Mikael Olsson wrote:
> 
>  I thought that my firewall was protecting me?
> -----------------------------------------------
> 
> Surprise. Many (not all) firewall vendors claim
> that most ICMP error messages are harmless, such
> as Host Unreachable, Time Exceeded, etc, and pass
> them through with little or no inspection.
> (I think all agree that ICMP Redirects are very
> dangerous though.)
> Especially, outbound ones are considered really
> harmless. Too bad the firewalking problem _is_
> outbound ICMP messages.

A proxy-based firewall will have IP forwarding off, so it shouldn't pass
such packets. A decent SPF firewall should match ICMP errors against
existing session entries to determine whether the ICMP packet should be
allowed through. If the SPF firewall allows incoming unsolicited packets
it should have the option of blocking resulting ICMP errors, or spoofing
up new ones with sensitive information replaced. A firewall which
actually allows firewalking is arguably a contradiction in terms.

> I don't have a comprehensive list of which vendor
> does what.

Do you have a non-comprehensive list?

regards
gram
-- 
Dr Graham Wheeler                        E-mail: [EMAIL PROTECTED]
Director, Research and Development       WWW:    http://www.cequrux.com
CEQURUX Technologies                     Phone:  +27(21)423-6065
Firewalls/VPN Specialists                Fax:    +27(21)424-3656
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]

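The check the reply calls for, matching an ICMP error against existing session entries, is worked through below as an added example; it is not code from the original thread or from any of the vendors discussed. An ICMP error message quotes the IP header and first eight bytes of the datagram that triggered it, so a stateful filter can decode that quoted header, recover the flow it belongs to, and pass the error only when that flow (or its reverse) is in the session table. Everything else about the filter (address ranges, the session-table contents, the packets themselves) is constructed for the demonstration; the addresses are from the documentation ranges.

```python
"""
Match ICMP error messages against a stateful firewall's session table.

Added example, not from the original thread. The packets and the session
table are constructed inline so the script runs offline.
"""
import socket
import struct

ICMP_ERROR_TYPES = {3: "dest-unreachable", 4: "source-quench",
                    11: "time-exceeded", 12: "parameter-problem"}
ICMP_REDIRECT = 5


def parse_ipv4(data):
    """Return (src, dst, proto, payload) from a raw IPv4 datagram."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", data[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, data[ihl:]


def quoted_flow(icmp_payload):
    """Decode the datagram quoted inside an ICMP error.

    Returns (src, dst, proto, sport, dport). The quoted first 8 bytes of a
    TCP or UDP header carry both ports; other protocols get None for ports.
    """
    src, dst, proto, rest = parse_ipv4(icmp_payload)
    if proto in (6, 17) and len(rest) >= 4:
        sport, dport = struct.unpack("!HH", rest[:4])
        return (src, dst, proto, sport, dport)
    return (src, dst, proto, None, None)


def icmp_error_verdict(datagram, sessions):
    """Decide whether an ICMP message may cross the firewall.

    sessions: set of (src, dst, proto, sport, dport) tuples for flows the
    firewall has already accepted, recorded from the originator's side.
    """
    src, dst, proto, payload = parse_ipv4(datagram)
    if proto != 1 or len(payload) < 8:
        return "NOT-ICMP"
    itype, code = payload[0], payload[1]
    if itype == ICMP_REDIRECT:
        return "DROP: redirect"            # never forwarded through a firewall
    if itype not in ICMP_ERROR_TYPES:
        return "NOT-ERROR"                 # echo etc. handled by ordinary rules
    flow = quoted_flow(payload[8:])
    # An error is addressed to the host that sent the quoted datagram.
    if dst != flow[0]:
        return "DROP: error not addressed to quoted sender"
    reverse = (flow[1], flow[0], flow[2], flow[4], flow[3])
    if flow in sessions or reverse in sessions:
        return f"PASS: {ICMP_ERROR_TYPES[itype]} code {code} matches session"
    return f"DROP: {ICMP_ERROR_TYPES[itype]} code {code} for unknown flow"


# --- constructed packets for the demonstration ---------------------------

def ipv4(src, dst, proto, payload, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def tcp_syn(src, dst, sport, dport):
    # 20-byte TCP header with SYN set; an ICMP error quotes only its first 8 bytes
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    return ipv4(src, dst, 6, tcp)


def icmp_error(src, dst, itype, code, quoted):
    # checksum left zero; the matching logic above does not verify it
    return ipv4(src, dst, 1, struct.pack("!BBHI", itype, code, 0, 0) + quoted[:28])


def demo():
    # Inside client 10.0.0.5 has an accepted TCP session to 203.0.113.10:80.
    sessions = {("10.0.0.5", "203.0.113.10", 6, 40000, 80)}
    # 1. An upstream router reports Time Exceeded about that session: pass it.
    legit = icmp_error("198.51.100.1", "10.0.0.5", 11, 0,
                       tcp_syn("10.0.0.5", "203.0.113.10", 40000, 80))
    # 2. Firewalking: an outside host sent a TTL-expiring SYN to 10.0.1.9:8080,
    #    the inside router 10.0.0.1 answers Time Exceeded. No session exists, so
    #    letting this outbound error out would reveal that the port is open
    #    through the firewall.
    leak = icmp_error("10.0.0.1", "192.0.2.7", 11, 0,
                      tcp_syn("192.0.2.7", "10.0.1.9", 53000, 8080))
    # 3. A Redirect, even for a known session, is dropped unconditionally.
    redir = icmp_error("198.51.100.1", "10.0.0.5", 5, 1,
                       tcp_syn("10.0.0.5", "203.0.113.10", 40000, 80))
    return {"legit": icmp_error_verdict(legit, sessions),
            "leak": icmp_error_verdict(leak, sessions),
            "redirect": icmp_error_verdict(redir, sessions)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} {verdict}")
```

The second case is the firewalking leak the quoted message describes: the probe itself may be permitted by a rule, but the resulting outbound Time Exceeded does not belong to any session the firewall established, so a filter that consults its state table drops it. The "spoofing up new ones with sensitive information replaced" option from the reply would sit at the same decision point, rewriting the quoted header before forwarding instead of dropping.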