this could lead to a very long discussion . . . . . but you can safely block ALL ICMP
in most situations. there are some types you would NOT deny, but all depends on your
own setup & needs. ie: if you want to be able to check your network from outside,
you'll need ECHO_REQUEST and ECHO_REPLY. if you want to be able to traceroute to your
internal network, you should not block TIME_EXCEEDED. if you're using path MTU
discovery, you can't block type 3, code 4 (fragmentation needed but DF bit set), and
so on. there's no such thing as a recipe . . . . you should know what each message
is good for, which one you need on your network, and then decide what you are going to
block/permit.
dario
At 11:12 AM 6/23/00 -0400, Damian Gerow wrote:
> From my understanding, no normal ICMP packet is above the standard Ethernet
>MTU. Granted, if it's going over a SLIP connection it might. But it would
>be a good idea to deny timestamp_request and addressmask_request from
>untrusted hosts.
>
>-----Original Message-----
>From: Sorin Florea [mailto:[EMAIL PROTECTED]]
>Sent: Friday, June 23, 2000 9:31 AM
>To: [EMAIL PROTECTED]
>Cc: [EMAIL PROTECTED]
>Subject: Re: ICMP fragments.
>
>
>
> I should have mentioned that I work for an ISP and I can't stop
>echo requests.
> If someone sends an ICMP packet large enough I believe it will be
>fragmented. While tcpdump-ing on one of my router's interfaces I saw
>something like that but it stopped fast so I couldn't get "a closer look".
>I suppose it was the ending of a flood.
>
>-------------------------
> Sorin Florea
> e-mail: [EMAIL PROTECTED]
> Romania Data Systems
> Constanta
>-------------------------
>
>On Fri, 23 Jun 2000 [EMAIL PROTECTED] wrote:
>
> > On 23 Jun, Sorin Florea wrote:
> > >
> > > Is there any reason to let ICMP fragments pass through my firewall?
> > > I think ipchains with -f option will kill them but only beginning
> > > with the second.
> > > I'm also blockin' ICMP protocol unreachable and port unreachable.
> > > What other ICMP packets can I safely block?
> > > Thanks.
> > >
> > > -------------------------
> > > Sorin Florea
> > > e-mail: [EMAIL PROTECTED]
> > > Romania Data Systems
> > > Constanta
> > > -------------------------
> > >
> > >
> > >
> > > -
> > > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > "unsubscribe firewalls" in the body of the message.]
> > >
> >
> > ..... ICMP "fragments"? I wasn't aware they existed...
> >
> > You can block echo requests, timestamp requests, and address-mask
> > requests. In fact, you _should_ block those.
> >
Dario N. Ciccarone
Internship SE
Cisco Systems
Argentina, Paraguay, Uruguay and Bolivia
Ing. Enrique Butty 240 Piso 17
C1001ABF, Buenos Aires, Argentina
Phone/Vmail: 54-11-4341-0203
Fax: 54-11-4341-0149
mailto:[EMAIL PROTECTED]
Pager: 54-11-4348-9000 PIN:1268307 or mailto:[EMAIL PROTECTED]
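The thread argues that ICMP should be default-deny with a short, site-specific permit list (echo for ping, time exceeded for traceroute, type 3 code 4 for path MTU discovery) and that non-first fragments are a special case because the ICMP header is only in the first fragment, which is what `ipchains -f` matches. The following is an added example written for this page, not code from any poster or from ipchains: it parses constructed IPv4/ICMP datagrams, verifies the ICMP checksum where that is possible, and applies that policy. The `allow_ping`, `allow_traceroute` and `allow_pmtud` knobs and the sample addresses 192.0.2.1 and 198.51.100.1 are assumptions made for the example.

```python
"""Toy IPv4/ICMP classifier implementing the default-deny policy discussed in the thread.

Packets are constructed in build_packet(); nothing here is captured traffic.
"""
import struct

# ICMP type numbers from RFC 792 (address-mask request is from RFC 950).
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
TIMESTAMP_REQUEST, ADDRESS_MASK_REQUEST = 13, 17
FRAG_NEEDED_DF_SET = 4  # code 4 under type 3 ("fragmentation needed but DF set")
IPPROTO_ICMP = 1


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(icmp_type=None, code=0, payload=b"", frag_offset=0, more_fragments=False):
    """Construct an IPv4 datagram carrying ICMP (constructed test input).

    frag_offset is in bytes and must be a multiple of 8. A non-first fragment
    (frag_offset > 0) carries payload only: the 8-byte ICMP header travels in the
    first fragment, so icmp_type is ignored there.
    """
    if frag_offset == 0:
        body = struct.pack("!BBH", icmp_type, code, 0) + b"\x00" * 4 + payload
        body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    else:
        body = payload
    flags_frag = ((1 if more_fragments else 0) << 13) | (frag_offset // 8)
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])  # assumed sample hosts
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0x1234,
                         flags_frag, 64, IPPROTO_ICMP, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + body


def parse_ipv4(pkt: bytes):
    """Return (header fields the filter needs, transport payload)."""
    vihl, _tos, total_len, _ident, flags_frag, _ttl, proto, _csum = struct.unpack(
        "!BBHHHBBH", pkt[:12])
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (vihl & 0x0F) * 4
    hdr = {
        "proto": proto,
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,
    }
    return hdr, pkt[ihl:total_len]


def classify(pkt: bytes, allow_ping=True, allow_traceroute=True, allow_pmtud=True):
    """Return (verdict, reason). Everything not explicitly needed is denied."""
    ip, payload = parse_ipv4(pkt)
    if ip["proto"] != IPPROTO_ICMP:
        return ("PASS", "not ICMP; left to other rules")
    if ip["frag_offset"] > 0:
        # Same situation ipchains -f handles: no ICMP header here, so the type
        # cannot be inspected and the fragment cannot be matched against the permit list.
        return ("DENY", "non-first fragment: ICMP type not visible")
    if len(payload) < 8:
        return ("DENY", "truncated ICMP header")
    itype, code, _csum = struct.unpack("!BBH", payload[:4])
    # The ICMP checksum covers the whole message, so it is only verifiable when the
    # datagram is unfragmented.
    if not ip["more_fragments"] and inet_checksum(payload) != 0:
        return ("DENY", "bad ICMP checksum")
    if itype in (ECHO_REQUEST, ECHO_REPLY):
        return ("ACCEPT" if allow_ping else "DENY", "echo request/reply (ping)")
    if itype == TIME_EXCEEDED:
        return ("ACCEPT" if allow_traceroute else "DENY", "time exceeded (traceroute)")
    if itype == DEST_UNREACH and code == FRAG_NEEDED_DF_SET:
        return ("ACCEPT" if allow_pmtud else "DENY", "frag needed, DF set (path MTU discovery)")
    if itype in (TIMESTAMP_REQUEST, ADDRESS_MASK_REQUEST):
        return ("DENY", "information request from an untrusted host")
    return ("DENY", "type %d code %d not on the permit list" % (itype, code))


if __name__ == "__main__":
    samples = {
        "ping": build_packet(ECHO_REQUEST, payload=b"abcd"),
        "pmtud": build_packet(DEST_UNREACH, FRAG_NEEDED_DF_SET),
        "port unreachable": build_packet(DEST_UNREACH, 3),
        "timestamp request": build_packet(TIMESTAMP_REQUEST),
        "2nd fragment": build_packet(frag_offset=1480, payload=b"\x00" * 8),
    }
    for name, pkt in samples.items():
        print("%-18s -> %s (%s)" % ((name,) + classify(pkt)))
```

Turning `allow_pmtud` off shows why Dario warns against blanket blocking: the type 3 code 4 message that PMTU discovery depends on is then dropped along with the rest of type 3, while the non-first-fragment branch shows why a type-based permit list alone cannot classify fragments.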