G'day,
I think we basically agree here. I'm working from the point of view of
someone who would rather block all ICMP all the time. That means that we
only need to worry about type 3. All the rest are basically optional / nice.
I normally allow, as I said, all the inbound type 3s because they can't be
used for mapping or attacks (unless there is a general ICMP problem with the
host stack, in which case it will probably exist for all of dest_unreach). It
can be used for tunneling, but so can a million other things.

I often do NOT allow any outbound unreachables since these _can_ be used for
mapping. Not sending outbound unreachables is impolite. I can live with
that, in many cases. The trouble is that you need to allow outbound
packet-too-big for PMTU-D to work if you have public servers. If you don't
then you're laughing, AFAIK.

If people want to get really paranoid then I think that we can pare down to
host-unreach and port-unreach for inbound and no ICMP at all outbound,
provided that you don't have public servers that clients might want to use
PMTU-D on. I hear that some servers initiate PMTU-D from their end, however,
which would screw things up. Can anyone confirm / deny?
Cheers,
--
Ben Nagy
Marconi Services
Network Integration Specialist
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
> -----Original Message-----
> From: Bernd Eckenfels [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 2 January 2001 2:57
> To: [EMAIL PROTECTED]
> Subject: Re: List of "safe" ICMP types and codes
>
>
> On Tue, Jan 02, 2001 at 09:28:35AM +1030, Ben Nagy wrote:
> > Inbound - all unreachables (type 3)
> > Outbound - packet-too-big (3/4, from memory?)
>
> Both Types are in and outbound, especially the second one.
> You do not all need all types of Type 3, all the net subtypes are ignored
> most of the time, anyway:
[giant snip]
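The two policies Ben sketches above (the normal one: all inbound type 3, only outbound 3/4 packet-too-big; the paranoid one: only inbound host-unreach and port-unreach, nothing outbound) are easy to get subtly wrong in a rule set, so here is an added example, not from the thread, that parses raw ICMP packets and returns the verdict each policy gives. The packets are constructed in the script; the function names (`build_icmp`, `decide`) and the verdict strings are my own, and it goes one step beyond the discussion by also verifying the ICMP checksum so that a malformed unreachable is dropped rather than passed through.

```python
"""Added example: apply the ICMP filtering policies from the thread to raw packets.

Everything here is constructed for illustration; it is not code from the list
or from any firewall product.
"""
import struct

ICMP_DEST_UNREACH = 3          # "destination unreachable" family
ICMP_ECHO_REQUEST = 8          # used below only to show it is dropped

# Type 3 codes from RFC 792 / RFC 1122
CODE_NET_UNREACH = 0
CODE_HOST_UNREACH = 1
CODE_PORT_UNREACH = 3
CODE_FRAG_NEEDED = 4           # "packet too big"; what PMTU discovery relies on


def icmp_checksum(data: bytes) -> int:
    """Standard Internet (ones-complement) checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4,
               payload: bytes = b"") -> bytes:
    """Construct an ICMP message with a valid checksum (constructed sample data)."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload


def build_frag_needed(next_hop_mtu: int) -> bytes:
    """A 3/4 packet-too-big message carrying the next-hop MTU (RFC 1191 layout)."""
    return build_icmp(ICMP_DEST_UNREACH, CODE_FRAG_NEEDED,
                      rest=struct.pack("!HH", 0, next_hop_mtu))


def parse_icmp(packet: bytes):
    """Return (type, code); raise ValueError on a short or corrupted message."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _ = struct.unpack("!BBH", packet[:4])
    # A message with a correct checksum field sums to zero.
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    return icmp_type, code


def decide(direction: str, packet: bytes, paranoid: bool = False) -> str:
    """Verdict ('ACCEPT' or 'DROP') for an ICMP packet crossing the firewall.

    direction: 'in' (towards our hosts) or 'out' (from our hosts).
    Normal policy:   inbound any type 3; outbound only 3/4 (packet-too-big).
    Paranoid policy: inbound only 3/1 and 3/3; nothing outbound at all.
    Anything that is not type 3, or does not parse, is dropped either way.
    """
    try:
        icmp_type, code = parse_icmp(packet)
    except ValueError:
        return "DROP"
    if icmp_type != ICMP_DEST_UNREACH:
        return "DROP"
    if direction == "in":
        if paranoid:
            return "ACCEPT" if code in (CODE_HOST_UNREACH, CODE_PORT_UNREACH) else "DROP"
        return "ACCEPT"
    if direction == "out":
        if paranoid:
            return "DROP"
        return "ACCEPT" if code == CODE_FRAG_NEEDED else "DROP"
    raise ValueError("direction must be 'in' or 'out'")


if __name__ == "__main__":
    samples = [
        ("in", build_icmp(ICMP_DEST_UNREACH, CODE_PORT_UNREACH)),
        ("in", build_icmp(ICMP_DEST_UNREACH, CODE_NET_UNREACH)),
        ("in", build_icmp(ICMP_ECHO_REQUEST, 0)),
        ("out", build_frag_needed(1400)),
        ("out", build_icmp(ICMP_DEST_UNREACH, CODE_HOST_UNREACH)),
    ]
    for direction, pkt in samples:
        t, c = parse_icmp(pkt)
        print(f"{direction:3} type {t} code {c}: normal={decide(direction, pkt)} "
              f"paranoid={decide(direction, pkt, paranoid=True)}")
```

The checksum check matters in practice: an unreachable with a bad checksum is discarded by the receiving stack anyway, so letting it through only gives an attacker a free covert channel past the filter. Note that the script reasons about the ICMP header alone; a real stateful firewall would also match the embedded original datagram against an existing connection before accepting an inbound unreachable.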