Carric is right. The appropriate firewall paradigm is to block EVERYTHING as a first step. Then allow what you need. This does not apply only to ICMP, it applies to all protocols - period.

Plug in a Sniffer on the wire at both the untrusted and the trusted interfaces. What protocols are in use on your network now? Do you need them? Why enable a possible problem that exists with a protocol or an app that you don't even use? Plan your installation accordingly.

Configure your firewall in parallel with your existing gateway. Schedule downtime for the cutover. Keep your Sniffer handy to troubleshoot.

Above all remember that firewalls are not easy - it takes knowledge of mail, DNS, routing, TCP, IP, UDP, OS's, you get the picture. Take it easy on yourself if you don't know everything at once. Time and experience will take care of it.

Good luck

MJ

-----Original Message-----
From: Carric Dooley [mailto:carricat_private]
Sent: Friday, January 14, 2000 9:02 AM
To: wwebbat_private; firewall-wizardsat_private
Subject: Re: Blocking ICMP with ipchains

That is kind of the opposite way to look at it... Block ALL ICMP and then allow:

echo reply
source quench
destination unreachable
(and time exceeded if you use traceroute a lot)

This just lets a response come back when you ping a host, lets routers tell you you are sending too much traffic and that your destination is unreachable, and the Time Exceeded I left open to get responses when doing a traceroute.

Carric Dooley
Network Security Consultant

"A little inaccuracy sometimes saves a ton of explanation." - H. H. Munro (Saki) (1870-1916)

----- Original Message -----
From: <wwebbat_private>
To: <firewall-wizardsat_private>
Sent: Tuesday, January 11, 2000 7:18 PM
Subject: Blocking ICMP with ipchains

> I've heard that it is not wise to block all ICMP operations. Such
> being the case, which of these ICMP operations are safe to block
> without causing serious problems:
>
> echo-reply (pong)
> destination-unreachable
> network-unreachable
> host-unreachable
> protocol-unreachable
> port-unreachable
> fragmentation-needed
> source-route-failed
> network-unknown
> host-unknown
> network-prohibited
> host-prohibited
> TOS-network-unreachable
> TOS-host-unreachable
> communication-prohibited
> host-precedence-violation
> precedence-cutoff
> source-quench
> redirect
> network-redirect
> host-redirect
> TOS-network-redirect
> TOS-host-redirect
> echo-request (ping)
> router-advertisement
> router-solicitation
> time-exceeded (ttl-exceeded)
> ttl-zero-during-transit
> ttl-zero-during-reassembly
> parameter-problem
> ip-header-bad
> required-option-missing
> timestamp-request
> timestamp-reply
> address-mask-request
> address-mask-reply
>
> Thanks for any assistance.
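The default-deny ICMP policy Carric describes (block everything, then allow echo-reply, source-quench, destination-unreachable and time-exceeded), written out as an added example that is not from any poster in the thread: it emits the ipchains rule lines for that policy and applies the same allow-list to raw ICMP messages, denying truncated or checksum-corrupt ones outright. The type numbers are RFC 792/1256 facts; the `--icmp-type` rule spelling is assumed from the ipchains HOWTO and is not run here.

```python
import struct

# ICMP type numbers from RFC 792 (router discovery types from RFC 1256),
# keyed by the ipchains names that appear in the question's list.
ICMP_TYPES = {
    "echo-reply": 0, "destination-unreachable": 3, "source-quench": 4,
    "redirect": 5, "echo-request": 8, "router-advertisement": 9,
    "router-solicitation": 10, "time-exceeded": 11, "parameter-problem": 12,
    "timestamp-request": 13, "timestamp-reply": 14,
    "address-mask-request": 17, "address-mask-reply": 18,
}

# Carric's allow-list; every other type falls through to the DENY policy.
ALLOWED = ("echo-reply", "source-quench", "destination-unreachable",
           "time-exceeded")

def ipchains_rules(chain="input"):
    """Rule lines for the policy: default DENY, then one ACCEPT per allowed
    type. The --icmp-type spelling is assumed from the ipchains HOWTO."""
    rules = [f"ipchains -P {chain} DENY"]
    for name in ALLOWED:
        rules.append(f"ipchains -A {chain} -p icmp --icmp-type {name} -j ACCEPT")
    return rules

def _checksum(data):
    """RFC 1071 ones'-complement checksum over 16-bit words (zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type, code, rest=0, payload=b""):
    """Constructed sample message: 8-byte header with a correct checksum."""
    body = struct.pack("!BBHI", icmp_type, code, 0, rest) + payload
    return body[:2] + struct.pack("!H", _checksum(body)) + body[4:]

def decide(msg):
    """Apply the same policy to a raw ICMP message: ACCEPT or DENY."""
    # Shorter than the 8-byte header, or checksum fails: drop before the
    # type is even consulted.
    if len(msg) < 8 or _checksum(msg) != 0:
        return "DENY"
    allowed_types = {ICMP_TYPES[name] for name in ALLOWED}
    return "ACCEPT" if msg[0] in allowed_types else "DENY"

if __name__ == "__main__":
    for line in ipchains_rules():
        print(line)
    print("echo-request ->", decide(build_icmp(8, 0)))   # DENY
```

Note that the allow-list keys on ICMP type only, so fragmentation-needed (type 3, code 4) passes with the rest of destination-unreachable, while an echo-request (type 8) is denied: the host can ping out but is not pingable from the untrusted side.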
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:58:12 PDT