Firewall Wizards mailing list archives
Re: How automate firewall tests
From: "Isaac Van Name" <ivanname () southerlandsleep com>
Date: Mon, 21 Aug 2006 08:37:00 -0500
For starters, I do have to agree that allowing ICMP is a mistake on a "good" firewall... ICMP is the best way to determine the internal structure of a private network. I'm sure I'm not mentioning other reasons why allowing ICMP is bad, but one should be enough for that point; I'll let others elaborate if needed.

Also, I was reading up on PMTUD and, from what I can see, all it does is aim to avoid fragmentation by plotting the shortest path from one point to another, thus preventing the packet from degrading. However, this makes me raise two questions, the second of which I am more sure about than the first:

(1) Isn't PMTUD something that can be rendered unneeded by using port forwarding and static routes for traffic destined for each collision domain? I mean, yeah, it probably means more work for the person administering the network, but is it not possible to just use some common sense in creating the routing table?

(2) If PMTUD is such a big concern as to make someone wish to allow ICMP, then why not just block certain types of ICMP packets using an access-list?

Isaac Van Name

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Patrick M. Hausen
Sent: Monday, August 21, 2006 3:11 AM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] How automate firewall tests

Hi, all!

On Fri, Aug 18, 2006 at 10:26:53AM -0700, Shahin Ansari wrote:
The doco above says no good firewall should allow ICMP, ...
Then this document is plainly wrong, IMHO. Which one were you referring to?

Blocking ICMP completely breaks PMTUD. Which leads to all sorts of "funny" breakage from the end users' point of view.

Regards,
Patrick
--
punkt.de GmbH
Internet - Services - Consulting
Vorholzstr. 25
76137 Karlsruhe
Tel. 0721 9109 -0
Fax: -100
http://punkt.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
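Isaac's second question (allow only the ICMP types PMTUD needs, instead of all or nothing) and Patrick's point that a blanket ICMP block breaks PMTUD can be made concrete in code. The following is an added example, not code from the thread or its participants: a Python checker that, given a constructed table of flows opened by inside hosts, accepts only ICMP type 3 code 4 (Fragmentation Needed) messages that quote one of those flows, returns the next-hop MTU they carry, and drops every other ICMP message, including echo requests and corrupt or unrelated errors. The function and helper names (`pmtud_policy`, `build_icmp`, `quoted_segment`) and the sample addresses are assumptions made for this example.

```python
import struct
from ipaddress import ip_address

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 when run over a packet
    whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: int, payload: bytes = b"") -> bytes:
    """Construct an ICMP message: type, code, checksum, 4-byte 'rest of header'."""
    hdr = struct.pack("!BBHI", icmp_type, code, 0, rest)
    return struct.pack("!BBHI", icmp_type, code, icmp_checksum(hdr + payload), rest) + payload

def quoted_segment(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed IPv4 header plus the first 8 bytes of a TCP segment, i.e. the
    part of the original datagram a router quotes back inside an ICMP error."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 6, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    return ip_hdr + struct.pack("!HHI", sport, dport, 1)

def pmtud_policy(pkt: bytes, flows: set):
    """Return ('accept', next_hop_mtu) only for a well-formed ICMP type 3 code 4
    (Fragmentation Needed) message whose quoted datagram belongs to a flow in
    `flows` (proto, src, sport, dst, dport); everything else is ('drop', None)."""
    if len(pkt) < 8 or icmp_checksum(pkt) != 0:
        return "drop", None                      # truncated or corrupt message
    icmp_type, code, _, rest = struct.unpack("!BBHI", pkt[:8])
    if (icmp_type, code) != (3, 4):
        return "drop", None                      # echo, redirect, etc. stay blocked
    mtu = rest & 0xFFFF                          # RFC 1191: low 16 bits carry next-hop MTU
    inner = pkt[8:]
    if len(inner) < 28 or (inner[0] >> 4) != 4:
        return "drop", None                      # no usable quoted IPv4 header
    proto = inner[9]
    src, dst = str(ip_address(inner[12:16])), str(ip_address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[20:24])
    if (proto, src, sport, dst, dport) not in flows or mtu < 68:
        return "drop", None                      # not our flow, or MTU below the IPv4 minimum
    return "accept", mtu
```

Tying the error to a known flow is what a stateful firewall's "related" tracking does for you; a plain access-list that matches only on type and code lets in any type 3/4 message regardless of whose datagram it quotes.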