> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 7 August 2000 11:35 PM
> To: Ronneil Camara; [EMAIL PROTECTED]
> Subject: Re: So which ICMP...
>
>
>
> Ronneil,
>
[snip]
> You will only be able to allow specific types of ICMP traffic if you have an
> application layer proxy that can look at the packets and discard the types
> you do not need. On a packet filtering firewall if you allow ICMP traffic
> through your firewall then you are allowing all ICMP traffic

That's not usually true. All of the "simple" filters I've seen have been
able to selectively filter ICMP. A dumb packet filter has no theoretical
problem with this because it's all in the ICMP header (and layer 4 headers
are the domain of packet filters).
[snip]
> Check out "TCP/IP Illustrated, Volume 1" to find out just about everything you
> need to know about ICMP and TCP/IP.

I agree - Stevens' book is a fantastic source. If you've slugged most of the
way through that then you can just refresh with the RFCs.
>
> Regards,
> Jeffery Gieser
Personally, I allow packet-too-big, the unreachable family and (for low
threat sites) echo-reply and ttl-exceeded (for traceroute and ping). YMMV.
Cheers,
--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
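
An added illustration of the point made in the reply above (not code from the original message or from any firewall product): a stateless filter can pick ICMP messages apart using only fixed header offsets. The type and code numbers are from RFC 792; the function names, the `low_threat` switch and the sample packets are constructed for this example.

```python
import struct

# ICMP type/code numbers from RFC 792 for the messages named in the reply.
ECHO_REPLY, DEST_UNREACH, TIME_EXCEEDED = 0, 3, 11
FRAG_NEEDED = 4  # code under type 3, i.e. "packet too big"

def icmp_type_code(packet: bytes):
    """Return (type, code) from fixed header offsets, or None if not first-fragment IPv4 ICMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IP options shift the ICMP header
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:
        return None
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None                        # later fragments carry no ICMP header
    return packet[ihl], packet[ihl + 1]

def decide(packet: bytes, low_threat: bool = False) -> str:
    """Stateless verdict for an ICMP packet; anything not explicitly allowed is dropped."""
    tc = icmp_type_code(packet)
    if tc is None:
        return "drop"
    icmp_type, _code = tc
    if icmp_type == DEST_UNREACH:          # whole family, which includes FRAG_NEEDED
        return "accept"
    if low_threat and icmp_type in (ECHO_REPLY, TIME_EXCEEDED):
        return "accept"
    return "drop"

def build(icmp_type, code, ihl_words=5, frag_offset=0):
    """Constructed sample packet: IPv4 header (+ zeroed options) and an 8-byte ICMP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, ihl_words * 4 + 8, 0,
                     frag_offset, 64, 1, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + b"\x00" * ((ihl_words - 5) * 4) + struct.pack("!BBHI", icmp_type, code, 0, 0)

if __name__ == "__main__":
    for t, c in [(3, FRAG_NEEDED), (3, 1), (0, 0), (11, 0), (8, 0), (5, 1)]:
        print(t, c, decide(build(t, c)), decide(build(t, c), low_threat=True))
```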