Firewall Wizards mailing list archives
Re: ICMP blocking on PIX .4.4.1
From: jseymour () LinxNet com (Jim Seymour)
Date: Sat, 29 Apr 2000 08:18:51 -0400 (EDT)
majordomo <lists () indifference org> wrote:
[I had written, in part:]
Allowing ICMP (or any connection-less protocol, such as UDP) *through* the firewall is another issue entirely. Connection-less protocols are not safe. Cannot be made safe. Other than perhaps allowing syslog from the router to a syslog host, specifically, I don't see any particular reason to allow any UDP through a firewall.
[Comments by Steve Bellovin noted.]
Doesn't DNS use udp? As for the icmp issue, I agree with you.
Yes. (And TCP for zone transfers. But that is a different discussion.) But it's not advisable to allow outside queries of one's internal DNS.

Regards,
Jim
--
Jim Seymour | PGP Public Key available at:
jseymour () LinxNet com | http://www.cam.ac.uk.pgp.net/pgpnet/wwwkeys.html
http://home.msen.com/~jimsun | http://www.trustcenter.de/cgi-bin/SearchCert.cgi
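The exchange above turns on one point: a firewall cannot tie a UDP packet to the query it answers, so a static rule that admits "DNS replies" also admits any outside packet sent from port 53, including queries aimed at the internal DNS server. The following is an added example, not code from the list, from Jim Seymour, or from the PIX; it models a toy filter over constructed hosts, ports and packets (RFC 5737 documentation addresses), applies the policy the thread describes (syslog from the router to the syslog host only, the internal resolver's own queries outbound), and contrasts a purely stateless rule set with pseudo-stateful reply tracking, a technique the thread itself does not discuss.

```python
"""Toy UDP packet filter: why a static rule for UDP 'replies' is weak.

Added example for this thread, not code from the list or from the PIX.
Hosts, ports and packets are constructed for illustration.
"""
from dataclasses import dataclass

ROUTER = "192.0.2.1"        # constructed: border router, the only syslog sender
SYSLOG_HOST = "10.0.0.5"    # constructed: internal syslog collector
INTERNAL_DNS = "10.0.0.53"  # constructed: internal DNS server
SYSLOG_PORT, DNS_PORT = 514, 53


@dataclass(frozen=True)
class UdpPacket:
    direction: str  # "in" = arriving from outside, "out" = leaving the inside
    src: str
    sport: int
    dst: str
    dport: int


def stateless_decide(p: UdpPacket) -> bool:
    """Fixed rules with no memory of earlier packets.

    Rule 3 is the weak spot: because the filter cannot know which outbound
    query a UDP packet answers, the only way to admit replies is to admit
    anything from port 53 aimed at the internal DNS host. An outside query
    sent from source port 53 satisfies that rule too.
    """
    if (p.direction == "in" and p.src == ROUTER
            and p.dst == SYSLOG_HOST and p.dport == SYSLOG_PORT):
        return True                                           # rule 1: syslog
    if p.direction == "out" and p.src == INTERNAL_DNS and p.dport == DNS_PORT:
        return True                                           # rule 2: our queries
    if p.direction == "in" and p.dst == INTERNAL_DNS and p.sport == DNS_PORT:
        return True                                           # rule 3: "replies"
    return False


class PseudoStatefulFilter:
    """Remembers each outbound query and admits one inbound packet that
    reverses its 4-tuple within `timeout` seconds.

    UDP has no handshake, so this is an approximation: a packet that happens
    to match a pending 4-tuple is indistinguishable from the real reply.
    """

    def __init__(self, timeout: float = 5.0) -> None:
        self.timeout = timeout
        self.pending: dict[tuple, float] = {}  # reversed 4-tuple -> time sent

    def decide(self, p: UdpPacket, now: float) -> bool:
        # drop expired expectations before evaluating this packet
        self.pending = {k: t for k, t in self.pending.items()
                        if now - t < self.timeout}
        if (p.direction == "in" and p.src == ROUTER
                and p.dst == SYSLOG_HOST and p.dport == SYSLOG_PORT):
            return True
        if p.direction == "out" and p.src == INTERNAL_DNS and p.dport == DNS_PORT:
            self.pending[(p.dst, p.dport, p.src, p.sport)] = now
            return True
        if p.direction == "in":
            key = (p.src, p.sport, p.dst, p.dport)
            if self.pending.pop(key, None) is not None:   # consume the expectation
                return True
        return False


# Constructed traffic: (label, packet, arrival time in seconds)
TRAFFIC = [
    ("syslog from router", UdpPacket("in", ROUTER, 40001, SYSLOG_HOST, SYSLOG_PORT), 0.0),
    ("our query out", UdpPacket("out", INTERNAL_DNS, 40002, "198.51.100.7", DNS_PORT), 1.0),
    ("genuine reply", UdpPacket("in", "198.51.100.7", DNS_PORT, INTERNAL_DNS, 40002), 1.1),
    ("outside query, sport 53", UdpPacket("in", "203.0.113.9", DNS_PORT, INTERNAL_DNS, DNS_PORT), 2.0),
    ("outside query, sport 1234", UdpPacket("in", "203.0.113.9", 1234, INTERNAL_DNS, DNS_PORT), 2.1),
    ("replayed reply", UdpPacket("in", "198.51.100.7", DNS_PORT, INTERNAL_DNS, 40002), 3.0),
]


def compare(traffic=TRAFFIC) -> dict[str, tuple[bool, bool]]:
    """Return {label: (stateless verdict, pseudo-stateful verdict)}; True = pass."""
    stateful = PseudoStatefulFilter()
    return {label: (stateless_decide(p), stateful.decide(p, t))
            for label, p, t in traffic}


if __name__ == "__main__":
    for label, (a, b) in compare().items():
        print(f"{label:28s} stateless={'pass' if a else 'drop':4s} "
              f"stateful={'pass' if b else 'drop'}")
```

Run as a script it prints one verdict pair per packet: the stateless filter passes the outside query sent from source port 53 and the replayed reply, while the pseudo-stateful filter passes only the one inbound packet that answers a query it saw leave. Even that filter is only as good as the 4-tuple guess, which is the sense in which the thread says connection-less protocols cannot be made safe, and why the advice is to admit as little UDP as possible (syslog from one named router, and nothing that lets outsiders query the internal DNS).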