Agree 150%!

*Please*, if your firewall is protecting any kind of services available to 
the Internet, *do not* filter ICMP "host unreachable / fragmentation needed 
but DF set"!!!

There are more and more public (web) servers which have been set up to use 
MTU discovery, most of the time due to some default behavior of their OS or 
install procedure.
Their first reply packet to any client will be a full-size packet with the DF 
bit set. If *ANY* link between the client and the server has a smaller MTU or is 
using an encapsulating protocol which generates a size overhead (like IPsec 
in tunnel mode, for example...), connectivity is broken if your server 
cannot receive the ICMP host unreachable / fragmentation needed but DF set!!!
And IPsec is becoming more and more present...

I have seen some well-known web sites set up like this.
It's a long task to explain to them what is going on and why *their* site is 
not reachable from some part of *our* network, and why it is broken on 
*their* side...
Funny to see that the most common correction chosen by these sites was to 
disable MTU discovery... and thus unset the DF bit... :-)

         Jean

At 09:39 AM 8/31/99, someone using Michael H. Warfield's login wrote:
>Sweeney, Patrick enscribed thusly:
>
> > There are two dangers to allowing ICMP through the firewall that spring
> > immediately to mind.
>
> > The first is that you could subject yourself to Denial of Service (DoS)
> > attacks like the ping of death.
>
>         Blocking ALL ICMP, including "ICMP unreachable/would fragment",
>may break MTU discovery and potentially create its own brand of DoS or
>severely degraded service.
>
> > The second is you could give a cracker an avenue to discover topological
> > information about your network.  I don't consider that too much of a threat in my
> > environment since I make that information easily available internally anyway,
> > but you may feel differently in your environment.
>
> > I believe Axent Raptor firewall blocks ICMP.
>
> > -----Original Message-----
> > From: Sujeet Nayak [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, August 31, 1999 8:31 AM
> > To: [EMAIL PROTECTED]
> > Subject: ICMP filtering
>
>
> > Hi,
> > I see that most of the firewalls pass ICMP messages without filtering. Some
> > of them offer filtering options only for the PING message. Does anybody know
> > the firewalls that deny ICMP messages? Btw, is there any harm if I buy a
> > firewall that allows all the ICMP packets to go through into and out of the
> > private network.
>
>
> > Thanks
>
> > Sujeet
>
>
>--
>  Michael H. Warfield    |  (770) 985-6132   |  [EMAIL PROTECTED]
>   (The Mad Wizard)      |  (770) 925-8248   |  http://www.wittsend.com/mhw/
>   NIC whois:  MHW9      |  An optimist believes we live in the best of all
>  PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]

    - jean -
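The failure mode Jean describes above (a server doing Path MTU discovery behind a firewall that drops all ICMP), worked through as an added example; this is editor-written illustration code, not code from any poster or from any firewall product named in the thread. It models a server sending its first full-size reply with DF set across a path that contains one hop with a smaller effective MTU, such as an IPsec tunnel-mode link, and compares three firewall policies on the server side: pass all ICMP, drop all ICMP, and pass only "destination unreachable / fragmentation needed" (type 3, code 4). The hop MTUs (1500 and a constructed 1400 for the IPsec hop), header sizes and the four-retransmission limit are assumptions chosen for illustration, not measurements from any real network.

```python
"""Toy model of Path MTU discovery (RFC 1191) behind an ICMP-filtering firewall.

Constructed example: hop MTUs, header sizes and the retry policy are
assumptions for illustration, not measurements from any real network.
"""
from dataclasses import dataclass
from math import ceil

ICMP_DEST_UNREACH = 3        # ICMP type 3, "destination unreachable"
ICMP_FRAG_NEEDED = 4         # code 4, "fragmentation needed and DF set"
ICMP_ECHO_REQUEST = 8        # type 8, ping (what people usually mean by "ICMP")
IPV4_HDR = 20
TCP_HDR = 20
SERVER_MTU = 1500            # the server's own link MTU; PMTUD starts from here

# Constructed path: the middle hop is an IPsec tunnel-mode link whose
# encapsulation overhead leaves ~1400 bytes for the inner datagram (assumption).
PATH_WITH_IPSEC_HOP = [1500, 1400, 1500]


@dataclass
class Packet:
    size: int                # total IP datagram size in bytes
    df: bool                 # Don't-Fragment bit


@dataclass
class IcmpMessage:
    icmp_type: int
    code: int
    next_hop_mtu: int = 0    # RFC 1191 field, meaningful only for type 3 / code 4


@dataclass
class Outcome:
    delivered: bool
    attempts: int
    segment_size: int        # size of the datagram the server last put on the wire
    fragments: int           # pieces that arrived at the client (1 = unfragmented)


# --- three server-side firewall policies for ICMP arriving *at* the server ---
def allow_all_icmp(msg: IcmpMessage) -> bool:
    return True


def block_all_icmp(msg: IcmpMessage) -> bool:
    return False


def allow_frag_needed_only(msg: IcmpMessage) -> bool:
    """Drop echo requests and everything else, but let PMTUD's signal through."""
    return (msg.icmp_type, msg.code) == (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED)


def forward(path_mtus, pkt: Packet):
    """Carry one datagram from server to client across the listed hop MTUs.

    Returns ("delivered", fragment_count), or ("icmp", IcmpMessage) when a hop
    with a smaller MTU bounces a DF-marked packet back toward the sender.
    """
    frags = [pkt.size - IPV4_HDR]        # data bytes carried by each fragment
    for mtu in path_mtus:
        if max(frags) + IPV4_HDR > mtu:
            if pkt.df:
                return "icmp", IcmpMessage(ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
                                           next_hop_mtu=mtu)
            # DF clear: the router fragments. Fragment data is a multiple of 8 bytes.
            per = (mtu - IPV4_HDR) // 8 * 8
            frags = [min(per, d - k * per) for d in frags for k in range(ceil(d / per))]
    return "delivered", len(frags)


def send_first_reply(path_mtus, icmp_filter, pmtud=True, payload=1460,
                     max_tries=4) -> Outcome:
    """Model the server's first full-size reply to a client, with retransmissions.

    pmtud=True: DF is set and the server relies on ICMP type 3 / code 4 to learn
    the path MTU; icmp_filter decides whether that ICMP ever reaches the server.
    pmtud=False: the workaround from the thread, DF clear, so routers fragment.
    """
    pmtu = SERVER_MTU
    size = 0
    for attempt in range(1, max_tries + 1):
        size = min(pmtu, IPV4_HDR + TCP_HDR + payload)
        status, info = forward(path_mtus, Packet(size=size, df=pmtud))
        if status == "delivered":
            return Outcome(True, attempt, size, info)
        if icmp_filter(info):
            pmtu = info.next_hop_mtu     # RFC 1191: adopt the advertised MTU and retry
        # otherwise the firewall ate the ICMP: the server blindly resends the same size
    return Outcome(False, max_tries, size, 0)


if __name__ == "__main__":
    for name, policy in [("allow all ICMP", allow_all_icmp),
                         ("block all ICMP", block_all_icmp),
                         ("allow type 3/code 4 only", allow_frag_needed_only)]:
        print(f"{name:26s} -> {send_first_reply(PATH_WITH_IPSEC_HOP, policy)}")
    print(f"{'PMTUD off, block all ICMP':26s} -> "
          f"{send_first_reply(PATH_WITH_IPSEC_HOP, block_all_icmp, pmtud=False)}")
```

The "block all ICMP" row is the black hole from the thread: the server keeps resending a 1500-byte segment with DF set, the IPsec hop keeps bouncing it, and the bounce never reaches the server, so nothing is ever delivered and only clients behind that hop notice. The "allow type 3/code 4 only" row shows that the fix costs nothing in terms of the ping-based recon or ping-of-death concerns raised earlier in the thread, because echo requests are still dropped. The last row is the workaround Jean saw sites adopt: clearing DF makes the path work at the price of in-flight fragmentation (two fragments here). The same reasoning applies to IPv6, where "Packet Too Big" (ICMPv6 type 2) must be allowed, since IPv6 routers never fragment on behalf of the sender.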