Re: Safe ICMP Types?
From: Alan Strassberg (alan_at_internal.wj.com)
Date: 01/21/04
- Next message: Mike: "Linux firewall questions"
- Previous message: Dave: "LiveUpdate not working"
- In reply to: Jess: "Safe ICMP Types?"
- Next in thread: Rheem: "Re: Safe ICMP Types?"
- Reply: Rheem: "Re: Safe ICMP Types?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 21 Jan 2004 12:11:13 -0800
In article <buk53e$j15n5$1@ID-203900.news.uni-berlin.de>,
Jess <Jess_727@yahoo.com> wrote:
>What ICMP types can I safely let in and out of my PC without degrading
>performance?
I think this discussion is missing some important ICMP types.
ICMP is a critical part of TCP/IP, and only allowing types 8
(echo request) and 0 (echo reply) is missing type 3 (Destination
Unreachable).
The NSA (National Security Agency) recommends:
    deny icmp any any echo
    deny icmp any any redirect
    deny icmp any any mask-request
    permit icmp any
(allow pings where needed obviously)
http://www.nsa.gov/snac/index.html
(page 89 of the Cisco Security Guide)
ICMP type 3 is necessary to support Path MTU.
http://www.networksorcery.com/enp/protocol/icmp/msg3.htm
By blocking ICMP you are crippling TCP/IP.
alan
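
An added example, not part of the original post: it parses ICMP headers and compares an echo-only filter (types 8 and 0) with the ACL quoted above, showing that the echo-only filter drops the type 3 code 4 message that Path MTU discovery depends on. The function names and sample packets are constructed for illustration, and the type numbers for the ACL keywords (echo = 8, redirect = 5, mask-request = 17) are the standard ICMP assignments.

```python
import struct

# ICMP type numbers (RFC 792 / RFC 950)
ECHO_REPLY, DEST_UNREACH, REDIRECT, ECHO, MASK_REQUEST = 0, 3, 5, 8, 17
FRAG_NEEDED = 4  # type 3 code 4: "fragmentation needed and DF set" (RFC 1191)

def parse_icmp(data: bytes) -> dict:
    """Parse the 8-byte ICMP header; raise ValueError on short input."""
    if len(data) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _checksum, rest = struct.unpack("!BBHI", data[:8])
    msg = {"type": icmp_type, "code": code, "next_hop_mtu": None}
    if icmp_type == DEST_UNREACH and code == FRAG_NEEDED:
        msg["next_hop_mtu"] = rest & 0xFFFF  # low 16 bits carry the MTU
    return msg

def echo_only_policy(msg: dict) -> bool:
    """Hypothetical filter that permits only types 8 and 0."""
    return msg["type"] in (ECHO, ECHO_REPLY)

def quoted_acl_policy(msg: dict) -> bool:
    """The quoted ACL: deny echo, redirect, mask-request; permit the rest."""
    return msg["type"] not in (ECHO, REDIRECT, MASK_REQUEST)

def compare(packets: dict) -> dict:
    """Return {name: (echo_only_verdict, quoted_acl_verdict, next_hop_mtu)}."""
    out = {}
    for name, raw in packets.items():
        msg = parse_icmp(raw)
        out[name] = (echo_only_policy(msg), quoted_acl_policy(msg),
                     msg["next_hop_mtu"])
    return out

# Constructed sample headers (checksum left as zero, not validated here).
SAMPLES = {
    "echo request": struct.pack("!BBHI", 8, 0, 0, 0x00010001),
    "echo reply": struct.pack("!BBHI", 0, 0, 0, 0x00010001),
    "frag needed, MTU 1400": struct.pack("!BBHHH", 3, 4, 0, 0, 1400),
    "redirect": struct.pack("!BBHI", 5, 1, 0, 0xC0000201),
    "mask request": struct.pack("!BBHI", 17, 0, 0, 0),
}

if __name__ == "__main__":
    for name, (echo_only, acl, mtu) in compare(SAMPLES).items():
        print(f"{name:24} echo-only={echo_only!s:5} acl={acl!s:5} mtu={mtu}")
```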