Firewall Wizards mailing list archives

RE: Blocking ICMP with ipchains


From: "Ryan Russell" <Ryan.Russell () sybase com>
Date: Sun, 16 Jan 2000 19:12:58 -0800




How could blocking all ICMP cause a problem?  I have worked with two rather
large networks that blocked all ICMP at the router level.  Were we just lucky
not to have any problems?

I guess.  That, or you didn't need the services that you ended up breaking.

If you don't accept ICMP unreachables, traceroute won't work.  For other
standard ICMP unreachable stuff, you'll eventually time out instead of getting
immediate notification.

You'll also break MTU path discovery, which will prevent you from communicating
with a number of sites.  One that I've encountered of that sort that is popular
is Hotmail.  I'm only aware of Solaris machines having this on by default.

These ICMP messages are particularly ugly, too, since they can legitimately come
from any router between you and the host you're talking to, so there's no
way to predict what IP address they'll come from; you have to let 'em all in.

                              Ryan
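As an added illustration of the trade-off described above (not part of the original post or the ipchains project), here are two ipchains input-chain rulesets side by side: the blanket ICMP block that breaks traceroute, unreachable notification and path MTU discovery, and a selective one that keeps those message types while still denying the rest. It assumes an ipchains-era Linux 2.2 host; the helper only applies the rules when the ipchains binary is present, otherwise it just prints them.

```shell
# Added example, not from the post. Generates ipchains rules for the input chain.
# No source-address filter is applied to the accepted ICMP types: as the post
# notes, unreachables and time-exceeded can legitimately arrive from any router
# on the path, so they cannot be pinned to a known sender.

# Weak ruleset: drop every ICMP message. This is the configuration the post
# warns about (no traceroute, slow timeouts instead of immediate unreachables,
# and broken path MTU discovery because fragmentation-needed is type 3 code 4).
weak_ruleset() {
    cat <<'EOF'
ipchains -A input -p icmp -j DENY
EOF
}

# Hardened ruleset: accept only the ICMP types the post says you cannot live
# without, then deny the rest. destination-unreachable covers all type-3 codes,
# including fragmentation-needed (code 4) used by path MTU discovery;
# time-exceeded (type 11) is what traceroute relies on; echo-reply lets our own
# outbound pings get answered. Order matters: ACCEPT rules must precede the DENY.
hardened_ruleset() {
    cat <<'EOF'
ipchains -A input -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A input -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A input -p icmp --icmp-type echo-reply -j ACCEPT
ipchains -A input -p icmp -j DENY
EOF
}

# accepts_icmp_type RULESET_FUNC ICMP_TYPE_NAME
# Exit 0 if the generated ruleset contains an ACCEPT rule for that ICMP type.
accepts_icmp_type() {
    "$1" | grep -q -- "--icmp-type $2 -j ACCEPT"
}

# apply_ruleset RULESET_FUNC
# Feed the rules to the shell when ipchains is installed; otherwise print them
# so the script is safe to run on a host without ipchains.
apply_ruleset() {
    if command -v ipchains >/dev/null 2>&1; then
        "$1" | sh
    else
        "$1"
    fi
}
```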
