Re: Ok to let all ICMP traffic through firewall?
From: Peter (abuse_at_dopiaza.cabal.org.uk)
Date: 22 Sep 2005 22:36:09 GMT
Franklin <firstname.lastname@example.org> wrote:
> My question is Should a firewall let all ICMP traffic through
> because there is no real risk if they do?
No, because some ICMP messages aren't useful. However, blocking all
ICMP is throwing the baby out with the bathwater and will cause more
bother than not blocking anything.
I would suggest allowing ICMP Echo and Echo Reply (so ping works),
Destination Unreachable (which includes "fragmentation required",
essential for PMTUD to work) and Time Exceeded (so traceroute works).
Everything else looks to be fair game to drop.
While I'm suggesting firewall rules, can people also not silently drop
SYNs to port 113 please? All sorts of servers try RFC1413 lookups and
stall while waiting for a response. The firewall user is usually the
first to complain that it's taking ages to connect to a certain remote
--
PGP key ID E85DC776 - finger email@example.com for full key
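The policy in the post, as a worked example added here (not Peter's code, and not a ruleset from any real firewall): a stateless classifier that accepts ICMP Echo, Echo Reply, Destination Unreachable (including code 4, "fragmentation needed", with the Next-Hop MTU field that PMTUD depends on) and Time Exceeded, drops every other ICMP type, and answers a TCP SYN to port 113 with REJECT (an RST) rather than a silent drop. The packets are constructed inline; the ICMP checksum check and the "CONTINUE" verdict for other TCP traffic (meaning "fall through to the rest of the ruleset") are my own choices, not anything the post specifies.

```python
"""Stateless IPv4 classifier for the ICMP / ident policy discussed above.

Added example, not code from the original post. All packets are built
inline (constructed test data); no sockets are opened.
"""
import struct

# ICMP types/codes (IANA assignments)
ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO, ICMP_TIME_EXCEEDED = 0, 3, 8, 11
ICMP_FRAG_NEEDED = 4          # code under Destination Unreachable
ALLOWED_ICMP_TYPES = {ICMP_ECHO, ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED}

IDENT_PORT = 113              # RFC 1413 ident; REJECT, don't DROP
TCP_SYN, TCP_ACK = 0x02, 0x10


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 for a correctly summed buffer."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes):
    """Return (protocol, payload) after validating version and IHL."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    return pkt[9], pkt[ihl:]


def next_hop_mtu(icmp: bytes) -> int:
    """Next-Hop MTU carried in a type 3 / code 4 message (RFC 1191); 0 if not one."""
    if len(icmp) >= 8 and icmp[0] == ICMP_DEST_UNREACH and icmp[1] == ICMP_FRAG_NEEDED:
        return struct.unpack("!H", icmp[6:8])[0]
    return 0


def classify(pkt: bytes) -> str:
    """ACCEPT / DROP / REJECT / CONTINUE for one raw IPv4 packet."""
    proto, payload = parse_ipv4(pkt)
    if proto == 1:                                  # ICMP
        if len(payload) < 8 or inet_checksum(payload) != 0:
            return "DROP"                           # truncated or corrupt header
        return "ACCEPT" if payload[0] in ALLOWED_ICMP_TYPES else "DROP"
    if proto == 6:                                  # TCP
        if len(payload) < 20:
            return "DROP"
        dport, off_flags = struct.unpack("!H", payload[2:4])[0], struct.unpack("!H", payload[12:14])[0]
        flags = off_flags & 0x1FF
        if dport == IDENT_PORT and flags & TCP_SYN and not flags & TCP_ACK:
            return "REJECT"                         # send RST so the remote ident lookup fails fast
        return "CONTINUE"                           # rest of the TCP policy is out of scope here
    return "DROP"


# --- constructed packets for demonstration ---------------------------------
def build_ipv4(proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, data: bytes = b"") -> bytes:
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + data
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def build_tcp_syn(sport: int, dport: int) -> bytes:
    # 20-byte header, data offset 5, only SYN set; TCP checksum not validated here
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | TCP_SYN, 65535, 0, 0)


if __name__ == "__main__":
    samples = {
        "echo request": build_ipv4(1, build_icmp(ICMP_ECHO, 0)),
        "frag needed, MTU 1400": build_ipv4(1, build_icmp(ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
                                                          struct.pack("!HH", 0, 1400))),
        "time exceeded": build_ipv4(1, build_icmp(ICMP_TIME_EXCEEDED, 0)),
        "redirect": build_ipv4(1, build_icmp(5, 1)),
        "SYN to 113": build_ipv4(6, build_tcp_syn(40000, IDENT_PORT)),
        "SYN to 80": build_ipv4(6, build_tcp_syn(40000, 80)),
    }
    for name, pkt in samples.items():
        print(f"{name:24s} -> {classify(pkt)}")
```

A real deployment would express the same thing as a stateful ruleset (related ICMP for established flows, rate-limited echo), but the decision table is the part the thread is about, and the corrupt-checksum case shows why the filter should parse the header rather than match on the type byte alone.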