Re: [fw-wiz] How automate firewall tests

For starters, I do have to agree that allowing ICMP is a mistake on a "good"
firewall... ICMP is the best way to determine the internal structure of a
private network. I'm sure I'm not mentioning other reasons why allowing
ICMP is bad, but one should be enough for that point; I'll let others
elaborate if needed.

Also, I was reading up on PMTUD and, from what I can see, all it does is aim
to avoid fragmentation by plotting the shortest path from one point to
another, thus preventing the packet from degrading. However, this makes me
raise two questions, the second of which I am more sure about than the
first: (1) Isn't PMTUD something that can be rendered unneeded by using
port forwarding and static routes for traffic destined for each collision
domain? I mean, yeah, it probably means more work for the person
administering the network, but is it not possible to just use some common
sense in creating the routing table? (2) If PMTUD is such a big concern as
to make someone wish to allow ICMP, then why not just block certain types of
ICMP packets using an access-list?

Isaac Van Name

-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Patrick
M. Hausen
Sent: Monday, August 21, 2006 3:11 AM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] How automate firewall tests

Hi, all!

On Fri, Aug 18, 2006 at 10:26:53AM -0700, Shahin Ansari wrote:

The doco above says no good firewall should allow ICMP, ...

Then this document is plainly wrong, IMHO. Which one were you
referring to?

Blocking ICMP completely breaks PMTUD. Which leads to all
sorts of "funny" breakage from the end users' point of view.

-- GmbH Internet - Dienstleistungen - Beratung
Vorholzstr. 25 Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe
firewall-wizards mailing list
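The middle ground the two posts circle around (keep the ICMP that PMTUD depends on, drop the rest) can be made concrete with a small filter. The following Python is an added example, not code from either poster or from the list: it parses an ICMP message, verifies the ICMPv4 checksum, and passes only ICMPv4 type 3 / code 4 ("Fragmentation Needed", RFC 1191) and ICMPv6 type 2 ("Packet Too Big", RFC 8201); the policy table, the sample packets and the 28-byte original-header stub are constructed for the demonstration.

```python
import struct

# Constructed allow-list: the ICMP messages PMTUD cannot work without.
# Key is IP version, value is a set of (type, code). A production ruleset
# usually keeps a few more types (e.g. Time Exceeded), but these are the
# ones whose absence causes the "funny" breakage described in the thread.
PMTUD_REQUIRED = {
    4: {(3, 4)},  # ICMPv4 Destination Unreachable / Fragmentation Needed
    6: {(2, 0)},  # ICMPv6 Packet Too Big
}

def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp4(icmp_type, code, rest):
    """Assemble an ICMPv4 message with a correct checksum."""
    draft = struct.pack("!BBH", icmp_type, code, 0) + rest
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(draft)) + rest

def build_frag_needed(next_hop_mtu, original_datagram):
    """Type 3 / code 4: 2 unused bytes, 2-byte Next-Hop MTU, then the
    original IP header plus first 8 payload bytes (28 bytes for IPv4)."""
    rest = struct.pack("!HH", 0, next_hop_mtu) + original_datagram[:28]
    return build_icmp4(3, 4, rest)

def classify_icmp(version, msg):
    """Return ('pass' | 'drop', details) for one ICMP message."""
    if len(msg) < 8:
        return ("drop", {"reason": "truncated header"})
    icmp_type, code = struct.unpack("!BB", msg[:2])
    # ICMPv6 checksums cover a pseudo-header we do not have here, so only
    # the IPv4 checksum is verified in this example.
    if version == 4 and icmp_checksum(msg) != 0:
        return ("drop", {"reason": "bad checksum", "type": icmp_type, "code": code})
    if (icmp_type, code) not in PMTUD_REQUIRED.get(version, set()):
        return ("drop", {"reason": "not needed for PMTUD", "type": icmp_type, "code": code})
    info = {"type": icmp_type, "code": code}
    if version == 4:
        info["next_hop_mtu"] = struct.unpack("!H", msg[6:8])[0]
    else:
        info["mtu"] = struct.unpack("!I", msg[4:8])[0]
    return ("pass", info)

# Constructed stand-in for the original IPv4 header + 8 payload bytes.
SAMPLE_ORIGINAL = bytes(range(28))
FRAG_NEEDED = build_frag_needed(1400, SAMPLE_ORIGINAL)
ECHO_REQUEST = build_icmp4(8, 0, struct.pack("!HH", 1, 1) + b"ping")
PACKET_TOO_BIG = struct.pack("!BBHI", 2, 0, 0, 1280)
```

Run with an access-list mindset: a rule that drops every ICMP type makes `FRAG_NEEDED` disappear and the sender keeps retransmitting oversized, DF-set segments, which is exactly the stall described above.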