Re: Ok to let all ICMP traffic through firewall?

From: Peter (abuse_at_dopiaza.cabal.org.uk)
Date: 09/23/05


Date: 22 Sep 2005 22:36:09 GMT

Franklin <no_thanks@mail.com> wrote:
> My question is: should a firewall let all ICMP traffic through
> because there is no real risk if they do?

No, because some ICMP messages aren't useful. However, blocking all
ICMP is throwing the baby out with the bathwater and will cause more
bother than not blocking anything.

I would suggest allowing ICMP Echo and Echo Reply (so ping works),
Destination Unreachable (which includes "fragmentation required",
essential for PMTUD to work) and Time Exceeded (so traceroute works).
Everything else looks to be fair game to drop.

While I'm suggesting firewall rules, can people also not silently drop
SYNs to port 113 please? All sorts of servers try RFC1413 lookups and
stall while waiting for a response. The firewall user is usually the
first to complain that it's taking ages to connect to a certain remote
server.

-- 
PGP key ID E85DC776 - finger abuse@mooli.org.uk for full key
/:.*posting.google.com.*/HX-Trace:+j
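As an added example (not from Peter's post, which names no particular firewall), here is what his two suggestions look like as IPv4 iptables rules on a Linux host; the script layout, the DRY_RUN variable and the assumption that INPUT otherwise ends in a DROP policy are mine.

```shell
#!/bin/sh
# Added example, not from the original post: IPv4 iptables rules for the
# ICMP and ident (TCP/113) advice above. Assumes a Linux host whose INPUT
# chain otherwise ends in a DROP policy. With DRY_RUN=1 (the default here)
# the commands are printed instead of executed, so the script can be reviewed.
DRY_RUN=${DRY_RUN:-1}

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# ICMP: accept only the message types the post recommends, drop the rest.
icmp_rules() {
    # Echo request / reply so ping keeps working.
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    # Destination Unreachable (type 3) includes code 4 "fragmentation
    # needed", which path MTU discovery depends on.
    ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    # Time Exceeded so traceroute keeps working.
    ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    # Everything else is fair game to drop.
    ipt -A INPUT -p icmp -j DROP
}

# ident (RFC 1413, TCP/113): answer with a RST instead of silently dropping
# the SYN, so a remote server doing an ident lookup fails fast rather than
# stalling until its lookup times out.
ident_rules() {
    ipt -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
}

icmp_rules
ident_rules
```

Do not reuse the ICMP half for IPv6: ICMPv6 additionally carries neighbour discovery and Packet Too Big, so an ip6tables filter needs more types allowed.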