Hi Frederic,

> Although I _could_ agree as far as firewalls are concerned, I don't
> when it comes to routers.
> Blocking/dropping any ICMP packet usually turns into a real nightmare
> when you have to perform troubleshooting on a wide network.

Please don't spread the word that ICMP is only for troubleshooting networks. ICMP has its uses besides "PING", the most important one being "Path-MTU-Discovery", which will break when filtering all ICMP packets! [1]

There is a really frightening number of clueless admins who misconfigure their firewalls this way!

Chris

[1] The canonical example is a webserver behind a firewall which blocks all ICMP packets. If the webserver has path-mtu-discovery enabled, the following will happen when you (as a client) are sitting behind a smaller-than-ethernet-MTU link (PPPoE DSL or a tunnel, for example):

1.) The www-server sends a data packet (as large as the local ethernet permits) to the client.
2.) A router between server and client will drop this packet because:
    - the link MTU (PPPoE, tunnel) is too small
    - the packet has its "don't fragment" bit set (because the webserver is trying path-mtu-discovery)
2b) The router will send an ICMP "fragmentation needed but DF set" message to the webserver.
3.) The firewall in front of the webserver drops this packet.
4.) The webserver will never be informed that its packets are too large and will keep trying to send too-large packets which never reach the client.

--
And remember - if it ain't broke, hit it again. -- Foon

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
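The black-hole sequence in footnote [1], played out in code. This is an added example for the thread, not code from the original post. Everything in it is constructed: a webserver on a 1500-byte Ethernet, a client behind a 1492-byte PPPoE link, RFC 5737 documentation addresses, and two hypothetical firewall policies (`drop_all_icmp`, `allow_pmtud`) that stand in for a real rule set. The ICMP "fragmentation needed" message itself is built and parsed in its real wire format (type 3, code 4, next-hop MTU in bytes 6-7, RFC 1191), so the same parser would recognise a captured one.

```python
"""Path-MTU-Discovery black hole, simulated.

Added example for this thread, not code from the original post.  All
hosts, addresses and MTUs are constructed: a webserver on a 1500-byte
Ethernet, a client behind a 1492-byte PPPoE link, and a firewall in
front of the server whose ICMP policy is a plain Python predicate.
"""
import struct

ICMP_DEST_UNREACH = 3   # ICMPv4 "Destination Unreachable"
ICMP_FRAG_NEEDED = 4    # code: fragmentation needed but DF set (RFC 1191)
IP_FLAG_DF = 0x4000     # "don't fragment" bit in the IPv4 flags/offset field


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_stub(total_len: int) -> bytes:
    """Constructed IPv4 header (DF set) + first 8 bytes of TCP, as a router
    quotes them back inside the ICMP error.  Addresses are RFC 5737
    documentation space; the IP header checksum is left at zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, IP_FLAG_DF,
                      64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    tcp8 = struct.pack("!HHI", 80, 40000, 1)   # src port, dst port, seq
    return hdr + tcp8


def build_frag_needed(next_hop_mtu: int, quoted: bytes) -> bytes:
    """ICMP type 3 / code 4 with the next-hop MTU field filled in."""
    head = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    csum = icmp_checksum(head + quoted)
    head = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, csum, 0, next_hop_mtu)
    return head + quoted


def parse_frag_needed(msg: bytes):
    """Return the advertised next-hop MTU, or None if this is not a valid
    fragmentation-needed message (too short, bad checksum, wrong type/code)."""
    if len(msg) < 8 or icmp_checksum(msg) != 0:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if (icmp_type, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        return None
    return mtu


# Two hypothetical firewall policies standing in for a real rule set.
def drop_all_icmp(icmp_type: int, code: int) -> bool:
    return False


def allow_pmtud(icmp_type: int, code: int) -> bool:
    # Let the one ICMP error PMTUD depends on through; everything else is
    # still dropped, so this is no more permissive than it needs to be.
    return (icmp_type, code) == (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED)


def simulate(policy, server_mtu: int = 1500, link_mtu: int = 1492, max_rounds: int = 4) -> dict:
    """Steps 1-4 of the footnote: the server sends DF packets at its current
    path-MTU estimate, the router bounces oversized ones with ICMP 3/4, and
    the firewall decides whether the server ever hears about it."""
    path_mtu = server_mtu
    log = []
    for rnd in range(1, max_rounds + 1):
        log.append("round %d: server sends %d bytes, DF set" % (rnd, path_mtu))
        if path_mtu <= link_mtu:
            log.append("  router forwards; client receives the data")
            return {"delivered": True, "path_mtu": path_mtu, "rounds": rnd, "log": log}
        icmp = build_frag_needed(link_mtu, ip_stub(path_mtu))
        log.append("  router drops it (link MTU %d) and sends ICMP 3/4 back" % link_mtu)
        if not policy(icmp[0], icmp[1]):
            log.append("  firewall drops the ICMP; server learns nothing")
            continue
        path_mtu = parse_frag_needed(icmp)
        log.append("  ICMP reaches the server; path MTU lowered to %d" % path_mtu)
    return {"delivered": False, "path_mtu": path_mtu, "rounds": max_rounds, "log": log}


if __name__ == "__main__":
    for name, policy in (("drop all ICMP", drop_all_icmp), ("allow 3/4", allow_pmtud)):
        result = simulate(policy)
        print("firewall policy: %s -> delivered=%s" % (name, result["delivered"]))
        print("\n".join(result["log"]))
```

With `drop_all_icmp` the server resends 1500-byte DF packets forever and the client never gets the data; with `allow_pmtud` the first ICMP error lowers the server's path MTU to 1492 and the second packet arrives. The real-world counterpart of `allow_pmtud` on a Linux firewall is a rule accepting ICMP type 3 code 4 (`iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT`), or more generally accepting ICMP errors with conntrack state RELATED. For IPv6 the equivalent message is ICMPv6 type 2 "Packet Too Big", and dropping it hurts even more, since IPv6 routers never fragment on a host's behalf.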
This archive was generated by hypermail 2b30 : Tue Feb 04 2003 - 14:14:53 PST