Firewall Wizards mailing list archives
RE: Blocking ICMP with ipchains
From: "Staggs, Michael" <Michael_Staggs () NAI com>
Date: Mon, 17 Jan 2000 19:59:18 -0800
Carric is right. The appropriate firewall paradigm is to block EVERYTHING as a first step. Then allow what you need. This does not apply to only ICMP, it applies to all protocols- period.

Plug in a Sniffer on the wire at both the untrusted and the trusted interfaces. What protocols are in use on your network now? Do you need them? Why enable a possible problem that exists with a protocol or an app that you don't even use? Plan your installation accordingly. Configure your firewall in parallel with your existing gateway. Schedule downtime for the cutover. Keep your Sniffer handy to troubleshoot.

Above all remember that firewalls are not easy- it takes knowledge of mail, DNS, routing, TCP, IP, UDP, OS's, you get the picture. Take it easy on yourself if you don't know everything at once. Time and experience will take care of it.

Good luck
MJ

-----Original Message-----
From: Carric Dooley [mailto:carric () com2usa com]
Sent: Friday, January 14, 2000 9:02 AM
To: wwebb () adni net; firewall-wizards () nfr net
Subject: Re: Blocking ICMP with ipchains

That is kind of the opposite way to look at it... Block ALL ICMP and then allow:

  echo reply
  source quench
  destination unreachable
  (and time exceeded if you use traceroute a lot)

This just lets a response come back when you ping a host, lets routers tell you you are sending too much traffic and that your destination is unreachable, and the Time Exceeded I left open to get responses when doing a traceroute.

Carric Dooley
Network Security Consultant

"A little inaccuracy sometimes saves a ton of explanation." - H. H. Munro (Saki) (1870-1916)

----- Original Message -----
From: <wwebb () adni net>
To: <firewall-wizards () nfr net>
Sent: Tuesday, January 11, 2000 7:18 PM
Subject: Blocking ICMP with ipchains
I've heard that it is not wise to block all ICMP operations. Such being the case, which of these ICMP operations are safe to block without causing serious problems:

  echo-reply (pong)
  destination-unreachable
    network-unreachable
    host-unreachable
    protocol-unreachable
    port-unreachable
    fragmentation-needed
    source-route-failed
    network-unknown
    host-unknown
    network-prohibited
    host-prohibited
    TOS-network-unreachable
    TOS-host-unreachable
    communication-prohibited
    host-precedence-violation
    precedence-cutoff
  source-quench
  redirect
    network-redirect
    host-redirect
    TOS-network-redirect
    TOS-host-redirect
  echo-request (ping)
  router-advertisement
  router-solicitation
  time-exceeded (ttl-exceeded)
    ttl-zero-during-transit
    ttl-zero-during-reassembly
  parameter-problem
    ip-header-bad
    required-option-missing
  timestamp-request
  timestamp-reply
  address-mask-request
  address-mask-reply

Thanks for any assistance.
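The default-deny ICMP policy Carric describes, written as an ipchains ruleset for the input chain, is shown below as an added example; it is not code from anyone in the thread. It assumes the untrusted interface is eth0 and uses the ipchains --icmp-type names from the original question; by default it only prints the commands for review (IPCHAINS=ipchains applies them on a 2.2-era Linux box).

```shell
#!/bin/sh
# Added example: deny ALL ICMP on the untrusted interface, then accept only
# the four types Carric named. Everything is printed (dry run) unless the
# caller sets IPCHAINS=ipchains, so the ruleset can be checked before loading.

: "${IPCHAINS:=echo ipchains}"   # assumption: dry run by default
EXT_IF="${EXT_IF:-eth0}"         # assumption: eth0 is the untrusted side

# ICMP types allowed in from the untrusted side (Carric's list).
ICMP_ALLOW="echo-reply source-quench destination-unreachable time-exceeded"

# icmp_ruleset IFACE TYPE...  -> emits/applies the ICMP rules for IFACE.
# ipchains matches the first rule that fits, so the ACCEPTs go before the
# catch-all DENY; -l logs whatever the catch-all drops so you can see what
# your network actually relies on before you decide to widen the list.
icmp_ruleset() {
    iface=$1; shift
    for t in "$@"; do
        $IPCHAINS -A input -i "$iface" -p icmp --icmp-type "$t" -j ACCEPT
    done
    $IPCHAINS -A input -i "$iface" -p icmp -j DENY -l
}

# count_rules IFACE TYPE... -> number of rules the ruleset contains (dry run).
count_rules() {
    icmp_ruleset "$@" | wc -l | tr -d ' '
}

# allows IFACE TYPE -> exit 0 if TYPE is explicitly accepted on IFACE.
allows() {
    icmp_ruleset "$1" $ICMP_ALLOW | grep -q -- "--icmp-type $2 -j ACCEPT"
}

icmp_ruleset "$EXT_IF" $ICMP_ALLOW
```

Run it once as a dry run, compare the logged drops against what the Sniffer shows you actually using, and only then load the rules.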
Current thread:
- Blocking ICMP with ipchains wwebb (Jan 13)
- Re: Blocking ICMP with ipchains Mikael Olsson (Jan 15)
- Re: Blocking ICMP with ipchains Carric Dooley (Jan 16)
- <Possible follow-ups>
- RE: Blocking ICMP with ipchains peter . schawacker (Jan 16)
- RE: Blocking ICMP with ipchains Ryan Russell (Jan 17)
- Re: Blocking ICMP with ipchains Steven M. Bellovin (Jan 17)
- RE: Blocking ICMP with ipchains Richard . Smyth (Jan 17)
- RE: Blocking ICMP with ipchains Staggs, Michael (Jan 18)