Firewall Wizards mailing list archives

Re: blocking icmp type 3


From: Alexander Schreiber <Alexander.Schreiber () Informatik TU-Chemnitz DE>
Date: Sat, 26 Aug 2000 00:34:04 +0200 (MET DST)

On Fri, 25 Aug 2000, Jan Stifter wrote:

> Hi gurus,
> recently, I blocked on a firewall box (3 ethernet interfaces, one to
> provider, one for private IPs, one for official) ICMP almost
> completely.
>
> I allowed only incoming and outgoing ICMP type 3 code 4
> (fragmentation-needed), due to a paper describing the importance of
> this type of ICMP message (www.worldgate.com/~marcs/mtu/).
>
> It happened then that there were "hangers" in the network, so that
> people from inside could not reach a site outside immediately.
>
> Can anyone explain to me what other ICMP types I should allow to
> avoid any networking problems? If possible, I would like to block as
> many ICMP types as possible.

You should also allow the different unreachable types (port/host/net) so
your clients don't have to wait for timeouts if they try to access 
services that are not available.

Regards,
       Alex.
-- 
------------------------------------------------------------------------------ 
 EMail : als () thangorodrim de              | WWW : http://www.thangorodrim.de/
 "I think there's a world market for about five computers."
         -- attr. Thomas J. Watson (Chairman of the Board, IBM), 1943

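Added example, not part of the thread or of either poster's setup: a small Python filter that parses ICMP Destination Unreachable (type 3) messages and applies the policy discussed above (pass net/host/port unreachable and fragmentation-needed), and goes one step further by accepting an error only when the original datagram embedded in it belongs to a flow an inside host actually started. The flow table, sample addresses and the `build_unreachable` helper are constructed for illustration.

```python
import socket
import struct

# Type 3 codes the thread says to pass: net (0), host (1), port (3) unreachable
# and fragmentation-needed (4), which path MTU discovery depends on.
ALLOWED_UNREACH_CODES = {0, 1, 3, 4}

def icmp_checksum(data: bytes) -> int:
    """RFC 792 ones'-complement sum; returns 0 for a correctly filled-in message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_unreachable(icmp: bytes) -> dict:
    """Parse a type 3 message; the flow it refers to comes from the embedded
    original IP header plus the first 8 bytes of the original payload."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("truncated: no embedded IP header + 8 payload bytes")
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if itype != 3 or icmp_checksum(icmp) != 0:
        raise ValueError("not a valid destination-unreachable message")
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 4:
        raise ValueError("embedded IP header is malformed or truncated")
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {"code": code, "next_hop_mtu": mtu if code == 4 else None,
            "flow": (inner[9], socket.inet_ntoa(inner[12:16]), sport,
                     socket.inet_ntoa(inner[16:20]), dport)}

def decide(icmp: bytes, outbound_flows: set) -> str:
    """Accept a permitted code only when it refers to a flow an inside host
    started; outbound_flows holds (proto, src, sport, dst, dport) tuples."""
    try:
        info = parse_unreachable(icmp)
    except ValueError:
        return "drop"
    if info["code"] not in ALLOWED_UNREACH_CODES:
        return "drop"
    return "accept" if info["flow"] in outbound_flows else "drop"

def build_unreachable(code, mtu, proto, src, sport, dst, dport) -> bytes:
    """Construct a sample type 3 message for testing (constructed, not captured)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, proto, 0,
                           socket.inet_aton(src), socket.inet_aton(dst))
    body = (struct.pack("!BBHHH", 3, code, 0, 0, mtu) + inner_ip
            + struct.pack("!HH", sport, dport) + b"\x00" * 4)
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]
```

Errors whose embedded header matches no known outbound flow, carry a code outside the allowed set, or fail the checksum are dropped, which is what keeps an open type 3 rule from becoming a hole while still letting the unreachables the reply recommends through.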

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
