On Sun, Dec 31, 2000 at 01:45:25PM -0800, Buddy Venne wrote:
> All -
> Is there something wrong with blocking all inbound icmp?
Yes.
If you block ICMP type "UNREACHABLE" subtype "WOULD_FRAGMENT"
then MTU discovery is going to break and various applications are going
to break or behave unpredictably (various timeouts and failures that are
network condition and server address dependent). I've seen it happen
first hand, and it's a royal pain. Seemingly random things are broken
with no explanation and it's really tough to debug and diagnose. Basically
you end up deciding that it's an MTU discovery failure when all other
explanations are exhausted. Then you start searching for who, in the
routing path, is blocking that ICMP type. When you discover it and fix
it, your mysterious problems mysteriously disappear.
> On my inbound accesslist I allow icmp to the perimeter router "outside"
> interfaces, and block icmp to any other address. Am I doing something
> outside of "best practices"?? Note I am not referring to my firewall, this
> is about the perimeter router configuration.
> I am wondering what others do.
I block all ICMP except UNREACHABLE WOULD_FRAGMENT. Seems to work
with a minimal number of random acts of terrorism.
> Bud Venne
> WAN/LAN Specialist
> Onyx Acceptance
> (949) 465-3775
>
>
> -----Original Message Header-----
> From: Chris Keladis [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, December 30, 2000 3:29 PM
> To: Enno Rey
> Cc: Greg Skafte; Daniel Crichton; [EMAIL PROTECTED]
> Subject: Re: List of "safe" ICMP types and codes
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
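The rule Mike describes (drop all inbound ICMP except Destination Unreachable / Fragmentation Needed, which is ICMP type 3 code 4, the message Path MTU Discovery depends on) can be modelled in a few lines. The following is an added example, not code from the thread or from any router vendor: it builds constructed sample packets, parses the ICMP header and the embedded original IP header, and applies the filter together with the sanity checks a stateful device would add (the error must be addressed to the inside host named as source in the embedded header, and that host must lie inside our prefix). The addresses, the 10.0.0.0/24 inside prefix and the 1400-byte next-hop MTU are assumptions chosen for the example.

```python
import ipaddress
import struct

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4   # Destination Unreachable / Fragmentation Needed (RFC 1191)
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a message with a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header with DF set (the sender is doing PMTUD).  The IP
    checksum is left zero because nothing here is ever put on the wire."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                       64, proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def icmp_message(itype: int, code: int, rest: bytes, body: bytes) -> bytes:
    """Assemble an ICMP message and fill in its checksum."""
    csum = icmp_checksum(struct.pack("!BBH", itype, code, 0) + rest + body)
    return struct.pack("!BBH", itype, code, csum) + rest + body


def frag_needed(router: str, host: str, original: bytes, next_hop_mtu: int) -> bytes:
    """Type 3 code 4: unused(16) | next-hop MTU(16), then the offending packet's
    IP header plus its first 8 bytes (RFC 792 / RFC 1191)."""
    ihl = (original[0] & 0x0F) * 4
    rest = struct.pack("!HH", 0, next_hop_mtu)
    msg = icmp_message(ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, rest, original[:ihl + 8])
    return ipv4_header(router, host, 1, len(msg)) + msg


def echo_request(src: str, dst: str) -> bytes:
    """Plain ping, the kind of inbound ICMP the rule is meant to drop."""
    msg = icmp_message(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", 1, 1), b"ping")
    return ipv4_header(src, dst, 1, len(msg)) + msg


def inbound_icmp_decision(packet: bytes, inside_prefix: str) -> dict:
    """Model of 'block inbound ICMP except Unreachable/Fragmentation Needed'
    for a packet arriving on the outside interface."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:                       # protocol field: 1 = ICMP
        return {"action": "not-icmp"}
    outer_dst = ipaddress.IPv4Address(packet[16:20])
    icmp = packet[ihl:]
    if len(icmp) < 8 or icmp_checksum(icmp) != 0:
        return {"action": "deny", "reason": "malformed icmp"}
    itype, code = icmp[0], icmp[1]
    if (itype, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        return {"action": "deny", "reason": "not frag-needed", "type": itype, "code": code}
    next_hop_mtu = struct.unpack("!H", icmp[6:8])[0]
    embedded = icmp[8:]                      # original IP header + 8 bytes
    if len(embedded) < 28:
        return {"action": "deny", "reason": "embedded header too short", "type": itype, "code": code}
    orig_src = ipaddress.IPv4Address(embedded[12:16])
    orig_dst = ipaddress.IPv4Address(embedded[16:20])
    # The error must be delivered to the host that sent the too-large packet,
    # and that host must be one of ours; otherwise it is not a PMTUD reply to us.
    if orig_src != outer_dst or orig_src not in ipaddress.IPv4Network(inside_prefix):
        return {"action": "deny", "reason": "embedded packet is not ours", "type": itype, "code": code}
    return {"action": "permit", "type": itype, "code": code, "next_hop_mtu": next_hop_mtu,
            "inside_host": str(orig_src), "remote_host": str(orig_dst)}


INSIDE = "10.0.0.0/24"   # assumed inside prefix
# Constructed sample traffic (documentation address ranges, not real hosts):
# an inside host sent a 1500-byte DF TCP segment to a remote server, and a
# router on the path with a 1400-byte link answers with Fragmentation Needed.
# Only the header and the first 8 bytes of the segment are needed here.
ORIGINAL = ipv4_header("10.0.0.5", "198.51.100.10", 6, 1480) + struct.pack("!HHI", 40000, 443, 1)
SAMPLES = {
    "frag_needed": frag_needed("203.0.113.1", "10.0.0.5", ORIGINAL, 1400),
    "echo_request": echo_request("198.51.100.10", "10.0.0.5"),
    # A forged error whose embedded packet claims a source that is not ours.
    "forged": frag_needed("203.0.113.1", "10.0.0.5",
                          ipv4_header("192.0.2.9", "198.51.100.10", 6, 1480) + bytes(8), 68),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, inbound_icmp_decision(pkt, INSIDE))
```

Running it permits only the genuine Fragmentation Needed message (reporting the 1400-byte next-hop MTU the inside host will use to shrink its segments) and denies both the ping and the forged error. A plain router ACL can only do the type/code match; the embedded-header checks are what a stateful firewall adds on top.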