Firewall Wizards mailing list archives

Re: ICMP blocking on PIX .4.4.1


From: jseymour () LinxNet com (Jim Seymour)
Date: Sat, 29 Apr 2000 08:18:51 -0400 (EDT)

majordomo <lists () indifference org> wrote:


[I had written, in part:]
> > Allowing ICMP (or any connection-less protocol, such as UDP) *through*
> > the firewall is another issue entirely.  Connection-less protocols are
> > not safe.  Cannot be made safe.  Other than perhaps allowing syslog
> > from the router to a syslog host, specifically, I don't see any
> > particular reason to allow any UDP through a firewall.

[Comments by Steve Bellovin noted.]

> Doesn't DNS use udp? As for the icmp issue, I agree with you.

Yes.  (And TCP for zone transfers.  But that is a different discussion.)
But it's not advisable to allow outside queries of one's internal DNS.


Regards,
Jim
-- 
Jim Seymour                  | PGP Public Key available at:
jseymour () LinxNet com         | http://www.cam.ac.uk.pgp.net/pgpnet/wwwkeys.html
http://home.msen.com/~jimsun | http://www.trustcenter.de/cgi-bin/SearchCert.cgi
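The point Jim makes above, that connection-less traffic cannot be filtered safely and that the sensible exceptions are narrow (router-to-syslog-host, no outside queries of the internal DNS), is easier to see with a small model of a stateless packet filter. The following Python is an added example written for this archive page; it is not code from the thread, from Cisco, or from any PIX configuration, and every address, host name and rule in it is constructed for the illustration. It evaluates first-match rules over constructed packets and includes an audit helper that flags the kind of "trust the source port" permit a stateless UDP policy tends to accumulate.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed addresses for the illustration (not from the original thread).
ROUTER = "192.0.2.1"         # border router that sends syslog inward
SYSLOG_HOST = "10.0.0.5"     # internal syslog collector
INTERNAL_DNS = "10.0.0.53"   # internal resolver / authoritative for inside names
ANY = "*"


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp", "tcp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool   # True if arriving on the outside interface


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    proto: str              # protocol name or ANY
    src: str                # exact address, prefix ending in ".", or ANY
    sport: Optional[int]    # None = any source port
    dst: str
    dport: Optional[int]    # None = any destination port
    inbound: Optional[bool] # None = either direction
    note: str


def _addr_match(pattern: str, addr: str) -> bool:
    if pattern == ANY:
        return True
    if pattern.endswith("."):          # crude prefix match, e.g. "10.0.0."
        return addr.startswith(pattern)
    return pattern == addr


def _port_match(pattern: Optional[int], port: int) -> bool:
    return pattern is None or pattern == port


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First-match stateless filter. Returns 'permit' or 'deny'; default deny."""
    for r in rules:
        if (r.proto in (ANY, pkt.proto)
                and _addr_match(r.src, pkt.src) and _port_match(r.sport, pkt.sport)
                and _addr_match(r.dst, pkt.dst) and _port_match(r.dport, pkt.dport)
                and (r.inbound is None or r.inbound == pkt.inbound)):
            return r.action
    return "deny"


def weak_source_port_rules(rules: List[Rule]) -> List[Rule]:
    """Flag permits that key on a source port with no destination-port bound.
    With no connection state, such a rule admits any datagram whose sender
    simply chose that source port."""
    return [r for r in rules
            if r.action == "permit" and r.sport is not None and r.dport is None]


# Policy in the spirit of the message: the only inbound UDP is syslog from the
# router to the syslog host, outside hosts may not query the internal resolver,
# and everything else inbound is denied.
STRICT_POLICY = [
    Rule("permit", "udp", ROUTER, None, SYSLOG_HOST, 514, True, "router syslog only"),
    Rule("deny", "udp", ANY, None, INTERNAL_DNS, 53, True, "no outside DNS queries inward"),
    Rule("deny", ANY, ANY, None, ANY, None, True, "default deny inbound"),
]

# A looser stateless policy that also lets the internal resolver receive answers
# from outside name servers. The filter has nothing to key on but "source port
# 53", which is exactly the weakness the thread is pointing at.
LOOSE_DNS_POLICY = [
    Rule("permit", "udp", ROUTER, None, SYSLOG_HOST, 514, True, "router syslog only"),
    Rule("permit", "udp", ANY, 53, INTERNAL_DNS, None, True, "DNS answers to resolver"),
    Rule("deny", ANY, ANY, None, ANY, None, True, "default deny inbound"),
]

# Constructed sample packets.
ROUTER_SYSLOG = Packet("udp", ROUTER, 514, SYSLOG_HOST, 514, True)
OUTSIDE_QUERY = Packet("udp", "203.0.113.9", 40000, INTERNAL_DNS, 53, True)
UNSOLICITED_FROM_53 = Packet("udp", "203.0.113.9", 53, INTERNAL_DNS, 161, True)

if __name__ == "__main__":
    for name, policy in (("strict", STRICT_POLICY), ("loose", LOOSE_DNS_POLICY)):
        for pkt in (ROUTER_SYSLOG, OUTSIDE_QUERY, UNSOLICITED_FROM_53):
            print(f"{name:6} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {evaluate(policy, pkt)}")
        for r in weak_source_port_rules(policy):
            print(f"{name:6} audit: '{r.note}' trusts source port {r.sport} with no dport bound")
```

Under STRICT_POLICY only the router's syslog datagram gets through; both the outside query and the datagram sourced from port 53 are dropped. Under LOOSE_DNS_POLICY the datagram from port 53 reaches port 161 on the resolver host, and `weak_source_port_rules` reports the rule responsible, which is the check worth running over any stateless UDP permit list before it goes on a firewall.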