Firewall Wizards mailing list archives

RE: ICMP blocking on PIX .4.4.1


From: Jeff B Boles <jboles () libfungrp com>
Date: Mon, 8 May 2000 09:16:33 -0500

Along these lines, here's a cisco access list reference for deny/permit ICMP
by message type (i.e. echo, echo-reply, host-unknown, etc.).
 
http://www.cisco.com/univercd/cc/td/doc/product/software/ios112/112cg_cr/5rbook/5rip.htm#xtocid232732

-----Original Message-----
From: GibsonB () gruntal com [mailto:GibsonB () gruntal com]
Sent: Friday, May 05, 2000 12:24 PM
To: nawk () real-secure com; dufresne () sysinfo com
Cc: firewall-wizards () nfr net; phred () pacificwest com; jseymour () LinxNet com
Subject: RE: [fw-wiz] ICMP blocking on PIX .4.4.1



I don't agree with this. ICMP is an invaluable tool for diagnostics.  If you
shut it down then you are limiting your ability to troubleshoot problems.  

What you want to do is allow ICMP to go out but not to come in.  Ideally
what you want to do is allow certain types of ICMP out (i.e. Echo requests) and
only certain types of ICMP to come in (i.e. Echo Reply, Time exceeded,
unreachable).  This is not easily done in a router.

Actually, blocking connectionless protocols in general is not an easy thing to
do in a router.
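As an added illustration (not from either poster, and not taken from the Cisco document linked above), here is how the policy GibsonB describes looks as IOS extended access lists of the kind that reference covers: echo requests may leave, and only echo replies, time-exceeded and unreachable messages may come back in. The interface name Serial0 and the inside network 192.0.2.0/24 are placeholders.

```cisco
! Added example, not configuration from the thread.
! Outbound (inside -> outside): let echo requests out, log and drop any other
! ICMP, and let everything else through.
access-list 101 permit icmp 192.0.2.0 0.0.0.255 any echo
access-list 101 deny   icmp any any log
access-list 101 permit ip 192.0.2.0 0.0.0.255 any

! Inbound (outside -> inside): only the ICMP types a ping/traceroute needs
! to see. Everything not listed falls to the implicit "deny ip any any".
access-list 102 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
access-list 102 permit icmp any 192.0.2.0 0.0.0.255 time-exceeded
access-list 102 permit icmp any 192.0.2.0 0.0.0.255 unreachable
access-list 102 deny   icmp any any log
! TCP replies can be matched on the ACK/RST bits with "established";
! UDP has no such flag, which is the difficulty with connectionless
! protocols that the message above points at.
access-list 102 permit tcp any 192.0.2.0 0.0.0.255 established

interface Serial0
 ip access-group 102 in
 ip access-group 101 out
```

These lists are stateless: an inbound echo-reply or unreachable is accepted whether or not an inside host sent the matching request, so the `log` entries on the deny lines are the only visibility you get into what was dropped. PIX 4.x expressed the same permissions with `conduit` statements rather than IOS access lists.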

