On 25/04/07, Joachim Schipper <[EMAIL PROTECTED]> wrote:
On Wed, Apr 25, 2007 at 10:40:45PM +0200, Timo Schoeler wrote:
> On Wed, 25 Apr 2007 20:19:42 +0000 (UTC)
> Tobias Weingartner <[EMAIL PROTECTED]> wrote:
>
> > Chad M Stewart wrote:
> > >  On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
> > > >
> > > > pass in inet proto icmp all icmp-type $icmp_types keep state
> > >
> > >  This can be used as a covert communication channel.  Allowing
> > >  internal IPs to send/receive ping is bad.
> >
> > Bull.  Not allowing ICMP is just as bad.  Worse actually, as you
> > are violating RFCs.  Quit spreading this FUD.
>
> hi,
>
> actually, me thinks the same about allowing/denying ICMP as you,
> tobias. however, we recently had a CCIE/NSA certified blahblah guy in
> our company, tuning our, err, Cizcoooeee equipment.
>
> guess what he did -- he violated 'the RFCs'.
>
> unfortunately, i wasn't able to find them on the net. do you have them
> handy? i'm very curious about that :)

In general, though, it will almost always be possible to get data in/out
of the network. IP-over-DNS comes to mind. If this particular vector is
used by a widely deployed worm, it might be worth it; but otherwise,
just ignore it.

Do you intend to ask where 'the RFCs' are? (If so, www.ietf.org is a
good choice.) Or in what RFC this particular requirement is? (No real
idea...)

I didn't expect it to come that easily, but google was helpful here:
RFC2979 has this:

3.1.1.  Path MTU Discovery and ICMP

  ICMP messages are commonly blocked at firewalls because of a
  perception that they are a source of security vulnerabilities.  This
  often creates "black holes" for Path MTU Discovery [3], causing
  legitimate application traffic to be delayed or completely blocked
  when talking to systems connected via links with small MTUs.

  By the transparency rule, a packet-filtering router acting as a
  firewall which permits outgoing IP packets with the Don't Fragment
  (DF) bit set MUST NOT block incoming ICMP Destination Unreachable /
  Fragmentation Needed errors sent in response to the outbound packets
  from reaching hosts inside the firewall, as this would break the
  standards-compliant usage of Path MTU discovery by hosts generating
  legitimate traffic.

  On the other hand, it's proper (albeit unfriendly) to block ICMP Echo
  and Echo Reply messages, since these form a different use of the
  network, or to block ICMP Redirect messages entirely, or to block
  ICMP DU/FN messages which were not sent in response to legitimate
  outbound traffic.

  [3]  Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191,
       November 1990.


                Joachim

--
TFMotD: kadmin (8) - Kerberos administration utility

--
viq
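As an added illustration, not part of viq's or Joachim's message, here is a pf.conf fragment that encodes the RFC 2979 3.1.1 guidance quoted above instead of passing every type in a single $icmp_types list. The interface name em0 and the choice to permit outbound echo requests are assumptions for the example; the icmp-type and code keywords are the ones documented in pf.conf(5).

```pf
# Added example pf.conf fragment (not from the thread). Assumes em0 is the
# external interface; adjust to the local setup.
ext_if = "em0"

# Outbound TCP/UDP creates state, so replies come back on their own.
pass out on $ext_if inet proto { tcp, udp } from ($ext_if) keep state

# RFC 2979 3.1.1: a firewall that lets DF-marked packets out MUST NOT drop
# the matching Destination Unreachable / Fragmentation Needed (type 3, code 4)
# errors, or Path MTU Discovery black-holes. Stated explicitly so the policy
# is visible in the ruleset rather than relying on implicit behaviour.
pass in on $ext_if inet proto icmp icmp-type unreach code needfrag

# Echo: allowed here with state so only replies to our own requests return.
# RFC 2979 calls blocking echo/echo-reply "proper (albeit unfriendly)", so
# sites that want to are free to drop this rule instead.
pass out on $ext_if inet proto icmp icmp-type echoreq keep state

# Redirects may be dropped entirely at the border (also per RFC 2979).
block in on $ext_if inet proto icmp icmp-type redir

# Everything else inbound ICMP that is not tied to a state is dropped by the
# default block; log it so unsolicited ICMP is visible in pflog.
block in log on $ext_if inet proto icmp
```

Rule order matters in pf (last matching rule wins unless `quick` is used), so the final catch-all block sits after the specific pass rules. Check the result with `pfctl -nf /etc/pf.conf` before loading it.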