG(4): if any application sets "DON'T FRAGMENT" on outgoing
    packets; Path MTU Discovery depends on this
  o ADMIN_PROHIBIT:  so you don't hang when a firewall blocks you
- ICMP SOURCEQUENCH:  I don't think I've seen this, though
- ICMP ECHO:  I started allowing ping in because too many people complained
  they couldn't ping my web/smtp/ftp/dns/other server;  you could disallow
  this and not have other than human problems
- ICMP TIMXCEED: so you don't hang when there is a routing loop;  this is
  also what traceroute depends on [INTRANS(0)]
- ICMP PARAMPROB: I don't think I've seen this, either

I would especially block the following:
- ICMP REDIRECT: these are good for DoS attacks only;  there is no reason
  to receive these through routers, and you should not see these on routers
  that have valid routing tables (it is better to fix the routing problem
  than to depend on ICMP REDIRECT messages to adjust your routing table)
- ICMP ROUTERADVERT: these may cause havoc if you use router discovery

ICMP UNREACH is another tool for DoS attacks, especially with some older
TCP/IP stacks.  I'm not up-to-date on the current situation, and would
like to hear from others on this topic.

Cheers,
+ Kim
-- 
Kimmo Suominen
Global Wire Oy
kim () tac nyc ny us
+1 (212) 699-4461


| From:    Jan Stifter <j.stifter () medres ch>
| Date:    Fri, 25 Aug 2000 07:42:10 +0200
|
| hi gurus,
| recently, i blocked on a firewall box (3 ethernet interfaces, one to
| provider, one for private IPs, one for official) icmp almost
| completely.
|
| i allowed only incoming and outgoing icmp type 3 code 4
| (fragmentation-needed), due to a paper describing the importance of
| this type of icmp-message (www.worldgate.com/~marcs/mtu/)
|
| it happened then, that there were "hangers" in the network, so that
| people from inside could not reach a site outside immediately.
|
| can anyone explain to me, what other icmp types i should allow to
| avoid any networking problems? if possible, i would like to block as
| many icmp types as possible.
|
| many thanks in advance
|
| jan
|
| ---
| Jan Stifter
| http://www.medres.ch/~jstifter/
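
The allow/block list from Kim's reply, written out as a small packet filter. This is an added example and not code from Kim, Jan, or the list: it parses a raw ICMP header, rejects messages with a bad checksum, and then applies the per-type policy from the message. Dropping any type the message does not mention is my assumption; the email does not state a default.

```python
"""Added example: encode the ICMP policy from the reply as a lookup and apply
it to raw ICMP messages, checking the RFC 1071 checksum first."""
import struct

# ICMP type numbers (RFC 792); names follow the BSD constants used in the reply.
ECHOREPLY, UNREACH, SOURCEQUENCH, REDIRECT, ECHO = 0, 3, 4, 5, 8
ROUTERADVERT, TIMXCEED, PARAMPROB = 9, 11, 12

# Types the reply allows (all UNREACH codes, as the author does) and the two it
# says to block. Unlisted types fall through to drop (assumption, not from the
# message).
ALLOWED_TYPES = {ECHOREPLY, UNREACH, SOURCEQUENCH, ECHO, TIMXCEED, PARAMPROB}
BLOCKED_TYPES = {REDIRECT, ROUTERADVERT}


def icmp_checksum(data: bytes) -> int:
    """One's-complement checksum over header plus payload (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd length for 16-bit words
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Constructed test message: type, code, valid checksum, zeroed rest-of-header."""
    header = struct.pack("!BBHI", icmp_type, code, 0, 0)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, 0) + payload


def filter_icmp(packet: bytes) -> str:
    """Return 'allow' or 'drop' for one raw ICMP message under the policy above."""
    if len(packet) < 8:
        return "drop"                        # truncated header
    icmp_type, _code, _csum = struct.unpack("!BBH", packet[:4])
    if icmp_checksum(packet) != 0:           # a valid message sums to zero
        return "drop"
    if icmp_type in BLOCKED_TYPES:           # REDIRECT, ROUTERADVERT
        return "drop"
    if icmp_type in ALLOWED_TYPES:
        return "allow"
    return "drop"                            # default for unlisted types
```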

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards

