Hi,
A client asked me about their PIX 4.2.2 firewall and the ways to filter
packets based on the ICMP *codes*. Not on the ICMP message types which PIX
supports (see the table below from the docs) but on the codes that further
divide the type. For instance, they would like to allow path MTU discovery
(Type 3, code 4) but deny traceroutes (again type 3 but code 3).
The official doc doesn't even mention conduit syntax for ICMP and the
online help as well as the recently published book "Cisco Security
Architectures" describe the syntax as:
conduit deny|permit icmp <g_ip> <g_mask> <f_ip> <f_mask> [<icmp_type>]
which suggests filtering on the type field only. Any feedback is
appreciated.
Table 5-1: ICMP Type Literals
ICMP Type   Literal
0 echo-reply
3 unreachable
4 source-quench
5 redirect
6 alternate-address
8 echo
9 router-advertisement
10 router-solicitation
11 time-exceeded
12 parameter-problem
13 timestamp-reply
14 timestamp-request
15 information-request
16 information-reply
17 mask-request
18 mask-reply
31 conversion-error
32 mobile-redirect
Thanks,
Razvan
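As an added illustration (not from the post, and not PIX configuration syntax), a small Python filter that makes the permit/deny decision on the (type, code) pair that the conduit form above cannot express; the rule list, names and sample message builder are constructed for this example.

```python
import struct

# Constructed rule table, evaluated in order: (type, code or None for any code, verdict).
# The PIX conduit syntax on the page takes only a type literal, so the first two
# entries (same type, different codes) are exactly what it cannot distinguish.
RULES = [
    (3, 4, "permit"),   # unreachable / fragmentation needed: path MTU discovery
    (3, 3, "deny"),     # unreachable / port unreachable: traceroute replies
    (3, None, "permit"),
    (0, None, "permit"),  # echo-reply
]
DEFAULT_VERDICT = "deny"

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp(msg: bytes):
    """Return (type, code), or None if the header is short or the checksum is bad."""
    if len(msg) < 8:
        return None
    if icmp_checksum(msg) != 0:  # a valid message sums to zero
        return None
    icmp_type, code = struct.unpack("!BB", msg[:2])
    return icmp_type, code

def verdict(msg: bytes) -> str:
    """Apply RULES to one ICMP message; malformed input fails closed."""
    parsed = parse_icmp(msg)
    if parsed is None:
        return "deny"
    t, c = parsed
    for rule_type, rule_code, v in RULES:
        if rule_type == t and (rule_code is None or rule_code == c):
            return v
    return DEFAULT_VERDICT

def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4) -> bytes:
    """Constructed sample message (header + 4 bytes) with a correct checksum."""
    hdr = struct.pack("!BBH", icmp_type, code, 0) + rest
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(hdr)) + rest

if __name__ == "__main__":
    for t, c in ((3, 4), (3, 3), (8, 0)):
        print(t, c, verdict(build_icmp(t, c)))
```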