nanog mailing list archives

Re: Firewall stateful handling of ICMP packets


From: Owen DeLong <owen () delong com>
Date: Wed, 03 Dec 2003 15:57:37 -0800

Actually, any halfway decent firewall allows you to permit certain ICMP
type codes while rejecting others.  Not a perfect solution, but, for the
most part, there aren't a lot of fragmentation-needed exploits running
around.  (In fact, I'm hard pressed to imagine how a Frag needed packet
for an invalid session could do much of anything).

Owen


--On Wednesday, December 3, 2003 5:12 PM -0500 Sean Donelan <sean () donelan com> wrote:

You could drop ICMP packets at your firewall if the firewalls properly
implemented stateful inspection of ICMP packets.  The problem is few
firewalls include ICMP responses in their stateful analysis.  So you are
left with two bad choices, permit "all" ICMP packets or deny "all" ICMP
packets.

--
If it wasn't crypto-signed, it probably didn't come from me.
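As an added example, not part of the thread, here is a minimal Python model of the two ideas above: the per-type/code allow list Owen mentions, and the stateful matching of ICMP responses Sean says most firewalls lack. An inbound ICMP error is accepted only if its type/code is on the allow list and the datagram embedded in it matches a session the firewall already tracks in the outbound direction; a fragmentation-needed for an unknown session is dropped. The session table and the packet builder are constructed for the example.

```python
import struct

# Constructed session table: outbound flows the firewall has already seen, keyed
# as (proto, src, sport, dst, dport). A real firewall fills this from its
# connection tracker; here it is an assumption for the example.
ESTABLISHED = {
    (6, "10.0.0.5", 40000, "203.0.113.9", 443),
}

# ICMP (type, code) pairs admitted when they relate to a tracked session:
# fragmentation needed, host unreachable, TTL exceeded.
RELATED_ICMP = {(3, 4), (3, 1), (11, 0)}

def parse_ip(pkt):
    """Return (proto, src, dst, payload) for a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    dotted = lambda b: ".".join(str(x) for x in b)
    return pkt[9], dotted(pkt[12:16]), dotted(pkt[16:20]), pkt[ihl:]

def icmp_verdict(pkt):
    """Stateful decision for an inbound ICMP packet: 'accept' or 'drop'."""
    proto, _, _, icmp = parse_ip(pkt)
    if proto != 1 or len(icmp) < 28:
        return "drop"                       # not ICMP, or too short for an inner header
    if (icmp[0], icmp[1]) not in RELATED_ICMP:
        return "drop"                       # type/code not on the allow list
    # An ICMP error carries the offending datagram's IP header plus the first
    # 8 bytes of its transport header; that is what the state match uses.
    iproto, isrc, idst, ipayload = parse_ip(icmp[8:])
    if len(ipayload) < 4:
        return "drop"
    sport, dport = struct.unpack("!HH", ipayload[:4])
    # The embedded datagram is one *we* sent, so its 5-tuple must match an
    # outbound session; an error for an unknown session is dropped.
    return "accept" if (iproto, isrc, sport, idst, dport) in ESTABLISHED else "drop"

def build_icmp(itype, icode, src, dst, inner_src, inner_dst, sport, dport, mtu=1280):
    """Construct an IPv4/ICMP error packet for testing (constructed input)."""
    def ip_hdr(proto, s, d, total):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                           bytes(map(int, s.split("."))), bytes(map(int, d.split("."))))
    inner = ip_hdr(6, inner_src, inner_dst, 40) + struct.pack("!HH", sport, dport) + b"\0" * 4
    icmp = struct.pack("!BBHHH", itype, icode, 0, 0, mtu) + inner
    return ip_hdr(1, src, dst, 20 + len(icmp)) + icmp
```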
