I have ICMP turned off and I suffer from nothing. I allow myself traceroute
in/out via an ACL and a rule to another network that I trust, for problem
solving. I'm not really sure what or why you are referring to MTU in this case,
since the most I ever configured MTU was at the interface level only, for
either the gateway NIC, router interfaces, or individual servers. With that
said, there are only a few instances where you may wish to *allow* ICMP from a
non-trusted host, and that would be for propagation of DNS. I have noticed
that *some* of the world's named servers ping a host; this I'm assuming is
for routing reasons, and like I said it's only a few.
For us...
I deny ICMP and RIP; there is no need for the excessive inbound traffic, and
internally machines are allowed to ping each other via several internal
networks. My suggestion is again for troubleshooting reasons only: find
yourself a trusted destination, whether it be a partner, a foreign
enterprise office, or even a router on a backbone, to do your traceroutes
to and for testing, etc. Or, like Nancy suggested, utilize one host for
troubleshooting and use a temp rule to protect it when it is not in use. Just
about every portscan (and I use this statement loosely) can be defeated by
this simple implementation. I have not seen one yet that relies on ICMP get
by this. There are ways around this, as we all know, but this defeats a large
portion of them.
Just my 50 cents worth :)
Regards
Bill
Chief Security Officer
CyberBase7 Security Services METRO-SOC
Email:[EMAIL PROTECTED]
Web:http://www.cyberbase7.com
Phone:972.782.6595 ext 20
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Nancy Davis
> Sent: Monday, January 01, 2001 10:25 AM
> To: Olivier Kaloudoff
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED];
> [EMAIL PROTECTED]; Nancy Davis
> Subject: Re: List of "safe" ICMP types and codes
>
>
> > ]> Is there something wrong with blocking all inbound icmp?
> > ]
> > ]Yes, your network connectivity will greatly suffer. Performance problems
> > ]from failed Path MTU discovery and inability to debug connectivity problems.
>
> I disagree. You can open a single host for network
> checking with ping and traceroute, but you certainly
> do not need to let your entire network be vulnerable
> to ICMP probing.
>
> Nancy Davis
> >
> > here is an url for a description of such troubles;
> > http://www.worldgate.ca/~marcs/mtu/
> >
> > Olivier
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]