Firewall Wizards mailing list archives

Re: How automate firewall tests

From: "Isaac Van Name" <ivanname () southerlandsleep com>
Date: Mon, 21 Aug 2006 08:37:00 -0500

For starters, I do have to agree that allowing ICMP is a mistake on a "good"
firewall... ICMP is the best way to determine the internal structure of a
private network.  I'm sure I'm not mentioning other reasons why allowing
ICMP is bad, but one should be enough for that point; I'll let others
elaborate if needed.

Also, I was reading up on PMTUD and, from what I can see, all it does is aim
to avoid fragmentation by plotting the shortest path from one point to
another, thus preventing the packet from degrading.  However, this makes me
raise two questions, the second of which I am more sure about than the
first:  (1)  Isn't PMTUD something that can be rendered unneeded by using
port forwarding and static routes for traffic destined for each collision
domain?  I mean, yeah, it probably means more work for the person
administering the network, but is it not possible to just use some common
sense in creating the routing table?  (2)  If PMTUD is such a big concern as
to make someone wish to allow ICMP, then why not just block certain types of
ICMP packets using an access-list?


Isaac Van Name

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com
[mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Patrick
M. Hausen
Sent: Monday, August 21, 2006 3:11 AM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] How automate firewall tests

Hi, all!

On Fri, Aug 18, 2006 at 10:26:53AM -0700, Shahin Ansari wrote:

The doco above says no good firewall should allowe ICMP, ...


Then this document is plainly wrong, IMHO. Which one were you
referring to?

Blocking ICMP completely breaks PMTUD. Which leads to all
sorts of "funny" breakage from the end users point of view.

Regards,
Patrick
-- 
punkt.de GmbH         Internet - Dienstleistungen - Beratung
Vorholzstr. 25        Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe       http://punkt.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: How automate firewall tests, (continued)
- - Re: How automate firewall tests Strabla Ruggero (Aug 20)
  - Re: How automate firewall tests Shahin Ansari (Aug 20)
    - Re: How automate firewall tests Patrick M. Hausen (Aug 21)
    - Re: How automate firewall tests Paul D. Robertson (Aug 21)
    - Re: How automate firewall tests Patrick M. Hausen (Aug 21)
    - Re: How automate firewall tests Paul D. Robertson (Aug 21)
    - Re: How automate firewall tests Patrick M. Hausen (Aug 21)
    - Re: How automate firewall tests Paul D. Robertson (Aug 21)
    - Re: How automate firewall tests Oliver Humpage (Aug 21)
    - Re: How automate firewall tests Marcus J. Ranum (Aug 21)
    - Re: How automate firewall tests Isaac Van Name (Aug 21)
- Re: How automate firewall tests Jean-Denis Gorin (Aug 18)
  - Re: How automate firewall tests Shahin Ansari (Aug 20)
  - Re: How automate firewall tests Avishai Wool (Aug 22)
- Re: How automate firewall tests Jean-Denis Gorin (Aug 21)
- Re: How automate firewall tests Jean-Denis Gorin (Aug 21)
  - Re: How automate firewall tests Bill Royds (Aug 21)
    - Re: How automate firewall tests Chuck Swiger (Aug 21)
    - Re: How automate firewall tests Bill Royds (Aug 22)
- Re: How automate firewall tests Jean-Denis Gorin (Aug 21)
  - Re: How automate firewall tests ArkanoiD (Aug 22)

(Thread continues...)