Re: Ok to let all ICMP traffic through firewall?

From: Peter (abuse_at_dopiaza.cabal.org.uk)
Date: 09/23/05


Date: 22 Sep 2005 22:36:09 GMT

Franklin <no_thanks@mail.com> wrote:
> My question is Should a firewall let all ICMP traffic through
> because there is no real risk if they do?

No, because some ICMP messages aren't useful. However, blocking all
ICMP is throwing the baby out with the bathwater and will cause more
bother than not blocking anything.

I would suggest allowing ICMP Echo and Echo Reply (so ping works),
Destination Unreachable (which includes "fragmentation required",
essential for PMTUD to work) and Time Exceeded (so traceroute works).
Everything else looks to be fair game to drop.

While I'm suggesting firewall rules, can people also not silently drop
SYNs to port 113 please? All sorts of servers try RFC1413 lookups and
stall while waiting for a response. The firewall user is usually the
first to complain that it's taking ages to connect to a certain remote
server.

-- 
PGP key ID E85DC776 - finger abuse@mooli.org.uk for full key
/:.*posting.google.com.*/HX-Trace:+j
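The allow-list and the port 113 advice above, as an added example that is not part of Peter's post: a small Python model of the policy (ICMP type numbers from RFC 792, a REJECT with TCP RST for ident SYNs instead of a silent drop, and an assumed default-deny for everything else) plus the equivalent nftables rules, which assume an input chain with `policy drop`.

```python
from dataclasses import dataclass

# ICMP type numbers from RFC 792 / IANA.
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
FRAG_NEEDED = 4  # Destination Unreachable code 4: "fragmentation needed and DF set" (PMTUD)
ALLOWED_ICMP_TYPES = {ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED}
IDENT_PORT = 113  # RFC 1413 ident lookups


@dataclass(frozen=True)
class Packet:
    """Constructed, minimal view of an inbound packet for policy evaluation."""
    proto: str            # "icmp" or "tcp"
    icmp_type: int = -1
    icmp_code: int = 0
    dport: int = 0
    syn: bool = False


def verdict(pkt: Packet) -> str:
    """Return ACCEPT, DROP or REJECT for an inbound packet under the post's policy."""
    if pkt.proto == "icmp":
        # Echo/Echo Reply keep ping working, Time Exceeded keeps traceroute working,
        # and Destination Unreachable carries the "fragmentation needed" message
        # that Path MTU Discovery depends on. Every other ICMP type is dropped.
        return "ACCEPT" if pkt.icmp_type in ALLOWED_ICMP_TYPES else "DROP"
    if pkt.proto == "tcp" and pkt.syn and pkt.dport == IDENT_PORT:
        # Answer with a TCP RST instead of silently dropping: the remote server's
        # ident lookup then fails at once instead of stalling until its timeout.
        return "REJECT"
    return "DROP"  # assumption: default-deny for traffic the post does not cover


def nftables_rules() -> list:
    """Equivalent nftables input-chain rules (assumes the chain's policy is drop)."""
    return [
        "icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded } accept",
        f"tcp dport {IDENT_PORT} reject with tcp reset",
    ]


if __name__ == "__main__":
    samples = [Packet("icmp", icmp_type=ECHO_REQUEST),
               Packet("icmp", icmp_type=DEST_UNREACH, icmp_code=FRAG_NEEDED),
               Packet("icmp", icmp_type=13),            # timestamp request
               Packet("tcp", dport=IDENT_PORT, syn=True)]
    for p in samples:
        print(p, "->", verdict(p))
    print("\n".join(nftables_rules()))
```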