Ok to let all ICMP traffic through firewall?

Franklin

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls,uk.telecom.broadband

My question is Should a firewall let all ICMP traffic through because
there is no real risk if they do?

+++++

Here is the thinking behind my question: Robin Walker's cable modem
webpages at
<http://homepage.ntlworld.com/robin.d.h.walker/cmtips/index.html>
look to me as if they are technically sound. But they are a few
years old. I would like to know what people think about the advice
he gives about ICMP traffic and if it is still true these days.

He suggests that firewalls should let all ICMP traffic through and
that there is no real risk if they do that. At
http://snipurl.com/hvox he writes the following section. I have cut
it down a bit.


------------------- START QUOTE -----------------

STEALTH-MODE FIREWALLS CONSIDERED HARMFUL

Some firewalls have a hiding mechanism they call stealth. ... In
stealth mode, the firewall causes the PC just to ignore incoming
connection attempts, rather than rejecting them, as would be normal
for incoming connection attempts to closed ports.

.... causes some difficulties. For a start, Internet standard RFC 1122
states categorically about ICMP Echoes (ping):

"3.2.2.6 Echo Request/Reply: RFC-792. Every
host MUST implement an ICMP Echo server function
that receives Echo Requests and sends
corresponding Echo Replies."

So you are strongly advised not to apply stealth techniques to the
ICMP protocol.

A commonly heard objection to allowing ICMP Echo Replies is that it
gives away information to hackers that there is a live connection on
this IP address. Such objections are not well-founded, and can be
safely ignored.

There is no evidence in practice that any hacker has been aided by
the presence of an ICMP Echo Reply.

Hackers do not typically write code that tests an address with ICMP
Echo before launching a hostile probe: they always send the hostile
probe directly: either it works or it doesn't, and information from
ICMP adds nothing to the analysis.

------------------- END QUOTE -----------------

So Should a firewall let all ICMP traffic through? Is it ok to do
that?
 
Guest

In article <96D9EC61DFA1E71F3M4@66.250.146.159>, no_thanks@mail.com
says...
> My question is Should a firewall let all ICMP traffic through because
> there is no real risk if they do?

The common sense rule is to LET NOTHING IN that doesn't have a good
reason to be let in.

Why do you want to take a minimal risk if you don't have to?

--

spam999free@rrohio.com
remove 999 in order to email me
 

peter

Franklin <no_thanks@mail.com> wrote:
> My question is Should a firewall let all ICMP traffic through
> because there is no real risk if they do?

No, because some ICMP messages aren't useful. However blocking all
ICMP is throwing the baby out with the bathwater and will cause more
bother than not blocking anything.

I would suggest allowing ICMP Echo and Echo Reply (so ping works),
Destination Unreachable (which includes "fragmentation required",
essential for PMTUD to work) and Time Exceeded (so traceroute works.)
Everything else looks to be fair game to drop.

While I'm suggesting firewall rules, can people also not silently drop
SYNs to port 113 please? All sorts of servers try RFC1413 lookups and
stall while waiting for a response. The firewall user is usually the
first to complain that it's taking ages to connect to a certain remote
server.

--
PGP key ID E85DC776 - finger abuse@mooli.org.uk for full key
/:.*posting.google.com.*/HX-Trace:+j
 

imhotep

Franklin wrote:

> My question is Should a firewall let all ICMP traffic through because
> there is no real risk if they do?
>
> +++++
>
> Here is the thinking behind my question: Robin Walker's cable modem
> webpages at
> <http://homepage.ntlworld.com/robin.d.h.walker/cmtips/index.html>
> look to me as if they are technically sound. But they are a few
> years old. I would like to know what people think about the advice
> he gives about ICMP traffic and if it is still true these days.
>
> He suggests that firewalls should let all ICMP traffic through and
> that there is no real risk if they do that. At
> http://snipurl.com/hvox he writes the following section. I have cut
> it down a bit.
>
>
> ------------------- START QUOTE -----------------
>
> STEALTH-MODE FIREWALLS CONSIDERED HARMFUL
>
> Some firewalls have a hiding mechanism they call stealth. ... In
> stealth mode, the firewall causes the PC just to ignore incoming
> connection attempts, rather than rejecting them, as would be normal
> for incoming connection attempts to closed ports.
>
> ... causes some difficulties. For a start, Internet standard RFC 1122
> states categorically about ICMP Echoes (ping):
>
> "3.2.2.6 Echo Request/Reply: RFC-792. Every
> host MUST implement an ICMP Echo server function
> that receives Echo Requests and sends
> corresponding Echo Replies."
>
> So you are strongly advised not to apply stealth techniques to the
> ICMP protocol.
>
> A commonly heard objection to allowing ICMP Echo Replies is that it
> gives away information to hackers that there is a live connection on
> this IP address. Such objections are not well-founded, and can be
> safely ignored.
>
> There is no evidence in practice that any hacker has been aided by
> the presence of an ICMP Echo Reply.
>
> Hackers do not typically write code that tests an address with ICMP
> Echo before launching a hostile probe: they always send the hostile
> probe directly: either it works or it doesn't, and information from
> ICMP adds nothing to the analysis.
>
> ------------------- END QUOTE -----------------
>
> So Should a firewall let all ICMP traffic through? Is it ok to do
> that?

Some ICMPs are needed for proper TCP/UDP/IP functionality. I typically allow
icmp source quench and destination not reachables through and block
everything else (incoming)....

Imhotep
 
Guest

On Thu, 22 Sep 2005 22:19:07 UTC, Leythos <void@nowhere.lan> wrote:

> In article <96D9EC61DFA1E71F3M4@66.250.146.159>, no_thanks@mail.com
> says...
> > My question is Should a firewall let all ICMP traffic through because
> > there is no real risk if they do?
>
> The common sense rule is to LET NOTHING IN that doesn't have a good
> reason to be let in.

In practice, you need to let a few ICMP messages through, then. For
example, source quench and destination unreachable.

--
[ 7'ism - a condition by which the sufferer experiences an inability
to give concise answers, express reasoned argument or opinion.
Usually accompanied by silly noises and gestures - incurable, early
euthanasia recommended. ]
 
Guest

In article <433331d9$0$32652$da0feed9@news.zen.co.uk>,
Peter <abuse@dopiaza.cabal.org.uk> wrote:
:However blocking all
:ICMP is throwing the baby out with the bathwater and will cause more
:bother than not blocking anything.

"more bother" depends on whether you are being deliberately attacked
or not.


:I would suggest allowing ICMP Echo and Echo Reply (so ping works),

Typically, outsiders have no business mapping out exactly which
of your systems exist or are up right now, so dropping most incoming icmp
echo is a common security precaution. Whether to allow icmp echo
to public-facing servers varies with circumstance.

 
Guest

In article <176uZD2KcidF-pn2-dTdiDpVF9eQ2@rikki.tavi.co.uk>,
Bob Eager <rde42@spamcop.net> wrote:
:In practice, you need to let a few ICMP messages through, then. For
:example, source quench and destination unreachable.

In practice, crackers will send you unsolicited source quenches,
either as a side effect of them DoS'ing the host with forged packets,
or else with the hope of DoS'ing you by interfering with your flow
of traffic to other locations.

In practice, you don't need to listen to source quench. If you
are sending data too quickly for a router, the router will drop
some of the traffic. If the traffic was TCP then the normal TCP
recovery mechanisms will kick in and will act to slow down your
rate of transmission. If the traffic was UDP or anything other
"unreliable" protocol, then by definition the transmissions are
expected to be unreliable so dropping the traffic should not be
important. [If it -was- important, then you shouldn't be using an
unreliable transmission protocol.]
--
Goedel's Mail Filter Incompleteness Theorem:
In any sufficiently expressive language, with any fixed set of
email filtering algorithms, there exists at least one spam message
which the algorithms are unable to filter out.
 
Guest

In article <176uZD2KcidF-pn2-dTdiDpVF9eQ2@rikki.tavi.co.uk>, rde42
@spamcop.net says...
> On Thu, 22 Sep 2005 22:19:07 UTC, Leythos <void@nowhere.lan> wrote:
>
> > In article <96D9EC61DFA1E71F3M4@66.250.146.159>, no_thanks@mail.com
> > says...
> > > My question is Should a firewall let all ICMP traffic through because
> > > there is no real risk if they do?
> >
> > The common sense rule is to LET NOTHING IN that doesn't have a good
> > reason to be let in.
>
> In practice, you need to let a few ICMP messages through, then. For
> example, source quench and destination unreachable.

Wrong, you don't NEED to allow anything. You may FEEL that you do, but
we've got almost 100 networks that don't allow ICMP or anything else
inbound and they work just fine, and we'll not change them.

--

spam999free@rrohio.com
remove 999 in order to email me
 
Guest

In article <433331d9$0$32652$da0feed9@news.zen.co.uk>,
abuse@dopiaza.cabal.org.uk says...
> Franklin <no_thanks@mail.com> wrote:
> > My question is Should a firewall let all ICMP traffic through
> > because there is no real risk if they do?
>
> No, because some ICMP messages aren't useful. However blocking all
> ICMP is throwing the baby out with the bathwater and will cause more
> bother than not blocking anything.
>
> I would suggest allowing ICMP Echo and Echo Reply (so ping works),
> Destination Unreachable (which includes "fragmentation required",
> essential for PMTUD to work) and Time Exceeded (so traceroute works.)
> Everything else looks to be fair game to drop.
>
> While I'm suggesting firewall rules, can people also not silently drop
> SYNs to port 113 please? All sorts of servers try RFC1413 lookups and
> stall while waiting for a response. The firewall user is usually the
> first to complain that it's taking ages to connect to a certain remote
> server.

There is NO BOTHER - you set the rules and then let them work. You don't
need to allow PING, in fact why the heck would you want to allow PING,
it's not like it's a valid test that your network is alive - we've got
tons of commercial networks that block PING and none of the users even
notice.

Allowing anything inbound, even to the firewall, that doesn't
specifically need to be let in is a bad move.

Allowing in minimal traffic that "might" not be a threat is like
trusting Windows Firewall with File/Printer sharing enabled on a
computer directly connected to the Internet with all of your financial
data stored on it in a text file that is named "ALL MY FINANCIAL
DATA.TXT" sitting in the root.

--

spam999free@rrohio.com
remove 999 in order to email me
 

imhotep

Leythos wrote:

> In article <433331d9$0$32652$da0feed9@news.zen.co.uk>,
> abuse@dopiaza.cabal.org.uk says...
>> Franklin <no_thanks@mail.com> wrote:
>> > My question is Should a firewall let all ICMP traffic through
>> > because there is no real risk if they do?
>>
>> No, because some ICMP messages aren't useful. However blocking all
>> ICMP is throwing the baby out with the bathwater and will cause more
>> bother than not blocking anything.
>>
>> I would suggest allowing ICMP Echo and Echo Reply (so ping works),
>> Destination Unreachable (which includes "fragmentation required",
>> essential for PMTUD to work) and Time Exceeded (so traceroute works.)
>> Everything else looks to be fair game to drop.
>>
>> While I'm suggesting firewall rules, can people also not silently drop
>> SYNs to port 113 please? All sorts of servers try RFC1413 lookups and
>> stall while waiting for a response. The firewall user is usually the
>> first to complain that it's taking ages to connect to a certain remote
>> server.
>
> There is NO BOTHER - you set the rules and then let them work. You don't
> need to allow PING, in fact why the heck would you want to allow PING,
> it's not like it's a valid test that your network is alive - we've got
> tons of commercial networks that block PING and none of the users even
> notice.
>
> Allowing anything inbound, even to the firewall, that doesn't
> specifically need to be let in is a bad move.
>
> Allowing in minimal traffic that "might" not be a threat is like
> trusting Windows Firewall with File/Printer sharing enabled on a
> computer directly connected to the Internet with all of your financial
> data stored on it in a text file that is named "ALL MY FINANCIAL
> DATA.TXT" sitting in the root.
>

LOL...

Imhotep
 
Guest

"Leythos" <void@nowhere.lan> wrote in message
news:MPG.1d9d059680e4dd98a0fd@news-server.columbus.rr.com...
> In article <433331d9$0$32652$da0feed9@news.zen.co.uk>,
> abuse@dopiaza.cabal.org.uk says...
> > Franklin <no_thanks@mail.com> wrote:
> > > My question is Should a firewall let all ICMP traffic through
> > > because there is no real risk if they do?

<snip>

> You don't
> need to allow PING, in fact why the heck would you want to allow PING,
> it's not like it's a valid test that your network is alive - we've got
> tons of commercial networks that block PING and none of the users even
> notice.

Undoubtedly the case. Although one could quote lots of instances where it's
been damned useful.

Well, *I* certainly can - usually when the web server has had a bit of a
funny turn, and one needs to tell if it's the server behind the firewall
(fat chance of fixing something from an adjacent continent), or whether it's
the ISP playing silly buggers with the connection (marginally more hope of
getting something sorted).

As goes firewalls - I'm sure that most have already seen it, but:
http://www.dilbert.com/comics/dilbert/archive/images/dilbert2813960050912.gif

--

Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!
 
Guest

In article <KpHYe.4417$_56.2350@newsfe1-win.ntli.net>, abuse@[127.0.0.1]
says...
> "Leythos" <void@nowhere.lan> wrote in message
> news:MPG.1d9d059680e4dd98a0fd@news-server.columbus.rr.com...
> > In article <433331d9$0$32652$da0feed9@news.zen.co.uk>,
> > abuse@dopiaza.cabal.org.uk says...
> > > Franklin <no_thanks@mail.com> wrote:
> > > > My question is Should a firewall let all ICMP traffic through
> > > > because there is no real risk if they do?
>
> <snip>
>
> > You don't
> > need to allow PING, in fact why the heck would you want to allow PING,
> > it's not like it's a valid test that your network is alive - we've got
> > tons of commercial networks that block PING and none of the users even
> > notice.
>
> Undoubtedly the case. Although one could quote lots of instances where it's
> been damned useful.
>
> Well, *I* certainly can - usually when the web server has had a bit of a
> funny turn, and one needs to tell if it's the server behind the firewall
> (fat chance of fixing something from an adjacent continent), or whether it's
> the ISP playing silly buggers with the connection (marginally more hope of
> getting something sorted).
>
> As goes firewalls - I'm sure that most have already seen it, but:
> http://www.dilbert.com/comics/dilbert/archive/images/dilbert2813960050912.gif

Funny, I don't expose our servers to Ping, and I seem to be able to
monitor them all the time. If I need to expose PING to an external
source I expose it to a specific IP and block all others.

If I have to manage a server, I only allow VPN access inbound to the
firewall it self and use a different password/user than I use for the
server.

Ping is only good when you don't know what else is available and how to
secure it from the public. There is no reason to allow open access to
ICMP or anything else that doesn't have a specific business need (like
HTTP/SSL/FTP/etc...).

--

spam999free@rrohio.com
remove 999 in order to email me
 
Guest

On Thu, 22 Sep 2005 23:13:55 UTC, Leythos <void@nowhere.lan> wrote:

> > In practice, you need to let a few ICMP messages through, then. For
> > example, source quench and destination unreachable.
>
> Wrong, you don't NEED to allow anything. You may FEEL that you do, but
> we've got almost 100 networks that don't allow ICMP or anything else
> inbound and they work just fine, and we'll not change them.

You're wrong. But that's fine. You just carry on.

--
[ 7'ism - a condition by which the sufferer experiences an inability
to give concise answers, express reasoned argument or opinion.
Usually accompanied by silly noises and gestures - incurable, early
euthanasia recommended. ]
 
Guest

In article <176uZD2KcidF-pn2-yKJP7XquDBiB@rikki.tavi.co.uk>, rde42
@spamcop.net says...
> On Thu, 22 Sep 2005 23:13:55 UTC, Leythos <void@nowhere.lan> wrote:
>
> > > In practice, you need to let a few ICMP messages through, then. For
> > > example, source quench and destination unreachable.
> >
> > Wrong, you don't NEED to allow anything. You may FEEL that you do, but
> > we've got almost 100 networks that don't allow ICMP or anything else
> > inbound and they work just fine, and we'll not change them.
>
> You're wrong. But that's fine. You just carry on.

Then, when we're running along for the last few years, blocking all ICMP
inbound and at the firewall, what are we denying ourselves?

It seems that our networks work, that we can VPN into the office just
fine, etc...

It seems that all of our dedicated IPSec tunnels to partners work fine,
it seems that our systems with web servers, OWA services, etc.. all work
just fine.....

--

spam999free@rrohio.com
remove 999 in order to email me
 

mark

<jameshanley39@yahoo.co.uk> wrote in message
news:1127439270.085843.66150@z14g2000cwz.googlegroups.com...
> and they'd still work fine if you allowed ICMPs. If allowing ICMPs
> were dangerous then alarms would've been sent off long ago. ICMP has
> been around for ages, there are no new developments to the ICMP
> protocol. People that know all about how it works also know of no
> alarms saying it can be attacked. People that know ICMP presumably
> allow it because they know it's as dangerous as moving an icon slightly
> (which might be very scary for a middle aged woman). (though against
> me, perhaps an OS may rewrite the part that responds to ICMP and there
> might be an exploit in their code, but similarly there may be an
> exploit in their code that is rejecting ICMP)
>
> As that article argued, besides breaking RFCs and breaking the
> protocols,
>
> Besides all those arguments in the article and the technical problems
> with not responding to ICMP (just because your setup doesn't include
> situations where you'll run into the problems, does not mean the
> problems do not exist).
>
> Suppose you want to know if a computer is online. A safe way is to ping
> it. you don't want to set up a service running on the computer and
> connect to it. ping tests that other comps can communicate with the
> comp. it's a necessary diagnostic test. What's the alternative?
> user makes an outgoing connection? suppose he can't for some reason.
> you want to know if he is online
>
> ping is a very convenient diagnostic tool.
>

Yes it is, ever heard of PING NMAP?

Google it and security and firewalls.
 
Guest

Franklin wrote:

> My question is Should a firewall let all ICMP traffic through because
> there is no real risk if they do?
> [...]
> ------------------- START QUOTE -----------------
>
> STEALTH-MODE FIREWALLS CONSIDERED HARMFUL
> [...]
> So Should a firewall let all ICMP traffic through?

No.

> Is it ok to do that?

No. While the example you quoted from the web page is still correct and
there is nothing wrong with echo request and echo reply and the various
destination unreachable messages, there are other ICMP messages that should
be filtered.

http://seclists.org/lists/bugtraq/2005/May/0122.html

Wolfgang
 

imhotep

Leythos wrote:

> In article <176uZD2KcidF-pn2-yKJP7XquDBiB@rikki.tavi.co.uk>, rde42
> @spamcop.net says...
>> On Thu, 22 Sep 2005 23:13:55 UTC, Leythos <void@nowhere.lan> wrote:
>>
>> > > In practice, you need to let a few ICMP messages through, then. For
>> > > example, source quench and destination unreachable.
>> >
>> > Wrong, you don't NEED to allow anything. You may FEEL that you do, but
>> > we've got almost 100 networks that don't allow ICMP or anything else
>> > inbound and they work just fine, and we'll not change them.
>>
>> You're wrong. But that's fine. You just carry on.
>
> Then, when we're running along for the last few years, blocking all ICMP
> inbound and at the firewall, what are we denying ourselves?
>
> It seems that our networks work, that we can VPN into the office just
> fine, etc...
>
> It seems that all of our dedicated IPSec tunnels to partners work fine,
> it seems that our systems with web servers, OWA services, etc.. all work
> just fine.....
>

Honestly, you CAN block all ICMP types, however, it is not optimal. Some
ICMPS are in fact needed for normal TCP/UDP/IP operations (well, efficient
anyway)....ie without flow control, it will appear that things are
"hanging" equating to those nasty users saying the "network is slow"...when
in fact the host has not been informed to slow itself down and as such will
keep on sending packets (which are only being dropped and retransmitted yet
all over again)


Summary: In my opinion, allow a few ICMPS (source quench, and the misc
unreachables) and deny everything else (incoming)....

Just my opinion though,
Imhotep
 
Guest

In comp.security.firewalls Mark <nothere@notthere.com> wrote:
>
>
> Yes it is, ever heard of PING NMAP?
>
> Google it and security and firewalls.
>

or PING of Death?

--
Consultants are mystical people who ask a company for a number and then
give it back to them.

MSN/Mail: pboosten at hotmail dot com
 
Guest

Peter wrote:
> Franklin <no_thanks@mail.com> wrote:
>
>>My question is Should a firewall let all ICMP traffic through
>>because there is no real risk if they do?
>
>
> No, because some ICMP messages aren't useful. However blocking all
> ICMP is throwing the baby out with the bathwater and will cause more
> bother than not blocking anything.
>
> I would suggest allowing ICMP Echo and Echo Reply (so ping works),
> Destination Unreachable (which includes "fragmentation required",
> essential for PMTUD to work) and Time Exceeded (so traceroute works.)
> Everything else looks to be fair game to drop.

But a decent firewall will be stateful - so eg outbound ping will enable
the reply to be received. No-one 'out there' has any business pinging
me so they don't get to do it.

I am well aware it's against the rules, but I block all unsolicited
inbound icmp - never noticed any problems. I'm afraid the rfc's were
drawn up in a less dangerous internet age :-(

>
> While I'm suggesting firewall rules, can people also not silently drop
> SYNs to port 113 please? All sorts of servers try RFC1413 lookups and
> stall while waiting for a response. The firewall user is usually the
> first to complain that it's taking ages to connect to a certain remote
> server.
>
Agreed. A real pain for some smtp servers in particular. My firewall
just sends a reset.

--
Please use the corrected version of the address below for replies.
Replies to the header address will be junked, as will mail from
various domains listed at www.scottsonline.org.uk
Mike Scott Harlow Essex England.(unet -a-t- scottsonline.org.uk)
 
Guest

In article <1127439270.085843.66150@z14g2000cwz.googlegroups.com>,
jameshanley39@yahoo.co.uk says...
> Leythos wrote:
> > In article <176uZD2KcidF-pn2-yKJP7XquDBiB@rikki.tavi.co.uk>, rde42
> > @spamcop.net says...
> > > On Thu, 22 Sep 2005 23:13:55 UTC, Leythos <void@nowhere.lan> wrote:
> > >
> > > > > In practice, you need to let a few ICMP messages through, then. For
> > > > > example, source quench and destination unreachable.
> > > >
> > > > Wrong, you don't NEED to allow anything. You may FEEL that you do, but
> > > > we've got almost 100 networks that don't allow ICMP or anything else
> > > > inbound and they work just fine, and we'll not change them.
> > >
> > > You're wrong. But that's fine. You just carry on.
> >
> > Then, when we're running along for the last few years, blocking all ICMP
> > inbound and at the firewall, what are we denying ourselves?
> >
> > It seems that our networks work, that we can VPN into the office just
> > fine, etc...
> >
> > It seems that all of our dedicated IPSec tunnels to partners work fine,
> > it seems that our systems with web servers, OWA services, etc.. all work
> > just fine.....
> >
> > --
>
> and they'd still work fine if you allowed ICMPs. If allowing ICMPs
> were dangerous then alarms would've been sent off long ago. ICMP has
> been around for ages, there are no new developments to the ICMP
> protocol. People that know all about how it works also know of no
> alarms saying it can be attacked.
[snip]

So, you're saying that it doesn't break any functionality that we use to
block it, so we should allow it because the designers of it are almost
positive that there is no exploit for it, but, since it's not going to
hurt anything that even though I don't need it, I should allow it, even
though I don't need it......

If I don't need it I don't allow it - it's a very simple matter of
security - never expose anything that you don't need to expose.

--

spam999free@rrohio.com
remove 999 in order to email me
 

Mike

On 22 Sep 2005 22:36:09 GMT, abuse@dopiaza.cabal.org.uk (Peter) wrote:

>I would suggest allowing ICMP Echo and Echo Reply (so ping works),


Be sure to deny Echo Request that is sent to the broadcast address for
your subnet (.255 and .0 for /24 subnets). If a malicious person
sends several hundred of those per second, you'll wind up with a lot
of ICMP traffic on your subnet as each host tries to send back the
reply.
 
Guest

In comp.security.firewalls Franklin <no_thanks@mail.com> wrote:
> My question is Should a firewall let all ICMP traffic through because
> there is no real risk if they do?

It does not need to let _all_ ICMP traffic through. But it would be a
good idea not to deny every ICMP traffic.

It is a good idea to allow at least ICMP messages of the
types 0, 3, 4, 8, 11, 12, see RFC 792.

F'up2 comp.security.firewalls.

Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"
 
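The advice in this thread combined into one inbound ICMP policy, as an added Python example that is not code from any poster: Peter's type allow-list (and Volker Birk's longer one with types 0, 3, 4, 8, 11, 12), Mike Scott's point that a stateful firewall admits only replies to pings it sent, Mike's warning about echo requests aimed at the subnet broadcast address, and Leythos's practice of exposing ping only to specific IPs. A real firewall expresses this as iptables/nftables rules; this stand-in also parses and checksums the ICMP header so the decisions can be exercised on constructed packets (all addresses are documentation-range values, chosen here).

```python
import ipaddress
import struct

# ICMP type numbers from RFC 792.
ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH = 0, 3, 4
ECHO_REQUEST, TIME_EXCEEDED, PARAM_PROBLEM = 8, 11, 12

# Peter's allow-list: echo both ways, destination unreachable (its code 4,
# "fragmentation needed", is what PMTUD relies on) and time exceeded.
PETER_ALLOW = frozenset({ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED})
# Volker Birk's list (types 0, 3, 4, 8, 11, 12) adds source quench and parameter problem.
VOLKER_ALLOW = PETER_ALLOW | {SOURCE_QUENCH, PARAM_PROBLEM}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; yields 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(src: str, dst: str, icmp_type: int, code: int = 0,
                 ident: int = 0, seq: int = 0, payload: bytes = b"") -> bytes:
    """Constructed IPv4 datagram carrying one ICMP message (no IP options)."""
    body = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq) + payload
    body = body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, 1, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return ip_hdr + body


def parse_packet(pkt: bytes):
    """Return (src, dst, type, code, ident, seq), or None unless pkt is a
    well-formed IPv4 ICMP datagram whose ICMP checksum verifies."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        return None
    body = bytes(pkt[(pkt[0] & 0x0F) * 4:])
    if len(body) < 8 or icmp_checksum(body) != 0:
        return None
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", body[:8])
    return (str(ipaddress.IPv4Address(bytes(pkt[12:16]))),
            str(ipaddress.IPv4Address(bytes(pkt[16:20]))), icmp_type, code, ident, seq)


class IcmpFilter:
    """Inbound ICMP policy for one local subnet: allow-list by type, drop of echo
    requests aimed at the subnet's broadcast or network address, an optional list
    of hosts cleared to ping, and echo replies accepted only for our own requests."""

    def __init__(self, local_net: str, allowed_types=PETER_ALLOW, ping_from=None):
        self.net = ipaddress.IPv4Network(local_net)
        self.allowed_types = set(allowed_types)
        # None means anyone may ping; a list restricts echo requests to those sources.
        self.ping_from = None if ping_from is None else {ipaddress.IPv4Address(a) for a in ping_from}
        self.pending = set()  # (peer, ident, seq) of echo requests sent outbound

    def outbound(self, pkt: bytes) -> bool:
        """Outbound ICMP passes; remember our own echo requests for reply matching."""
        parsed = parse_packet(pkt)
        if parsed and parsed[2] == ECHO_REQUEST:
            self.pending.add((parsed[1], parsed[4], parsed[5]))
        return True

    def inbound(self, pkt: bytes) -> tuple:
        """Return (accept, reason) for an ICMP datagram arriving from outside."""
        parsed = parse_packet(pkt)
        if parsed is None:
            return False, "malformed ICMP or bad checksum"
        src, dst, icmp_type, code, ident, seq = parsed
        if icmp_type not in self.allowed_types:
            return False, "type %d not on the allow-list" % icmp_type
        if icmp_type == ECHO_REQUEST:
            if ipaddress.IPv4Address(dst) in (self.net.broadcast_address, self.net.network_address):
                return False, "echo request to broadcast/network address"
            if self.ping_from is not None and ipaddress.IPv4Address(src) not in self.ping_from:
                return False, "echo request from a host not cleared to ping"
        elif icmp_type == ECHO_REPLY:
            key = (src, ident, seq)
            if key not in self.pending:
                return False, "unsolicited echo reply"
            self.pending.discard(key)
        return True, "accepted (type %d code %d)" % (icmp_type, code)


if __name__ == "__main__":
    fw = IcmpFilter("192.0.2.0/24")  # constructed local subnet (documentation range)
    print(fw.inbound(build_packet("198.51.100.7", "192.0.2.255", ECHO_REQUEST)))
    print(fw.inbound(build_packet("203.0.113.1", "192.0.2.10", DEST_UNREACH, code=4)))
```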

peter

Mike Scott <usenet.9@spam.stopper.scottsonline.org.uk> wrote:
[...]
> But a decent firewall will be stateful - so eg outbound ping will
> enable the reply to be received. No-one 'out there' has any business
> pinging me so they don't get to do it.

That's your local policy, but not mine. I allow some remote sites to
ping me as part of mutual reachability testing.

> I am well aware it's against the rules, but I block all unsolicited
> inbound icmp - never noticed any problems. I'm afraid the rfc's were
> drawn up in a less dangerous internet age :-(

You block Destination Unreachable as well?

--
The poverty from which I have suffered could be diagnosed as "Soho" poverty. It
comes from having the airs and graces of a genius and no talent.
- Quentin Crisp
 
Guest

In comp.security.firewalls jameshanley39@yahoo.co.uk wrote:
> it is my understanding that stealthing ports has absolutely nothing to
> do with ICMP.

Oh yes, it has. Please read RFC 792, or just read <43088aac@news.uni-ulm.de>

F'up2 comp.security.firewalls

Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"
 

Speeder

On 23 Sep 2005 12:27:46 +0200, Volker Birk <bumens@dingens.org> wrote:

>In comp.security.firewalls Franklin <no_thanks@mail.com> wrote:
>> My question is Should a firewall let all ICMP traffic through because
>> there is no real risk if they do?
>
>It does not need to let _all_ ICMP traffic through. But it would be a
>good idea not to deny every ICMP traffic.
>
>It is a good idea to allow at least ICMP messages of the
>types 0, 3, 4, 8, 11, 12, see RFC 792.

Thank you. Finally a straight answer.