Survive without ICMP?

Anonymous
May 20, 2004 12:00:14 AM

Archived from groups: comp.security.firewalls

Can I survive if I block all ICMP requests?
Win2K Pro SP.4 single user

Anonymous
May 20, 2004 12:00:15 AM

Alan Illeman wrote:

> Can I survive if I block all ICMP requests?

Yes. However, this is a very low security risk
and pertains mostly to information gathering.

You may close port 0 (zero) and test your machine.
I have a Win2K box here but have never tested this
so I cannot speak with complete authority. There
might be a handshake problem created, not sure
on this. Won't disable your machine, however.

You will note most common inexpensive routers
do not allow port 0 filtering (blocking) which
suggests this is not a real issue.

Typically, there are three events associated with
port 0 which are a very low security risk.

Here is an article on one event. You will note
your NT5 is not listed.

http://archives.neohapsis.com/archives/bugtraq/2002-10/...

Another is an icmp timestamp request and reply. Rather
meaningless because this only returns your local time.
Some say this information can be used to defeat time
sensitive security. Not likely.

Research icmp type 13 and icmp type 14 both found through Google.

Third and final security concern is your netmask can be returned
by icmp type 17 which, most likely, will be 255.255.255.0 indicating
a single address. It is said hackers can map your internal LAN
addresses using this, which I doubt very much. Perhaps so but this
seems rather useless information.

You really do not have to be too concerned about icmp port 0
hacks, there really are not any, none worthy of worry.

Close your port 0 and run your machine for a week or two
and discover if there are any problems. I am not even
sure Win2k will allow you to close port 0, I have
never looked!

Here is a detailed article on icmp,

http://www.robertgraham.com/pubs/firewall-seen.html#2

There is a "man-in-the-middle" attack involving certificates,
SSL,SSH and ipsec, but this does not seem a common attack.
Today, I believe this mostly applies to ipsec tunneling,
which is very secure. I have not read about this type of
attack in a very long time.


Purl Gurl
--
Amazing Perl Scripts!
http://www.purlgurl.net/~callgirl/android.html
Anonymous
May 20, 2004 3:54:10 AM

Purl Gurl wrote:

>You really do not have to be too concerned about icmp port 0
>hacks, there really are not any, none worthy of worry.

I'm just curious if you know why that is true.
Anonymous
May 20, 2004 9:39:10 AM

Bart Bailey wrote:

> Purl Gurl wrote:

> >http://www.purlgurl.net/~callgirl/android.html

> Just spent a few moments w/Roberta ;-)

I am pleased you enjoyed her!

Roberta is a very complex program and remains
a work in progress. I have been developing
her for five years, this year is the fifth.

Actually, she is not a single program but
rather a collection of programs spread out
over several machines. Her primary program
is a Perl script some five-thousand lines
long. She has support programs which are
MSDOS based, compiled C language, some
Visual Basic macros and traditional Win32
binaries. She also accesses the internet
for some functions, such as horoscopes.

Her databases now exceed two gigabytes.

My greatest challenge and most complex
task is writing grammar rules. This has
been my focus for the past two years.
Her level of grammar correctness still
remains at a "middle school" level.

She does have rudimentary memory abilities
but I have yet to enable this feature.
A memory will afford her an ability to
respond with user information provided
in earlier conversations, such as being
able to recall a person's name or the
age of a person's child.

Roberta is far from complete and never will
be complete. Writing "Artificial Intelligence"
programs is still in infancy, fairly much
at an abacus stage, historically.

She does have quite the personality, however!

Purl Gurl
Anonymous
May 20, 2004 11:44:04 AM

"Purl Gurl" <purlgurl@purlgurl.net> wrote in message
news:40AC022E.B0E32C60@purlgurl.net...
> Alan Illeman wrote:
>
> > Can I survive if I block all ICMP requests?
>
> Yes. However, this is a very low security risk
> and pertains mostly to information gathering.
>
> You may close port 0 (zero) and test your machine.
> I have a Win2K box here but have never tested this
> so I cannot speak with complete authority. There
> might be a handshake problem created, not sure
> on this. Won't disable your machine, however.
>
> You will note most common inexpensive routers
> do not allow port 0 filtering (blocking) which
> suggests this not a real issue.
>
> Typically, there are three events associated with
> port 0 which are a very low security risk.
>
> Here is an article on one event. You will note
> your NT5 is not listed.
>
> http://archives.neohapsis.com/archives/bugtraq/2002-10/...
>
> Another is an icmp timestamp request and reply. Rather
> meaningless because this only returns your local time.
> Some say this information can be used to defeat time
> sensitive security. Not likely.
>
> Research icmp type 13 and icmp type 14 both found through Google.
>
> Third and final security concern is your netmask can be returned
> by icmp type 17 which, most likely, will be 255.255.255.0 indicating
> a single address. It is said hackers can map your internal LAN
> addresses using this, which I doubt very much. Perhaps so but this
> seems rather useless information.
>
> You really do not have to be too concerned about icmp port 0
> hacks, there really are not any, none worthy of worry.
>
> Close your port 0 and run your machine for a week or two
> and discover is there are any problems. I am not even
> sure Win2k will allow you to close port 0, I have
> never looked!
>
> Here is a detailed article on icmp,
>
> http://www.robertgraham.com/pubs/firewall-seen.html#2
>
> There is a "man-in-the-middle" attack involving certificates,
> SSL,SSH and ipsec, but this does not seem a common attack.
> Today, I believe this mostly applies to ipsec tunneling,
> which is very secure. I have not read about this type of
> attack in a very long time.

Thank you, Purl.
Anonymous
May 20, 2004 1:03:23 PM

Hi,

Purl Gurl <purlgurl@purlgurl.net> wrote:
> You may close port 0 (zero)

Port 0 and ICMP are not the same. Really.

Greetings,
Jens
Anonymous
May 20, 2004 1:03:24 PM

Jens Hoffmann wrote:

> Purl Gurl wrote:

(previously snipped)

> > You may close port 0 (zero)

> Port 0 and ICMP are not the same. really.

Yes. There is much debate on this topic. One
of my links provided, discusses this issue.

From a security point of view, traditionally most
icmp hack attempts are aimed at port 0 typically.

I am not completely familiar with the mechanics of
this and why attempts often appear on this port.
Many DNS servers, email servers, both have features
for denial of port 0 requests. A lot of routers
and firewalls also are able to address this port.

A reader should note, not all appliances and
software have port 0 features; mixed bag.

Professional level security surveys do test
port 0 hacks, which are aimed at icmp security.
These commercial and subscription based surveys
do run a lot of tests on port 0 and appear in
generated reports for customers. All of those
tests are icmp security attempts via port 0.

My belief is port 0 is often used or was often
used in the past to enable usage of telnet
programs and custom socket programs by those
looking to "map" a server via information
returned by selected icmp packets.

Completely shutting down icmp transactions,
I am not sure, but this could cause some
handshake problems; ready, not ready states.
To deny all icmp transactions would be a
bit of overkill and may cause more problems
than are resolved.

Which method is best, closing port 0 or shutting
down all icmp transactions, this is a system
specific issue and user issue. It is an issue
for internet transactions because of icmp use
being a "primitive" level initial contact for
verifying status states for transactions.

Testing and noting results would be prudent.


Purl Gurl
Anonymous
May 20, 2004 5:59:32 PM

Hi Alan & Purl,
ICMP does not include any ports.

You may find each information contained in a ICMP
packet on IANA web site :
http://www.iana.org/assignments/icmp-parameters

Blocking "Requests" means block "ping" only, and can be
done without having problems.

ping is ICMP Type 8 Code 0.

Some worms & hackers use ping to find alive hosts.
If your host doesn't answer to pings, some worms will
think the host is down and won't try to infect it.

"Port 0" hacks are mostly aimed at OS fingerprinting, and are used
with TCP & UDP protocols, not ICMP.

Here is some info about it:
http://www.networkpenetration.com/port0.html

Hope that helps

Have a nice day

Maxime Ducharme
Programmeur / Spécialiste en sécurité réseau

"Purl Gurl" <purlgurl@purlgurl.net> wrote in message
news:40AC022E.B0E32C60@purlgurl.net...
> Alan Illeman wrote:
>
> > Can I survive if I block all ICMP requests?
>
> Yes. However, this is a very low security risk
> and pertains mostly to information gathering.
>
> You may close port 0 (zero) and test your machine.
> I have a Win2K box here but have never tested this
> so I cannot speak with complete authority. There
> might be a handshake problem created, not sure
> on this. Won't disable your machine, however.
>
> You will note most common inexpensive routers
> do not allow port 0 filtering (blocking) which
> suggests this not a real issue.
>
> Typically, there are three events associated with
> port 0 which are a very low security risk.
>
> Here is an article on one event. You will note
> your NT5 is not listed.
>
> http://archives.neohapsis.com/archives/bugtraq/2002-10/...
>
> Another is an icmp timestamp request and reply. Rather
> meaningless because this only returns your local time.
> Some say this information can be used to defeat time
> sensitive security. Not likely.
>
> Research icmp type 13 and icmp type 14 both found through Google.
>
> Third and final security concern is your netmask can be returned
> by icmp type 17 which, most likely, will be 255.255.255.0 indicating
> a single address. It is said hackers can map your internal LAN
> addresses using this, which I doubt very much. Perhaps so but this
> seems rather useless information.
>
> You really do not have to be too concerned about icmp port 0
> hacks, there really are not any, none worthy of worry.
>
> Close your port 0 and run your machine for a week or two
> and discover is there are any problems. I am not even
> sure Win2k will allow you to close port 0, I have
> never looked!
>
> Here is a detailed article on icmp,
>
> http://www.robertgraham.com/pubs/firewall-seen.html#2
>
> There is a "man-in-the-middle" attack involving certificates,
> SSL,SSH and ipsec, but this does not seem a common attack.
> Today, I believe this mostly applies to ipsec tunneling,
> which is very secure. I have not read about this type of
> attack in a very long time.
>
>
> Purl Gurl
> --
> Amazing Perl Scripts!
> http://www.purlgurl.net/~callgirl/android.html
Anonymous
May 20, 2004 5:59:33 PM

Maxime Ducharme wrote:

> Purl Gurl wrote:
> > Alan Illeman wrote:

(snipped)

> > > Can I survive if I block all ICMP requests?

> ICMP does not include any ports.

> http://www.iana.org/assignments/icmp-parameters

> http://www.networkpenetration.com/port0.html

Thank you, Maxime, for additional information.
This benefits all readers. Like you, I encourage
readers to follow those links and other links,
to research, read and learn, keeping in mind
each author will present his specific viewpoint.
A variety of research sources will provide a
much better generalized notion, and clarity.

You will note in my articles I make a distinction
between port zero and icmp packets. You will also
discover I indicate historical hacks for icmp data
arrive through port 0 which is well documented.

You will discover by writing your own custom program
there are a minimum of three responses through port 0
which are icmp responses, types 13, 14 and 17.

Perhaps it is each operating system handles port 0
requests differently, leading to a default action
which returns icmp responses. It is documented there
is wide variation how each system, and each system
version, handles port 0 inquiries, bidirectional.

Unfortunately, none of us are experts on each and
every system type out there.

Your links provide additional information so readers
can become better informed about this clouded issue.

Standard issue advice is to close port 0 to all
connections, and deny only selected icmp types.
My previous articles add some information, albeit
limited, why closing port 0 is preferred over
denial of all icmp packets. Some system issues
may come about thus my suggestion to test and
note results.

Readers will benefit by engaging in a detailed
highly technical study of this, but expect to
encounter some lack of clarity; there are many
valid points of view on this.


Purl Gurl
Anonymous
May 20, 2004 7:24:29 PM

Thanks for your comments, I also agree with the point that we
are all learning and sharing information is a good thing :) 

But I still do not understand "icmp data arrive through port 0 "

ICMP resides above IP protocol, and beside TCP & UDP.

ICMP means Internet Control Message Protocol, and isn't
used to exchange data, it is used to help hosts to know what
is happening.

Some way you may see ICMP get out of your box when
it receives a UDP or TCP packet on port 0 would be packets
ICMP Type 3 Code 3 (Port unreachable).

ex:
TCP foreignhost -> yourbox:0 (connect to port 0)
ICMP yourbox -> foreignhost (port is unreachable)

This would be normal behavior for a TCP/IP stack.

Another way that port was used is to set source port to
0 and send this packet to an opened port of a server
to determine its OS with its TCP/IP stack behavior.
ex:

TCP foreignhost:0 -> awebserver:80 (opened port)
TCP awebserver:80 -> foreignhost:1025 (the stack changed source port to
1025)

this article :
http://archives.neohapsis.com/archives/bugtraq/2002-10/...
doesn't talk about ICMP, it talks about TCP flags combinations
to determine OS via its TCP/IP stack behavior.

It does not talk about port 0 either.

This article :
http://www.robertgraham.com/pubs/firewall-seen.html#2
indicates

"Some firewalls (inaccurately) label ICMP fields as "ports". ICMP has no
ports like TCP or UDP, but it does have two fields called "type" and
"code"."

It gives an example about what I just explained, an ICMP response
is usually returned to the foreign host when there is a problem
(like host unreachable, port unreachable, protocol unreachable, ...)
with asked port. But this port can be anything between 0 and 65535.

I suggest more readings :
http://www.ietf.org/rfc/rfc1122.txt section 3.2.2
http://www.robertgraham.com/pubs/hacking-dict.html#icmp
http://www.thinkingsecure.com/docs/TCPIP-Illustrated-1/...
http://www.citap.com/documents/tcp-ip/tcpip012.htm

And this one explains how to configure a linux firewall what to do
when it receives a TCP packet to a forbidden port which may
help to understand :
http://logi.cc/linux/reject_or_deny.html

We can either :
- Drop the packet (no answer to foreign)
- Send a TCP packet with RST flag to foreign
(means "my port is closed")
- Send an ICMP message with the correct type & code
saying "port is unreachable"

Hope this helps again

Have a nice day

Maxime Ducharme
Programmeur / Spécialiste en sécurité réseau

"Purl Gurl" <purlgurl@purlgurl.net> wrote in message
news:40ACC01E.4E1AEF30@purlgurl.net...
> Maxime Ducharme wrote:
>
> > Purl Gurl wrote:
> > > Alan Illeman wrote:
>
> (snipped)
>
> > > > Can I survive if I block all ICMP requests?
>
> > ICMP does not include any ports.
>
> > http://www.iana.org/assignments/icmp-parameters
>
> > http://www.networkpenetration.com/port0.html
>
> Thank you, Maxime, for additional information.
> This benefits all readers. Like you, I encourage
> readers to follow those links and other links,
> to research, read and learn, keeping in mind
> each author will present his specific viewpoint.
> A variety of research sources will provide a
> much better generalized notion, and clarity.
>
> You will note in my articles I make a distinction
> between port zero and icmp packets. You will also
> discover I indicate historical hacks for icmp data
> arrive through port 0 which is well documented.
>
> You will discover by writing your own custom program
> there are a minimum of three responses through port 0
> which are icmp responses, types 13, 14 and 17.
>
> Perhaps it is each operating system handles port 0
> requests differently, leading to a default action
> which returns icmp responses. It is documented there
> is wide variation how each system, and each system
> version, handles port 0 inquiries, bidirectional.
>
> Unfortunately, none of us are experts are each and
> every system type out there.
>
> Your links provide additional information so readers
> can become better informed about this clouded issue.
>
> Standard issue advice is to close port 0 to all
> connections, and deny only selected icmp types.
> My previous articles add some information, albeit
> limited, why closing port 0 is preferred over
> denial of all icmp packets. Some system issues
> may come about thus my suggestion to test and
> note results.
>
> Readers will benefit by engaging in a detailed
> highly technical study of this, but expect to
> encounter some lack of clarity; there are many
> valid points of view on this.
>
>
> Purl Gurl
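The port-unreachable exchange and the "ICMP has types and codes, not ports" point made in the post above, as an added example that is not code from this thread: it decodes constructed ICMP messages, verifies the RFC 792 checksum, pulls the original destination port out of the datagram a Type 3 Code 3 message quotes, and applies a "deny only selected types" host policy in the spirit of the thread's advice (which types land in the drop and keep sets is an assumption made here).

```python
"""Decode ICMP messages (RFC 792) and locate the only place a "port" appears.

Added example, not code from this thread. ICMP has no port field, only a
type and a code; a TCP/UDP port number is present only inside the quoted
original datagram that error messages such as Type 3 Code 3 (port
unreachable) carry. All packets below are constructed for this example.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Type names used in the thread (see the IANA icmp-parameters registry).
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 8: "echo request",
              11: "time exceeded", 12: "parameter problem", 13: "timestamp request",
              14: "timestamp reply", 17: "address mask request", 18: "address mask reply"}

# Policy assumed here, following the thread's "deny only selected types":
# drop the information-gathering types, keep the error types a host needs
# (type 3 code 4 "fragmentation needed" drives PMTU discovery, which is why
# "deny all ICMP" can stall connections).
DROP_TYPES = {8, 13, 14, 17, 18}
KEEP_TYPES = {0, 3, 11, 12}


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit words (0 for a valid packet)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class IcmpMessage:
    icmp_type: int
    code: int
    checksum_ok: bool
    # Set only for error messages that quote the original IP datagram.
    inner_proto: Optional[int] = None
    inner_src_port: Optional[int] = None
    inner_dst_port: Optional[int] = None

    @property
    def name(self) -> str:
        return ICMP_TYPES.get(self.icmp_type, f"type {self.icmp_type}")


def parse_icmp(pkt: bytes) -> IcmpMessage:
    """Parse an ICMP message (ICMP header plus body, outer IP header removed)."""
    if len(pkt) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _csum = struct.unpack("!BBH", pkt[:4])
    msg = IcmpMessage(icmp_type, code, checksum(pkt) == 0)
    # Error types carry the original IP header plus the first 8 bytes of its
    # payload; for TCP/UDP those 8 bytes start with source and destination port.
    if icmp_type in (3, 11, 12) and len(pkt) >= 8 + 20 + 8:
        inner = pkt[8:]
        ihl = (inner[0] & 0x0F) * 4
        msg.inner_proto = inner[9]
        if msg.inner_proto in (6, 17) and len(inner) >= ihl + 4:
            msg.inner_src_port, msg.inner_dst_port = struct.unpack("!HH", inner[ihl:ihl + 4])
    return msg


def policy(msg: IcmpMessage) -> str:
    """Host-firewall verdict for one message: 'allow', 'drop' or 'review'."""
    if msg.icmp_type in KEEP_TYPES:
        return "allow"
    return "drop" if msg.icmp_type in DROP_TYPES else "review"


def build_icmp(icmp_type: int, code: int, body: bytes) -> bytes:
    """Assemble an ICMP message with a correct checksum."""
    raw = struct.pack("!BBH", icmp_type, code, 0) + body
    return raw[:2] + struct.pack("!H", checksum(raw)) + raw[4:]


def build_inner_ipv4(proto: int, src_port: int, dst_port: int) -> bytes:
    """Constructed 20-byte IPv4 header plus the first 8 bytes of transport header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, proto, 0,
                     bytes([10, 1, 1, 1]), bytes([10, 1, 1, 2]))
    return ip + struct.pack("!HHI", src_port, dst_port, 0)


# Constructed samples.
# Plain ping (type 8 code 0): identifier 1, sequence 1; no port anywhere.
PING = build_icmp(8, 0, struct.pack("!HH", 1, 1))
# Port-unreachable reply to a TCP SYN aimed at port 0, the thread's
# "TCP foreignhost -> yourbox:0 / ICMP yourbox -> foreignhost" exchange.
PORT_UNREACHABLE = build_icmp(3, 3, b"\x00" * 4 + build_inner_ipv4(6, 59338, 0))
# Timestamp request (type 13): one of the information-gathering types.
TIMESTAMP = build_icmp(13, 0, struct.pack("!HHIII", 1, 1, 0, 0, 0))


if __name__ == "__main__":
    for p in (PING, PORT_UNREACHABLE, TIMESTAMP):
        m = parse_icmp(p)
        print(m.name, "code", m.code, "->", policy(m), "quoted dst port:", m.inner_dst_port)
```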
Anonymous
May 20, 2004 7:26:24 PM

Purl Gurl wrote:
(snipped)

> Yes. However, this is a very low security risk
> and pertains mostly to information gathering.
>
> You may close port 0 (zero) and test your machine.

(snipped)

>
> Purl Gurl

Ah, the wonderful ICMP packet, be careful with it, for the power of the
Ping is something only the most hardy can deal with consciously.

My personal opinion is that the majority of firewalls log packets with
ports in mind to deal with UDP and TCP packets, but when an ICMP packet
is logged the port field is simply filled with a "0x0" instead of
[null]. Perhaps this is where all the confusion lies?

It's impossible to listen on port 0, or at least I found with winxp and
debian both replaced my port 0 listening attempt with a random available
port.

After some searching on the subject it mostly leads to this info.
Although Purl was correct to say that port 0 is a security risk, albeit
a low one, as malformed packets can be explicitly targeted for port 0
and depending on the operating system/firewall they are directed at a
different response is given, and you can use this response to give an
educated guess as to what the OS/Firewall is.

My experience on this subject is low, I'm just adding my 0.02 euro :D 

One thing I noticed about this group is it's very headstrong to tell
people they are wrong or show that they are smart. In technology, there
is always the possibility that some things aren't so cut and dry.
I ask that members of this group try to communicate with a little more
respect to each other since we are all professionals and there are some
pretty intelligent people here. I hope I wasn't disrespectful to anyone.


Regards,
Steve.
--
May the ping be with you ....

Registered Linux user number: 355729
Anonymous
May 20, 2004 7:26:25 PM

Stalks wrote:

> Purl Gurl wrote:

(snipped)

> > Yes. However, this is a very low security risk
> > and pertains mostly to information gathering.

> > You may close port 0 (zero) and test your machine.

> Ah, the wonderful ICMP packet, be careful with it, for the power of the
> Ping is something only the most hardy can deal with consciously.

Yes, great care needs to be taken with icmp packets, thus my
suggestion to test and note results; there may be problems.

No pings allowed here, though, so stop that!


> After some searching on the subject it mostly leads to this info.
> Although Purl was correct to say that port 0 is a security risk, albeit
> a low one, as malformed packets can be explicitly targetted for port 0
> and depending on the operating system/firewall they are directed at a
> different response is given, and you can use this response to give an
> educated guess as to what the OS/Firewall is.

Precisely. There are lots of rules, lots of definitions, but this does
not ensure those rules and definitions will be followed. Microsoft
is well known for inventing their own protocol definitions.

I suspect part of the problem on this is we, all of us, run such
complicated systems, WAN, modem, router, LAN, firewall, networking
and who knows how many different system types hooked together, we
can no longer rely on rules and definitions. Any one component can
have a mind of its own, much like a woman, as men slowly learn.

It is not my habit to guarantee any specific action will result
in specific results. We just don't know. On this topic, I would
rather suggest closing port 0, when allowed, than mess around
with icmp packet filtering and note what happens.

You may label me a rule breaker and may label all things internet
related, rule breakers as well.

I tend to cringe when people start citing definitions, rules,
http protocol, RFC "must do this" rules. Most of those rules
are rarely followed.

There is suspicion in mind now, Microsoft might be breaking
some rules on port 0, but I cannot convict them, just yet.
We have a lot of equipment sitting in front of our MS servers.

Our system does respond to Port 0 and does send ICMP packets.


> My experience on this subject is low, I'm just adding my 0.02 euro :D 

Not only do you Europeans drive on the wrong side of the road,
you also carry funny looking coins in your pockets. :D 


May the EURO be with you.

Purl Gurl
Anonymous
May 20, 2004 7:53:41 PM

Hi,

Purl Gurl <purlgurl@purlgurl.net> wrote:
>> Port 0 and ICMP are not the same. really.
> From a security point of view, traditionally most
> icmp hack attempts are aimed at port 0 typically.

Once again: ICMP has no ports. There are types. You have ports with
TCP and UDP, not with ICMP.

> I not completely familiar with the mechanics of
> this and why attempts often appear on this port.

You are not familiar with the TCP/IP protocol family.
Read Tanenbaum, Stevens, Cheswick.

> My belief is port 0 is often used or was often
> used in the past to enable usage of telnet
> programs and custom socket programs by those
> looking to "map" a server via information
> returned by selected icmp packets.

What are you talking about?

> Completely shutting down icmp transactions,
> I not sure but what this could cause some
> handshake problems; ready, not ready states.

Read Stevens. Read Cheswick.

> To deny all icmp transactions would be a
> bit of overkill and may cause more problems
> than are resolved.

Definitely.

> Which method is best, closing port 0 or shutting
> down all icmp transactions, this is a system
> specific issue and user issue.

Closing port 0 will do nothing related to icmp.

> for internet transactions because of icmp use
> being a "primitive" level initial contact for
> verifying status states for transactions.

You really don't know what ICMP is, do you?

Greetings,
Jens
Anonymous
May 20, 2004 7:53:42 PM

Jens Hoffmann wrote:

> Purl Gurl wrote:

(snipped)

Directing personal insults at me will not
prompt me to engage you in dialog. Quite
the opposite, I will ignore you.

I will encourage you to employ common courtesy
in your articles. Doing so will better foster
meaningful dialog.

Purl Gurl
Anonymous
May 20, 2004 7:54:34 PM

Purl Gurl wrote:

(lots snipped)

>
> Our system does respond to Port 0 and does send ICMP packets.
>
> Purl Gurl

What is your system? and do all ICMP rules apply to port 0 on this system?

--
May the ping be with you ....

Registered Linux user number: 355729
Anonymous
May 20, 2004 7:54:35 PM

Stalks wrote:

> Purl Gurl wrote:

(lots snipped)

> > Our system does respond to Port 0 and does send ICMP packets.

> What is your system? and do all ICMP rules apply to port 0 on this system?

Stalks, after reading so many articles on this, here and
on the internet, I do not have a clue. Everything "assumed"
has been tossed out my window, along with the wash and baby.

Actually I was more tempted to toss my girl out a window
when she became a teenager, but she is past that although
I remain a teenager, and she is now the mother.

Stalks, just briefly, we are fed a T1 broadband connection,
an Orion modem, Linksys programmable router, three machines
on our LAN, each a highly modified WIN32 system (Not NT)
with Apache, a dns server and an email server. Apache
is on one machine. DNS and Email on another, supporting
programs for my cgi applications, mostly databases, on
the final machine.

This week, I will be plugging in a Netscreen appliance and
linking it to SNORT. This will sit between our modem
and our router. That should really add some surprises!

Seems a fairly typical system. I am leaning towards the
Linksys router responding to port 0 requests. However,
a timestamp ICMP did make it through to our hack testing.
This suggests at least one of our machines responding
to a port 0 probe with an ICMP packet. Might be our
router stripped the port 0 reference allowing an ICMP
request to be a multicast non-port specific request.

However, one of our servers, either DNS or email, has
a port 0 security feature, don't remember which. I will
take a look later, although I think it is the DNS server.

On Linksys responding, I believe this is the origin of
the ICMP packet for a netmask. This makes sense because
our router is netmasked for a single ip address on
the T1 WAN system. Our internal LAN netmasking is
multiple addresses, and this did not show in probes.

To add confusion, each machine is netmasked for
a single ip address (255.255.255.0) which may
also be the port 0 ICMP response.

Hack probes for port 0 did yield ICMP packets.

Your guess is good as any, Stalks. I have been rendered
literally clueless on this.


> May the ping be with you ....

I told you to stop that!

Purl Gurl
Anonymous
May 20, 2004 7:54:36 PM

Purl Gurl wrote:

> Stalks wrote:
> > Purl Gurl wrote:

(lots snipped)

> > > Our system does respond to Port 0 and does send ICMP packets.

> > What is your system? and do all ICMP rules apply to port 0 on this system?

> an Orion modem

Just keyed in on that. I am going to backup a bit
and propose another concept.

Our WAN system, external to us, is an extremely large
system covering thousands of square miles. It is a
netmask type system using Cisco routers for nodes.

Additionally, actual physical routing to a specific
machine, out of millions, is done by MAC address
of a modem.

It is very possible our external port 0 probes were
actually receiving ICMP responses from any of thousands
of CISCO routers or any of hundreds of mainframes
along the way.

Could very well have been a gateway response!

There is no way, not a reasonable way, to track down
this port 0 ICMP response with so many external devices
in the system. This could be originating from Europe
where people drive on the wrong side of the road and
carry funny looking coins in their pockets.

* frowns *

Totally befuddled now. The PING is not with me.

Purl Gurl
Anonymous
May 20, 2004 8:06:26 PM

"Purl Gurl" <purlgurl@purlgurl.net> wrote in message ...

(snipped)

>
> Our system does respond to Port 0 and does send ICMP packets.
>

Just for fun I tested it on our XP systems, on a Linksys router
& on a CATALYST switch, they all answer with a TCP
RST packet :

mducharme@max ~
$ nmap -sS -P0 -p0 --packet_trace 10.1.1.2
WARNING: Scanning "port 0" is supported, but unusual.

Starting nmap 3.48 ( http://www.insecure.org/nmap ) at 2004-05-20 12:00 Eastern Daylight Time
SENT (4.6770s) TCP 10.1.1.1:59338 > 10.1.1.2:0 S ttl=43 id=64558 iplen=40 seq=1438141545 win=4096
RCVD (4.6870s) TCP 10.1.1.2:0 > 10.1.1.1:59338 RA ttl=64 id=15498 iplen=40 seq=0 win=0 ack=0
Interesting ports on 10.1.1.2:
PORT STATE SERVICE
0/tcp closed unknown

Nmap run completed -- 1 IP address (1 host up) scanned in 4.737 seconds
Only our linux servers which have a DROP configuration in iptables do not
answer.

Bye

Maxime Ducharme
Programmeur / Spécialiste en sécurité réseau
Anonymous
May 20, 2004 8:06:27 PM

Maxime Ducharme wrote:

> Purl Gurl wrote:

(snipped)

> > Our system does respond to Port 0 and does send ICMP packets.

> Just for fun I tested it on our XP systems, on a Linksys router
> & on a CATALYST switch, they all answer with a TCP
> RST packet :

> WARNING: Scanning "port 0" is supported, but unusual.

Unusual indeed! Maxime, have you tried external probes
to determine what responses are garnered?

Our probes originated from a server on the outside, not
even on our geographic WAN system.

Do you think there may be differences in response
between internal probes, such as you did, and
external probes?

First rule of good Scientific Method is to standardize
all controls. Inherently, this is not possible with
internet usage!


Purl Gurl
Anonymous
May 20, 2004 8:06:28 PM

Purl Gurl wrote:

> Maxime Ducharme wrote:
> > Purl Gurl wrote:

(snipped)

> > > Our system does respond to Port 0 and does send ICMP packets.

> > Just for fun I tested it on our XP systems, on a Linksys router
> > & on a CATALYST switch, they all answer with a TCP
> > RST packet :

> > WARNING: Scanning "port 0" is supported, but unusual.

> Do you think there may be differences in response
> between internal probes, such as you did, and
> external probes?

Another difference is our external probes were
deliberately crafted "hack" probes, not system
functions. This is another variable to consider.

Our extensive external testing employed very well
crafted hacks designed to fool our system in as
many ways as possible. Nearly five-thousand tests
in total. Stepping outside the expected, breaking
the rules, not obeying definitions, in other words
deliberately black hat hacking, might be the
true source of difference here.


Purl Gurl
Anonymous
May 20, 2004 8:46:25 PM

Hi,

Purl Gurl <purlgurl@purlgurl.net> wrote:
> A variety of research sources will provide a
> much better generalized notion, and clarity.

With engineering it's a lot simpler:

Read the definitions.

> You will note in my articles I make a distinction
> between port zero and icmp packets.

That was not apparent.

> You will also
> discover I indicate historical hacks for icmp data
> arrive through port 0 which is well documented.

No icmp data will ever arrive through port 0.

> Unfortunately, none of us are experts on each and
> every system type out there.

Yep. You seem to be a good programmer, but you are not
a network specialist.

> Readers will benefit by engaging in a detailed
> highly technical study of this, but expect to
> encounter some lack of clarity; there are many
> valid points of view on this.

Ehm. No. There aren't. There are, however, a lot of
people selling snake oil.

I once again suggest, that you read the definition
of the terms you are using.

If you don't trust my choice of authors, try some
source code for IP-stacks.

Greetings,
Jens
Anonymous
May 20, 2004 8:46:26 PM

Jens Hoffmann wrote:

> Purl Gurl wrote:

(snipped)

> > A variety of research sources will provide a
> > much better generalized notion, and clarity.

> With engineering it's a lot simpler:

Which is why many engineered buildings, bridges
and other structures, collapse.

Setting rules and definitions is beneficial.

However, I would invite you to compare RFC
http protocols to Microsoft Internet Explorer.
Once you have learned MSIE does not follow
any http protocols, then have a look at various
operating systems. You will learn rules are
dismissed, outright ignored, most often by
Microsoft who maintains their own rules.

I clearly state this in my previous articles.

We can make a rule you will stop at all stop signs.
Here in California, we do not stop, despite the law.

You have suggested reading definitions. I will suggest you
read my articles for comprehension. Your responses lead a
reader to believe I wrote something, which I did not. Your
responses also indicate you do not understand my writings
or are deliberately ignoring what I wrote.

Personally, I am annoyed by nit-pickers. Anyone can do this
and usually they are wrong and remain nit infested.

Nothing is standardized related to the internet and it
is my advice readers should seek out a lot of information
to become informed, rather than rely on stated rules,
which are rarely followed.

Be sure hackers do not follow the rules and exploits
come through in the most surprising ways.

Purl Gurl


Here are some results from a professional security survey.
All of these comments are associated with port 0 hacks and
in their documentation, port 0 is specifically listed.

These are three results out of nearly five-thousand tests
for security vulnerabilities.


ICMP PORT 0

The remote host answered to an ICMP_MASKREQ query and sent us
its netmask (255.255.255.0). An attacker can use this information
to understand how your network is set up and how the routing is done.
This may help him bypass your filters.

Solution: Reconfigure the remote host so that it does not answer
to those requests. Set up filters that deny ICMP packets of type 17.
Risk Factor: Low CVE:CAN-1999-0524


ICMP PORT 0

The remote host answers to an ICMP timestamp request. This allows
an attacker to know the date which is set on your machine. This may
help him to defeat all your time based authentication protocols.

Solution: Filter out the ICMP timestamp requests (13), and the
outgoing ICMP timestamp replies (14).
Risk Factor: Low CVE:CAN-1999-0524

TCP PORT 0

The remote host does not discard TCP SYN packets which have the
FIN flag set. Depending on the kind of firewall you are using,
an attacker may use this flaw to bypass its rules. See also:
http://archives.neohapsis.com/archives/bugtraq/2002-10/...
http://www.kb.cert.org/vuls/id/464113

Solution: Contact your vendor for a patch.
Risk Factor: Low BID:7487
Anonymous
May 20, 2004 9:31:12 PM

"Purl Gurl" <purlgurl@purlgurl.net> wrote in message

(snipped)

>
> Do you think there may be differences in response
> between internal probes, such as you did, and
> external probes?
>

Depends on the device's configuration.

The devices I tested were on both internal & external.

Have a nice day

Maxime
Anonymous
May 20, 2004 9:32:48 PM

Hi,

Maxime Ducharme <mducharme@cybergeneration.com> wrote:
> Hope this help again

Excellent, nitpicking and perfectly correct.

Greetings,
Jens
Anonymous
May 20, 2004 9:35:53 PM

"Purl Gurl" <purlgurl@purlgurl.net> wrote in message

(snipped)

>
> Another difference is our external probes were
> deliberately crafted "hack" probes, not system
> functions. This is another variable to consider.
>
> Our extensive external testing employed very well
> crafted hacks designed to fool our system in as
> many ways as possible. Nearly five-thousand tests
> in total. Stepping outside the expected, breaking
> the rules, not obeying definitions, in other words
> deliberately black hat hacking, might be the
> true source of difference here.
>
>
> Purl Gurl

this is cool but not very precise

Can you explain to us some of the "special" techniques used?

later

Maxime
Anonymous
May 20, 2004 9:35:54 PM

Maxime Ducharme wrote:

> Purl Gurl wrote:

(snipped)

> > Our extensive external testing employed very well
> > crafted hacks designed to fool our system in as
> > many ways as possible. Nearly five-thousand tests
> > in total. Stepping outside the expected, breaking
> > the rules, not obeying definitions, in other words
> > deliberately black hat hacking, might be the
> > true source of difference here.

> Can you explain to us some of the "special" techniques used?

What is the URL of the webserver you own and operate?


Purl Gurl
Anonymous
May 20, 2004 11:34:59 PM

reply is off-list, this thread is getting on another subject

Maxime Ducharme
Programmer / Network Security Specialist

"Purl Gurl" <purlgurl@purlgurl.net> wrote in message
news:40AD042E.41CED123@purlgurl.net...
> Maxime Ducharme wrote:
>
> > Purl Gurl wrote:
>
> (snipped)
>
> > > Our extensive external testing employed very well
> > > crafted hacks designed to fool our system in as
> > > many ways as possible. Nearly five-thousand tests
> > > in total. Stepping outside the expected, breaking
> > > the rules, not obeying definitions, in other words
> > > deliberately black hat hacking, might be the
> > > true source of difference here.
>
> > Can you explain to us some of the "special" techniques used?
>
> What is the URL of the webserver you own and operate?
>
>
> Purl Gurl
Anonymous
May 21, 2004 12:00:34 AM

> Readers will benefit by engaging in a detailed
> highly technical study of this, but expect to
> encounter some lack of clarity; there are many
> valid points of view on this.
>
>
> Purl Gurl

Yes. There are a variety of ways to look at this.

Let me list them :

1) The right way.

2) Your way.
Anonymous
May 21, 2004 12:13:20 AM

Purl Gurl <purlgurl@purlgurl.net> wrote in
news:40ACDAC8.E637435A@purlgurl.net:

> Stalks wrote:
>
>> Purl Gurl wrote:
>
> (lots snipped)
>
>> > Our system does respond to Port 0 and does send ICMP packets.
>
>> What is your system? and do all ICMP rules apply to port 0 on this
>> system?
>
> Stalks, after reading so many articles on this, here and
> on the internet, I do not have a clue. Everything "assumed"
> has been tossed out my window, along with the wash and baby.
>
> Actually I was more tempted to toss my girl out a window
> when she became a teenager, but she is past that although
> I remain a teenager, and she is now the mother.
>
> Stalks, just briefly, we are fed a T1 broadband connection,
> an Orion modem, Linksys programmable router, three machines
> on our LAN, each a highly modified WIN32 system (Not NT)
> with Apache, a DNS server and an email server. Apache
> is on one machine. DNS and Email on another, supporting
> programs for my cgi applications, mostly databases, on
> the final machine.
>
> This week, I will be plugging in a Netscreen appliance and
> linking it to SNORT. This will sit between our modem
> and our router. That should really add some surprises!
>
> Seems a fairly typical system. I am leaning towards the
> Linksys router responding to port 0 requests. However,
> a timestamp ICMP did make it through to our hack testing.
> This suggests at least one of our machines responding
> to a port 0 probe with an ICMP packet. Might be our
> router stripped the port 0 reference allowing an ICMP
> request to be a multicast non-port specific request.
>
> However, one of our servers, either DNS or email, has
> a port 0 security feature, don't remember which. I will
> take a look later, although I think it is the DNS server.
>
> On Linksys responding, I believe this is the origin of
> the ICMP packet for a netmask. This makes sense because
> our router is netmasked for a single ip address on
> the T1 WAN system. Our internal LAN netmasking is
> multiple addresses, and this did not show in probes.
>
> To add confusion, each machine is netmasked for
> a single ip address (255.255.255.0) which may
> also be the port 0 ICMP response.
>
> Hack probes for port 0 did yield ICMP packets.
>
> Your guess is good as any, Stalks. I have been rendered
> literally clueless on this.
>
>
>> May the ping be with you ....
>
> I told you to stop that!
>
> Purl Gurl

PurlGurl,

Is it your goal to troll the internet pulling statements out of your
ass?

I wish you'd get back to day trading... or running the casino. Whatever
you do.

Later
Anonymous
May 21, 2004 1:16:46 AM

To get a clear answer to Alan,
I'd say you may block "ping requests" safely,
but you should let other ICMP types & codes.

Maybe you may tell us with which software / device
you are trying to block it.

Hope this helps :) 

Maxime Ducharme
Programmer / Network Security Specialist

"Alan Illeman" <illemann@surfbest.net> wrote in message
news:10ant8ug3454eb8@news.supernews.com...
> Can I survive if I block all ICMP requests?
> Win2K Pro SP.4 single user
>
>
Anonymous
May 21, 2004 1:16:47 AM

Kerio 2.1.5 on a single user Win2K Pro workstation, SP.4

I had no idea my question, would create so much interest
and am grateful for the comment and links by you all.

"Maxime Ducharme" <mducharme@cybergeneration.com> wrote in message
news:2f9rc.2488$SQ2.1015@edtnps89...
>
> To get a clear answer to Alan,
> I'd say you may block "ping requests" safely,
> but you should let other ICMP types & codes.
>
> Maybe you may tell us with which software / device
> you are trying to block it.
>
> Hope this helps :) 
>
> Maxime Ducharme
> Programmer / Network Security Specialist
>
> "Alan Illeman" <illemann@surfbest.net> wrote in message
> news:10ant8ug3454eb8@news.supernews.com...
> > Can I survive if I block all ICMP requests?
> > Win2K Pro SP.4 single user
> >
> >
>
>
Anonymous
May 21, 2004 1:45:20 AM

Hi,

Purl Gurl <purlgurl@purlgurl.net> wrote:
>> WARNING: Scanning "port 0" is supported, but unusual.
>
> Unusual indeed!

This is information from nmap.

> Do you think there may be differences in response
> between internal probes, such as you did, and
> external probes?

Only if a network element in between modifies the packets
sent to the inquired system.

> Inherently, this is not possible with
> internet usage!

That is an alchemistic view on the network.

Greetings,
Jens
Anonymous
May 21, 2004 1:45:21 AM

Jens Hoffmann wrote:

> Purl Gurl wrote:

(Hoffmann snipped context - laboratory controls on the internet)

> > Inherently, this is not possible with
> > internet usage!

> That is an alchemistic view on the network.

Your local network is not the internet.

You cannot control transactions over the
internet. You cannot control remote servers,
you cannot control gateways, you cannot control
how many gateway hops a transaction makes nor
can you control what happens to transaction
data coming through internet gateways.

You can only hope all proceeds as expected,
with no data corruption.

A simple test of this is to reach out into the
internet then set all gateway speeds to 2 megabits
per second. Cannot be done.

Use of ipsec is a clear example of no control
of the internet. This is used to help prevent
your transactions from intercepted and read.

None of that is alchemy nor gold. All of that
is common knowledge.


Purl Gurl
Anonymous
May 21, 2004 1:52:24 AM

Hi,


Purl Gurl <purlgurl@purlgurl.net> wrote:
[A lot of meaningless technobabble].

> To add confusion, each machine is netmasked for
> a single ip address (255.255.255.0)

Wrong. A netmask for a /32 network (single host) is 255.255.255.255
255.255.255.0 is the netmask for a /24 network containing up to 254
useful addresses.


>which may
> also be the port 0 ICMP response.

I admit it, I am not a native speaker. I cannot make any sense of
this sentence.

>> May the ping be with you ....
>
> I told you to stop that!

Why? Your approach to networking is vague at best, kind of magically
interpreting phenomena.

Greetings,
Jens
May 21, 2004 1:59:45 AM

In article <10ant8ug3454eb8@news.supernews.com>, illemann@surfbest.net says...
> Can I survive if I block all ICMP requests?
> Win2K Pro SP.4 single user
>
>
>
Hi Allen,
For about a year I was in a quandary about how to set firewall rules for ICMP.
I read everything I could find; read newsgroup posts regarding ICMP.
My conclusion: There seems to be no consensus of how ICMP should be
treated.
These rules have worked very well for me:
1. Allow ICMP 0,3,8,11 incoming
2. Allow ICMP 3,8 Outgoing
3. Allow ICMP 0,8 incoming and outgoing to my ISP only.
(I understand your ISP may ping you to see if you are still
connected. You would want to respond so you will not be
disconnected)
4. Block ICMP all other types incoming and outgoing.

Port numbers range from 1 to 65535.
ICMP types range from 0 to at least 18 (and probably higher
but obsolete).
Casey
Anonymous
May 21, 2004 1:59:46 AM

"Casey" <casey@nosuch.net> wrote in message
news:MPG.1b16e5f15b8ecfb198972c@news.west.earthlink.net...
> In article <10ant8ug3454eb8@news.supernews.com>, illemann@surfbest.net
says...
> > Can I survive if I block all ICMP requests?
> > Win2K Pro SP.4 single user
> >
> >
> >
> Hi Allen,
> For about a year I was in a quandary about how to set firewall rules for ICMP.
> I read everything I could find; read newsgroup posts regarding ICMP.
> My conclusion: There seems to be no consensus of how ICMP should be
> treated.
> These rules have worked very well for me:
> 1. Allow ICMP 0,3,8,11 incoming
> 2. Allow ICMP 3,8 Outgoing
> 3. Allow ICMP 0,8 incoming and outgoing to my ISP only.
> (I understand your ISP may ping you to see if you are still
> connected. You would want to respond so you will not be
> disconnected)
> 4. Block ICMP all other types incoming and outgoing.
>
> Port numbers range from 1 to 65535.
> ICMP types range from 0 to at least 18 (and probably higher
> but obsolete).
> Casey
>

Thanks Casey, I've got lots to read and study.
Anonymous
May 21, 2004 2:03:23 AM

Hi,

Purl Gurl <purlgurl@purlgurl.net> wrote:
> Our WAN system, external to us, is an extremely large
> system covering thousands of square miles.

Aha.

>It is a
> netmask type system

What is a netmask type system?


>using Cisco routers for nodes.
>
> Additionally, actual physical routing to a specific
> machine, out of millions, is done by MAC address
> of a modem.

Nope. MAC addresses don't get transported across routers.

> It is very possible our external port 0 probes were
> actually receiving ICMP responses from any of thousands
> of CISCO routers or any of hundreds of mainframes
> along the way.

Ahh. Believe me or not, it is highly unlikely that you have
more than 60 active systems between any two systems connected via a network.

Can you think of a reason, why ordinary traceroute programs don't expect
more than 30 hops?

So, I suggest that you check the TTL on the ICMP packet which disturbs
you. Then you take a trace and simply count backwards from the target until
you find the culprit.

> There is no way, not a reasonable way, to track down
> this port 0 ICMP response with so many external devices
> in the system.

Wrong. See above.


> This could be originating from Europe
> where people drive on the wrong side of the road and
> carry funny looking coins in their pockets.

This is as exact as your knowledge about networks.
The british ride on the left hand side, the rest on the "usual".

> Totally befuddled now. The PING is not with me.

Read the excellent book on networking from Mr Tanenbaum.
Then deepen your knowledge on TCP/IP with the books from Mr Stevens on
this. Mr Cheswick has described, what Firewalls can and should do.
He looks into the magic of ICMP in great detail...

Have fun,
Jens
Anonymous
May 21, 2004 2:04:24 AM

Purl Gurl wrote:

>Jens Hoffmann wrote:
>
>> Port 0 and ICMP are not the same. really.
>
>Yes. There is much debate on this topic. One
>of my links provided, discusses this issue.

Congratulations. You really did a nice job of trolling this froup.
The fine folks in alt.troll, etc. should take lessons from you. My
hat's off to you. I bet you SE pretty good also. It was a much
better troll than Tracker, but the similarities are obvious. Just out
of morbid curiosity, did you pattern your troll after her, since she
seemed quite capable of "hook-line-and-sinker"ing so many people with
a single post? She could drag it on for days when she tried hard.
May we assume this is what you have planned for this froup?

Oh, that was a nice touch, calling me a troll and whining about
non-existent personal insults when I bluntly pointed out one of your
claims was wrong. You are very intelligent. I'll bet you even really
know there is no such thing as an ICMP port 0.
Anonymous
May 21, 2004 2:04:25 AM

Micheal Robert Zium wrote:

> Purl Gurl wrote:
> >Jens Hoffmann wrote:

(snipped)

> >> Port 0 and ICMP are not the same. really.

> >Yes. There is much debate on this topic. One
> >of my links provided, discusses this issue.

> You are very intelligent.

Yes, I am. Why I am intelligent is when I moved from being
a penniless ignorant rural Oklahoma farm girl, I made a
decision, at a young age, to dedicate myself to becoming
well educated and financially secure. I have attended
college, non-stop, since 1980. I have worked for decades
to become well educated. Have you?

Clearly you missed my link references to articles which
discuss this port zero / ICMP controversy and confusion.
You really should pay more attention, rather than investing
so much thought and effort into how to best harass me.


> I'll bet you even really know there is no such thing
> as an ICMP port 0.

I am still researching this. There is much controversy over
this. I have learned, from friendly people here, there is
a lot of confusion created by referring to an ICMP type
number as a port number. That makes sense.

Nonetheless, I do have in my well calloused hands, a report
from a security firm indicating ICMP responses from port 0
at our server. I am not sure what to make of this.

Internet research today yielded some articles indicating
ethernet to ethernet routing employs ICMP in a manner
which does not comply with what I have learned here.
This I discussed at length. Perhaps you did not fully
understand the implications of my article.

You will note in one of my articles today, I have been
performing a lot of hardware tests and noting results.
I do have a reputation for digging deep into any given
topic, to learn as much as possible. This is a direct
reflection of my strong desire to learn.

This desire is evidenced by my finding two Apache
bugs over the past year, very serious bugs still being
discussed on this very day. Rather odd, an entire
development community never found what I found.

I am not yet prepared to commit to this rule ICMP cannot
originate from port zero. Currently, my research is
split fifty-fifty on this. It would be foolish of
me to commit on this, in lieu of knowing for certain.

Do you expend time and effort into research and learning,
or do you spend most of your time looking for me?

What do you think about my idea of you boys starting a
new newsgroup named after me? I fashion this to be a
great idea. This would afford you boys a place to meet,
gossip and such, during those times I "vanish" to
guest lecture at my university.

Give this some thought. Lots of fun for you, my groupies!


Purl Gurl
Anonymous
May 21, 2004 2:17:38 AM

Casey wrote:
> In article <10ant8ug3454eb8@news.supernews.com>, illemann@surfbest.net says...
>
>>Can I survive if I block all ICMP requests?
>>Win2K Pro SP.4 single user
>>
>>
>>
>
> Hi Allen,
> For about a year I was in a quandary about how to set firewall rules for ICMP.
> I read everything I could find; read newsgroup posts regarding ICMP.
> My conclusion: There seems to be no consensus of how ICMP should be
> treated.
> These rules have worked very well for me:
> 1. Allow ICMP 0,3,8,11 incoming
> 2. Allow ICMP 3,8 Outgoing
> 3. Allow ICMP 0,8 incoming and outgoing to my ISP only.
> (I understand your ISP may ping you to see if you are still
> connected. You would want to respond so you will not be
> disconnected)
> 4. Block ICMP all other types incoming and outgoing.
>
> Port numbers range from 1 to 65535.
> ICMP types range from 0 to at least 18 (and probably higher
> but obsolete).
> Casey
>
Actually seeing as this is on-topic, I'd like to pose my own question in
relevance.

I have incoming ICMP blocked, unless it's related or previously
established. iptables using the 'state' module with ESTABLISHED,RELATED
state types.

Although, ICMP never actually makes a connection, does it? Similar to UDP
in the way it sends and forgets? I don't know, perhaps the ESTABLISHED
state rule isn't needed, but I remember reading somewhere about it.
Nevertheless, that and the RELATED rule allow ICMP incoming to
connections that already have a previous connection.

All outgoing ICMP is allowed. Would I be missing out on anything
critical with this particular set of firewall rules?

--
May the ping be with you ....

Registered Linux user number: 355729
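Added example, not from Stalks' post and not Netfilter's code: a small model of what the iptables `state` match does with ICMP, to show why `ESTABLISHED,RELATED` on the inbound side is enough for a host that allows all outbound traffic. ICMP has no connections, but the tracker treats an outbound echo request as creating an entry keyed by the two addresses and the echo identifier, so the matching echo reply is ESTABLISHED. ICMP errors (destination unreachable, time exceeded and the like) quote the header of the datagram that provoked them, so they are RELATED when that datagram belongs to a tracked TCP/UDP flow; this is what keeps traceroute and Path MTU discovery working. Unsolicited inbound ICMP matches neither and is dropped. The class names, the `Flow`/`Packet` fields and the sample addresses are this example's own assumptions.

```python
"""Added example (not from the post or from Netfilter): a model of how a
stateful filter admits ICMP replies and errors without ICMP "connections".

An outbound echo request creates a tracked entry keyed by addresses and echo
identifier, so the reply is ESTABLISHED. ICMP errors quote the header of the
datagram that provoked them, so they are RELATED when that datagram belongs
to a tracked flow. Other inbound ICMP is dropped. All flows are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

ECHO_REPLY, ECHO_REQUEST = 0, 8
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}   # error types that quote the offending datagram


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int      # for icmp: the echo identifier
    dst: str
    dport: int      # for icmp: always 0, there is no port

    def reverse(self) -> "Flow":
        if self.proto == "icmp":   # both directions share the echo identifier
            return Flow("icmp", self.dst, self.sport, self.src, self.dport)
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class Packet:
    direction: str                  # "out" (sent by this host) or "in"
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None
    icmp_code: int = 0
    icmp_id: int = 0
    quoted: Optional[Flow] = None   # ICMP errors: flow of the datagram they quote

    def flow(self) -> Flow:
        if self.proto == "icmp":
            return Flow("icmp", self.src, self.icmp_id, self.dst, 0)
        return Flow(self.proto, self.src, self.sport, self.dst, self.dport)


class StatefulFilter:
    """All outbound accepted; inbound only if ESTABLISHED or RELATED to tracked state."""

    def __init__(self) -> None:
        self.tracked = set()

    def handle(self, pkt: Packet) -> Tuple[str, str]:
        if pkt.direction == "out":
            # TCP/UDP and echo requests expect an answer; outbound replies/errors do not.
            if pkt.proto != "icmp" or pkt.icmp_type == ECHO_REQUEST:
                self.tracked.add(pkt.flow())
            return ("ACCEPT", "NEW")
        if pkt.proto == "icmp":
            if pkt.icmp_type == ECHO_REPLY and pkt.flow().reverse() in self.tracked:
                return ("ACCEPT", "ESTABLISHED")
            if pkt.icmp_type in ICMP_ERROR_TYPES and pkt.quoted in self.tracked:
                return ("ACCEPT", "RELATED")
            return ("DROP", "unsolicited icmp type %s" % pkt.icmp_type)
        if pkt.flow().reverse() in self.tracked:
            return ("ACCEPT", "ESTABLISHED")
        return ("DROP", "NEW inbound")


def demo() -> list:
    """Constructed exchange: ping out and back, a stray inbound ping, traceroute, PMTUD."""
    me, peer, router, stranger = "192.0.2.10", "198.51.100.1", "198.51.100.254", "203.0.113.7"
    udp_probe = Flow("udp", me, 40000, "203.0.113.9", 33434)
    tcp_flow = Flow("tcp", me, 51000, "203.0.113.80", 443)
    script = [
        Packet("out", "icmp", me, peer, icmp_type=ECHO_REQUEST, icmp_id=0x1234),
        Packet("in", "icmp", peer, me, icmp_type=ECHO_REPLY, icmp_id=0x1234),
        Packet("in", "icmp", stranger, me, icmp_type=ECHO_REQUEST, icmp_id=7),
        Packet("out", "udp", me, "203.0.113.9", sport=40000, dport=33434),
        Packet("in", "icmp", router, me, icmp_type=11, quoted=udp_probe),
        Packet("out", "tcp", me, "203.0.113.80", sport=51000, dport=443),
        Packet("in", "icmp", router, me, icmp_type=3, icmp_code=4, quoted=tcp_flow),
        Packet("in", "icmp", router, me, icmp_type=3, icmp_code=3,
               quoted=Flow("udp", me, 5555, "203.0.113.9", 53)),
        Packet("in", "icmp", stranger, me, icmp_type=13),
    ]
    fw = StatefulFilter()
    return [fw.handle(p) for p in script]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Run it as a script and each line is the verdict for one step of the constructed exchange: the echo reply to our own ping and the time-exceeded / fragmentation-needed errors tied to our own UDP and TCP traffic pass, while the stranger's ping, the timestamp request and an error quoting a flow we never opened are dropped.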
Anonymous
May 21, 2004 2:21:28 AM

Hi,

Purl Gurl <purlgurl@purlgurl.net> wrote:
> Another potential for port 0 ICMP packet returns.

Hmm.

> That clock cannot be synchronized to our LAN system
> because each machine reflects a different time, maybe
> milliseconds, maybe a few seconds, or more.

Is there a reason for this? If not, have a look at NTP.

> So, the router must be pulling time synch signals
> from our geographic WAN. Logically, those time
> signals would be an ICMP packet response.

No. Time in IP networks is transported with NTP (123 TCP and
UDP) these days. There are, however, older protocols used for this purpose.
Watchout for ports 13 (RFC 867), 37, 519, 525
all TCP and UDP.

> There is yet another source of ICMP response which
> "could" masquerade on port zero or a hack test
> for port zero might misrepresent the return as
> originating from port zero.

An ICMP packet does not stem from port 0.

> Anyone want to present an article which is a very
> authorative source ICMP packets cannot source
> from port zero?

ICMP has no ports.

What do you think about these tables:
http://www.iana.org/assignments/port-numbers
http://www.iana.org/assignments/icmp-parameters

Greetings,
Jens
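Added example, not from any poster in this thread: the point made above (ICMP has a type and a code but no port) and the scanner output quoted earlier (findings headed "ICMP PORT 0", one of them a netmask reply of 255.255.255.0) can both be checked by decoding the bytes. The Python below builds and parses ICMP messages per RFC 792 with an RFC 1071 checksum, decodes the address-mask and timestamp bodies (turning 255.255.255.0 into /24 with 254 usable addresses, and 255.255.255.255 into the /32 single host, as corrected earlier in the thread), and contrasts this with TCP/UDP, whose headers do begin with two port numbers. A "port" column next to an ICMP finding is therefore a field the protocol cannot fill. All packets are constructed inline and nothing is sent; names such as `build_icmp`, `parse_icmp` and `ports_of` are this example's own.

```python
"""Added example (not from the thread): decoding raw ICMP per RFC 792.

An ICMP message carries a type, a code and a checksum; there is no port
field. TCP and UDP headers, by contrast, begin with source and destination
ports. All bytes below are constructed for the example; nothing is sent.
"""
import ipaddress
import struct
from typing import Optional, Tuple

# ICMP types discussed in the thread (IANA icmp-parameters)
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY = 13, 14
ICMP_MASK_REQUEST, ICMP_MASK_REPLY = 17, 18
# IP protocol numbers
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, ident: int, seq: int, body: bytes = b"") -> bytes:
    """Serialise an ICMP message with a correct checksum."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = inet_checksum(header + body)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + body


def timestamp_body(originate: int, receive: int, transmit: int) -> bytes:
    """Body of types 13/14: three 32-bit timestamps, milliseconds since midnight UTC."""
    return struct.pack("!III", originate, receive, transmit)


def parse_icmp(packet: bytes) -> dict:
    """Decode an ICMP message. Note what is absent: no source or destination port."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    body = packet[8:]
    # Summing the whole message, checksum field included, gives 0 when intact.
    info = {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "checksum_ok": inet_checksum(packet) == 0}
    if icmp_type in (ICMP_MASK_REQUEST, ICMP_MASK_REPLY) and len(body) >= 4:
        mask = ipaddress.IPv4Address(body[:4])
        info["netmask"] = str(mask)
        try:
            net = ipaddress.IPv4Network("0.0.0.0/%s" % mask)
            info["prefixlen"] = net.prefixlen
            # /31 and /32 have no network/broadcast address to subtract
            info["usable_hosts"] = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
        except ValueError:          # non-contiguous bits: not a netmask at all
            info["prefixlen"] = None
    elif icmp_type in (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY) and len(body) >= 12:
        info["originate"], info["receive"], info["transmit"] = struct.unpack("!III", body[:12])
    return info


def ports_of(protocol: int, transport_header: bytes) -> Optional[Tuple[int, int]]:
    """(source port, destination port) for TCP/UDP; None for ICMP, which has none."""
    if protocol in (IPPROTO_TCP, IPPROTO_UDP):
        return struct.unpack("!HH", transport_header[:4])
    return None


# Constructed sample: minimal TCP SYN header, port 40000 -> 80
SAMPLE_TCP_HEADER = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
# Constructed sample: an address-mask reply (type 18) carrying the mask the scanner quoted
SAMPLE_MASK_REPLY = build_icmp(ICMP_MASK_REPLY, 0, 0, 0, bytes([255, 255, 255, 0]))

if __name__ == "__main__":
    print(parse_icmp(SAMPLE_MASK_REPLY))
    print(parse_icmp(build_icmp(ICMP_TIMESTAMP_REPLY, 0, 1, 1, timestamp_body(1000, 2000, 2000))))
    print(ports_of(IPPROTO_TCP, SAMPLE_TCP_HEADER), ports_of(IPPROTO_ICMP, SAMPLE_MASK_REPLY))
```

The parsed dictionary for the mask reply has a type, a code and a netmask but no port keys at all, which is the whole of the argument: a filter rule for ICMP selects on type and code, and a "port 0" label on an ICMP finding is a scanner's layout, not something on the wire.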
Anonymous
May 21, 2004 2:29:22 AM

Hi,

Purl Gurl <purlgurl@purlgurl.net> wrote:
>> That is an alchemistic view on the network.
>
> Your local network is not the internet.

Right.

> You cannot control transactions over the
> internet.

Wrong.

> You cannot control remote servers,

Wrong.

> you cannot control gateways,

Wrong.

> you cannot control
> how many gateway hops a transaction makes

Wrong.

> nor
> can you control what happens to transaction
> data coming through internet gateways.

Who do you think, controls internet gateways?

> A simple test of this is to reach out into the
> internet then set all gateway speeds to 2 megabits
> per second. Cannot be done.

;)  It can. You need to have some passwords, but that is not the point.


> Use of ipsec is a clear example of no control
> of the internet.

No, a result of the knowledge, that a public network is not
controlled by a single entity.

> None of that is alchemy nor gold. All of that
> is common knowledge.

Common, perhaps. But wrong.

Let's have a look at non-control of the route your packets take.

Look into the meaning of routing, routing protocols, OSPF (for
local nets...) or BGP (routing control on the internet).

Greetings,
Jens
Anonymous
May 21, 2004 2:29:23 AM

Jens Hoffmann wrote:

> Purl Gurl <purlgurl@purlgurl.net> wrote:

(snip)

>>You cannot control transactions over the
>>internet.
>
>
> Wrong.

(snip)

> Greetings,
> Jens

Why is it people feel the need to bluntly dismiss others' statements so
swiftly? I'm new to this group, but today it just seems to be borderline
flaming.

--
May the ping be with you ....

Registered Linux user number: 355729
Anonymous
May 21, 2004 2:29:24 AM

Stalks wrote:

> Jens Hoffmann wrote:
>
>> Purl Gurl <purlgurl@purlgurl.net> wrote:

(snip)

hahaha, I've only now realised how long this thread has dragged on for,
and how seriously off-topic the discussion has become :) 

--
May the ping be with you ....

Registered Linux user number: 355729
Anonymous
May 21, 2004 2:29:25 AM

I agree with Jens here,
this is getting ridiculous.

I tried to get things clearer, but now I'm off this thread.

Have a nice day everyone

Maxime Ducharme
Programmer / Network Security Specialist

"Stalks" <sorry@dont.want.spam.tv> wrote in message
news:oP8rc.15875692$Of.2645788@news.easynews.com...
> Stalks wrote:
>
> > Jens Hoffmann wrote:
> >
> >> Purl Gurl <purlgurl@purlgurl.net> wrote:
>
> (snip)
>
> hahaha, I've only now realised how long this thread has dragged on for,
> and how seriously off-topic the discussion has become :) 
>
> --
> May the ping be with you ....
>
> Registered Linux user number: 355729
Anonymous
May 21, 2004 2:52:39 AM

Hi,

Stalks <sorry@dont.want.spam.tv> wrote:
> Why is it people feel the need to bluntly dismiss others' statements so
> swiftly?

It is an easy statement to dismiss. He even mentions himself how you
control those transactions. If you want to control a transaction you use
a form of VPN, usually IPSEC or similar technology.

The more statements from this guy I read, the more he demonstrates
that he is not willing to nitpick, e.g. using logic, mathematics, computer
science or even simple network engineering is not what he wants to do.
Solving networking issues with philosophical methods is possible, but is
damn hard.

> I'm new to this group, but today it just seems to be borderline
> flaming.

I may be blunt, but you haven't seen me writing flames, yet.

Greetings,
Jens
Anonymous
May 21, 2004 2:52:40 AM

Jens Hoffmann wrote:

> Stalks wrote:

(snipped to gender)

> He even mentions himself
> this guy
> he demonstrates
> that he
> he wants

Have a close look at my internet moniker or
perhaps have a look at some of my nude pictures.
I have a hunch you will learn something.


> but you haven't seen me writing flames, yet.

I have never considered writing flame articles
to be a source of pride. My preference is to
discuss, have fun, maybe have a few laughs.

A firm but fair attitude in a friendly manner,
works well for me.

A positive friendly, even forgiving attitude,
lends well to a cooperative enjoyable newsgroup.


Purl Gurl
Anonymous
May 21, 2004 4:18:45 AM

----- Original Message -----
From: "Stalks" <sorry@dont.want.spam.tv>
Newsgroups: comp.security.firewalls
Sent: Thursday, May 20, 2004 4:40 PM
Subject: Re: Survive without ICMP?


> Why is it people feel the need to bluntly dismiss others' statements so
> swiftly? I'm new to this group, but today it just seems to be borderline
> flaming.

It's not a need to dismiss other statements, it's an obligation to point out
that the information posted is 100% misleading and incorrect and will not
help these people searching for an answer to their questions.

While I agree some of the replies have been close to harsh, there is a
language barrier to take into account which often times accounts for the
confusion and appearance that people are being blunt.

As a network engineer I feel it's my obligation (had Jens not already so
eloquently done so) to dispute the validity of the posts of some of the persons
posting in this thread, due to the obvious complete lack of understanding of the
topic and the tendency to turn what we do into "black magic," which it is
not.

These rules are black and white, like Jens said, for Engineers its simple.
We read the instructions.

Somnambulist
Anonymous
May 21, 2004 4:18:46 AM

Vogulus wrote:

(snipped)

Relax boy, you are about to blow a fifty amp fuse.


Purl Gurl
Anonymous
May 21, 2004 6:37:15 AM

Vogulus wrote:

> a flame ....

Yup, that was meaningless.

<PLONK>
--
May the ping be with you ....

Registered Linux user number: 355729