Re: ICMP (was: daily internet traffic report)

[James Edwards <hackerwacker () cybermesa com>]

On Sun, 2004-10-17 at 15:46, Cedric Blancher wrote:
> Le dim 17/10/2004 à 22:21, James Edwards a écrit :
> > So, blocking ***all*** ICMP ***types*** is bad but you can block some
> > ***types*** without getting into trouble. Till you understand that all
> > the types do in relation to networking I would leave the alone.
>
> Nowadays, using a decent stateful firewall allows one to get rid of ICMP
> filtering by associating ICMP errors to existing connections. As an
> example, when filtering using Netfilter, ICMP errors triggered by known
> IP connections are recognized as such (i.e. RELATED state) and thus can
> be filtered in a different way unsollicited ones (i.e. INVALID state)
> are.
>
> This kind of feature allows one not to block valid ICMP stuff and keep
> away from direct ICMP solicitations you can filter the way you want.
>
> My 0.02€...


That is great till you want to run a server behind that firewall.
The bigger picture, to me, is you gain little in security by blocking ICMP.

j

Attachment: signature.asc
Description: This is a digitally signed message part