Re: Proper Way to Pass ICMP Through Firewall-1?

From: Wolfgang Zweimueller (wzwei_at_gmx.at)
Date: 04/29/05

Date: Fri, 29 Apr 2005 08:58:21 +0200
"Will" <DELETE_westes@earthbroadcast.com> writes:

> It ended up being a routing problem on the target device.
>
> And I *did* need to have two symmetric rules on the firewall, authorizing
> the transit of ICMP packets in both directions. For whatever reason, the
> firewall was not maintaining stateful inspection of ICMP, unlike other
> protocols.

Because there is no such thing as stateful filtering of ICMP. Well,
there are some cases where you can think of stateful handling
(echo-request and echo-reply), but not in general. And if you want to
filter ICMP correctly, you have to have knowledge about ICMP.

<flame mode>
ICMP is a major problem in most firewall appliances nowadays. E.g. the
Linksys WRT-boxes are very nice (and cheap), but you are unable to
handle ICMP properly. For me that is the main reason to remove the
Linksys firmware and install Openwrt.

I have seen so many bad or useless packet filters that it makes me
believe that none of the implementors knows anything about ICMP. That's
a nightmare.

</flame mode>

OTOH, Check Point is an exception and the way they allow you to handle
ICMP is O.K. for me.

cu,
Wolfgang
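
A toy stateful ICMP tracker, added here as an illustration and not taken from the thread or from any firewall product, that shows the distinction drawn above: echo-request/echo-reply can be paired by identifier and sequence number, while an ICMP error such as destination unreachable can only be judged by relating the quoted inner header to a flow the filter has already seen. The `Icmp`/`IcmpTracker` names and the sample addresses are assumptions made for this example.

```python
# Added example (not from the thread): minimal state tracking for ICMP.
# Echo request/reply form a matchable pair; other ICMP types carry no
# session of their own and must be related to an existing TCP/UDP flow
# through the original header they quote (RFC 792), or else be dropped.
from dataclasses import dataclass
from typing import Optional, Tuple

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST = 0, 3, 8

Flow = Tuple[str, str, str, int, int]  # (src, dst, proto, sport, dport)


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    type: int
    ident: int = 0                 # echo identifier (types 0 and 8 only)
    seq: int = 0                   # echo sequence number
    inner: Optional[Flow] = None   # original header quoted in an ICMP error


class IcmpTracker:
    def __init__(self) -> None:
        self.echo = set()    # outstanding outbound echo requests
        self.flows = set()   # TCP/UDP flows the firewall has already allowed

    def note_flow(self, src: str, dst: str, proto: str, sport: int, dport: int) -> None:
        self.flows.add((src, dst, proto, sport, dport))

    def allow(self, p: Icmp, outbound: bool) -> bool:
        if p.type == ECHO_REQUEST and outbound:
            # Remember the request so exactly one matching reply may return.
            self.echo.add((p.src, p.dst, p.ident, p.seq))
            return True
        if p.type == ECHO_REPLY and not outbound:
            key = (p.dst, p.src, p.ident, p.seq)   # reply mirrors the request
            if key in self.echo:
                self.echo.discard(key)
                return True
            return False
        if p.type == DEST_UNREACH and not outbound:
            # Legitimate only if the quoted packet belongs to a flow we have seen;
            # without that knowledge of ICMP there is nothing to match against.
            return p.inner in self.flows
        return False   # no state to match: drop
```

Anything the tracker cannot relate to prior state is dropped, which is exactly the case the simple "stateful" appliances criticised above fail to distinguish.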
