Firewall Wizards mailing list archives

RE: Blocking ICMP with ipchains


From: "Staggs, Michael" <Michael_Staggs () NAI com>
Date: Mon, 17 Jan 2000 19:59:18 -0800

Carric is right. The appropriate firewall paradigm is to block EVERYTHING as
a first step. Then allow what you need. This does not apply to only ICMP, it
applies to all protocols, period.

Plug in a Sniffer on the wire at both the untrusted and the trusted
interfaces. What protocols are in use on your network now? Do you need them?
Why enable a possible problem that exists with a protocol or an app that you
don't even use? Plan your installation accordingly.

Configure your firewall in parallel with your existing gateway. Schedule
downtime for the cutover. Keep your Sniffer handy to troubleshoot. Above all
remember that firewalls are not easy; it takes knowledge of mail, DNS,
routing, TCP, IP, UDP, OS's, you get the picture. Take it easy on yourself
if you don't know everything at once. Time and experience will take care of
it.

Good luck

MJ

-----Original Message-----
From: Carric Dooley [mailto:carric () com2usa com]
Sent: Friday, January 14, 2000 9:02 AM
To: wwebb () adni net; firewall-wizards () nfr net
Subject: Re: Blocking ICMP with ipchains


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

That is kind of the opposite way to look at it...  Block ALL ICMP and
then allow:

echo reply
source quench
destination unreachable
(and time exceeded if you use traceroute a lot)

This just lets a response come back when you ping a host, lets
routers tell you you are sending too much traffic and that your
destination is unreachable, and the Time Exceeded I left open to get
responses when doing a traceroute.


Carric Dooley
Network Security Consultant

"A little inaccuracy sometimes saves a ton of explanation."
- H. H. Munro (Saki) (1870-1916)
----- Original Message -----
From: <wwebb () adni net>
To: <firewall-wizards () nfr net>
Sent: Tuesday, January 11, 2000 7:18 PM
Subject: Blocking ICMP with ipchains


I've heard that it is not wise to block all ICMP operations.  Such
being the case, which of these ICMP operations are safe to block
without causing serious problems:

echo-reply (pong)
destination-unreachable
   network-unreachable
   host-unreachable
   protocol-unreachable
   port-unreachable
   fragmentation-needed
   source-route-failed
   network-unknown
   host-unknown
   network-prohibited
   host-prohibited
   TOS-network-unreachable
   TOS-host-unreachable
   communication-prohibited
   host-precedence-violation
   precedence-cutoff
source-quench
redirect
   network-redirect
   host-redirect
   TOS-network-redirect
   TOS-host-redirect
echo-request (ping)
router-advertisement
router-solicitation
time-exceeded (ttl-exceeded)
   ttl-zero-during-transit
   ttl-zero-during-reassembly
parameter-problem
   ip-header-bad
   required-option-missing
timestamp-request
timestamp-reply
address-mask-request
address-mask-reply

Thanks for any assistance.


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1 for non-commercial use <http://www.pgp.com>

iQA/AwUBOH9WheuEoPqp8SMeEQJO2QCgj7yC219XFbuUBGuWbQp1E7hX8ywAoMsW
UzFROSC1kouTn7ca8+wHQnCH
=BU8q
-----END PGP SIGNATURE-----
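The policy the thread converges on (Michael's "block everything first", Carric's short inbound ICMP allow list) is easy to get wrong when the rules are typed in the wrong order. The example below is an added illustration, not code from any poster: it models an ipchains-style first-match chain with a DENY default policy, evaluates constructed inbound ICMP messages against it, and renders the equivalent ipchains command lines. The chain name `input`, the interface `eth0`, and the decision to keep time-exceeded open (traceroute in use) are assumptions; the type numbers are the standard RFC 792 assignments for the ipchains type names listed in the original question. Rules for the non-ICMP protocols you actually need would be added to the same chain and are out of scope here.

```python
"""Default-deny inbound ICMP policy as a first-match chain (constructed example)."""
from collections import namedtuple

# ipchains --icmp-type names from the thread -> ICMP type numbers (RFC 792).
ICMP_TYPES = {
    "echo-reply": 0,
    "destination-unreachable": 3,
    "source-quench": 4,
    "redirect": 5,
    "echo-request": 8,
    "router-advertisement": 9,
    "router-solicitation": 10,
    "time-exceeded": 11,
    "parameter-problem": 12,
    "timestamp-request": 13,
    "timestamp-reply": 14,
    "address-mask-request": 17,
    "address-mask-reply": 18,
}
TYPE_NAMES = {number: name for name, number in ICMP_TYPES.items()}

# Carric's inbound allow list; time-exceeded is kept because we assume
# traceroute is used regularly. Everything else falls through to DENY.
INBOUND_ALLOW = ("echo-reply", "source-quench",
                 "destination-unreachable", "time-exceeded")

# icmp_type None means "any ICMP type" (a catch-all rule).
Rule = namedtuple("Rule", "icmp_type target")


def build_chain(allow=INBOUND_ALLOW):
    """One ACCEPT per allowed type, followed by an explicit catch-all DENY.

    Order matters: ipchains stops at the first matching rule, so the
    catch-all must come last or it shadows every ACCEPT above it."""
    chain = [Rule(ICMP_TYPES[name], "ACCEPT") for name in allow]
    chain.append(Rule(None, "DENY"))
    return chain


def walk_chain(chain, icmp_type, policy="DENY"):
    """Return the verdict for an inbound ICMP message of the given type number.

    First matching rule wins; if nothing matches, the chain's default
    policy applies (DENY, per the "block everything first" advice)."""
    for rule in chain:
        if rule.icmp_type is None or rule.icmp_type == icmp_type:
            return rule.target
    return policy


def render_ipchains(chain, chain_name="input", iface="eth0"):
    """Render the chain as ipchains commands, default policy first."""
    lines = [f"ipchains -P {chain_name} DENY"]
    for rule in chain:
        match = ""
        if rule.icmp_type is not None:
            match = f" --icmp-type {TYPE_NAMES[rule.icmp_type]}"
        lines.append(f"ipchains -A {chain_name} -i {iface} -p icmp{match} "
                     f"-j {rule.target}")
    return lines


def audit(chain):
    """Verdict for every ICMP type the original question listed."""
    return {name: walk_chain(chain, number)
            for name, number in sorted(ICMP_TYPES.items(), key=lambda kv: kv[1])}


if __name__ == "__main__":
    chain = build_chain()
    for name, verdict in audit(chain).items():
        print(f"{name:25s} {verdict}")
    print()
    print("\n".join(render_ipchains(chain)))
```

Running the script prints the verdict for each type in the question (only the four allowed types come back ACCEPT; redirect, echo-request, timestamp and address-mask traffic are all dropped) followed by the rule lines. Swapping the catch-all DENY to the front of the chain makes every type DENY, which `walk_chain` shows directly and which is the most common way this policy silently breaks ping and traceroute replies.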
