Gentlemen,
Most people here say firewalls should do ICMP blocking.
I would call out blocking ICMP by type field. There is
no reason to pass through some ICMP messages while others
are necessary.
I suggest: if you trust your protected network, let all ICMP
types out. From an untrusted network, allow ICMP types (to
come in) 0 (Echo Reply), 3 (Destination Unreachable), 11
(Time Exceeded) and 13 (Parameter Problem).
Type fields can be found at:
http://www.isi.edu/in-notes/iana/assignments/icmp-parameters
> Btw, is there any harm if I buy a firewall that allows all
> the ICMP packets to go through into and out of the private
> network.
Sujeet Nayak asked that. I would say yes. There are, for example,
types 4 (Source Quench) and 10 (Router Selection), which can
be harmful in the hands of talented ones.
Regards,
Sami
===
(__) Sami Kerola
(oo) RTT Ohjelmistopankki Oy
/-------\/ Rantakatu 8 phone +358 8 2104210
/ | || 92101 RAAHE mobile +358 50 3438138
* ||----|| FINLAND fax +358 8 2104201
^^ ^^ http://www.ohjelmistopankki.fi/
My PGP key http://www.pgp.net/wwwkeys.html
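
The policy proposed in the message above, as an added Python example that is not part of the original post: it reads the ICMP type from a raw IPv4 packet, honoring the IP header length so that IP options cannot shift the field, and applies the inbound allow-list. The function names, verdict strings and sample packets are assumptions constructed for illustration.

```python
import struct

# Inbound allow-list: the type numbers exactly as listed in the message.
# Check them against the IANA registry before use: IANA names type 12
# Parameter Problem and type 13 Timestamp.
INBOUND_ALLOWED = {0, 3, 11, 13}

def icmp_type(packet: bytes):
    """Return ('other', None), ('unreadable', None) or ('icmp', type)."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return ("other", None)              # not IPv4 carrying ICMP (protocol 1)
    ihl = (packet[0] & 0x0F) * 4            # header length including options
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if ihl < 20 or frag_offset != 0 or len(packet) < ihl + 8:
        return ("unreadable", None)         # no complete ICMP header to inspect
    return ("icmp", packet[ihl])

def decide(packet: bytes, direction: str) -> str:
    """direction 'out': from the protected network; 'in': from untrusted."""
    kind, t = icmp_type(packet)
    if kind == "other":
        return "skip"                       # not ICMP: other rules decide
    if direction == "out":
        return "accept"                     # message: let all ICMP types out
    if kind == "icmp" and t in INBOUND_ALLOWED:
        return "accept"
    return "drop"                           # unlisted type or unreadable header

def build(icmp_t, ihl_words=5, proto=1, frag=0):
    """Constructed sample packet (documentation addresses, zero checksums)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0,
                     ihl_words * 4 + 8, 0, frag, 64, proto, 0,
                     bytes([198, 51, 100, 7]), bytes([192, 0, 2, 1]))
    options = b"\x00" * ((ihl_words - 5) * 4)
    return ip + options + struct.pack("!BBHI", icmp_t, 0, 0, 0)

if __name__ == "__main__":
    for t in (0, 3, 4, 8, 10, 11, 13):
        print(t, decide(build(t), "in"))
```

A filter that reads the type at a fixed offset of 20 would see the zero option byte of `build(8, ihl_words=6)` as type 0 and let an Echo Request in; reading at the header length avoids that.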