Re: Ok to let all ICMP traffic through firewall?

From: Imhotep (Imhotep_at_nospam.net)
Date: 09/23/05


Date: Thu, 22 Sep 2005 21:16:35 -0400

Franklin wrote:

> My question is: should a firewall let all ICMP traffic through because
> there is no real risk if they do?
>
> +++++
>
> Here is the thinking behind my question: Robin Walker's cable modem
> webpages at
> <http://homepage.ntlworld.com/robin.d.h.walker/cmtips/index.html>
> look to me as if they are technically sound. But they are a few
> years old. I would like to know what people think about the advice
> he gives about ICMP traffic and if it is still true these days.
>
> He suggests that firewalls should let all ICMP traffic through and
> that there is no real risk if they do that. At
> http://snipurl.com/hvox he writes the following section. I have cut
> it down a bit.
>
>
> ------------------- START QUOTE -----------------
>
> STEALTH-MODE FIREWALLS CONSIDERED HARMFUL
>
> Some firewalls have a hiding mechanism they call stealth. ... In
> stealth mode, the firewall causes the PC just to ignore incoming
> connection attempts, rather than rejecting them, as would be normal
> for incoming connection attempts to closed ports.
>
> ... causes some difficulties. For a start, Internet standard RFC 1122
> states categorically about ICMP Echoes (ping):
>
> "3.2.2.6 Echo Request/Reply: RFC-792. Every
> host MUST implement an ICMP Echo server function
> that receives Echo Requests and sends
> corresponding Echo Replies."
>
> So you are strongly advised not to apply stealth techniques to the
> ICMP protocol.
>
> A commonly heard objection to allowing ICMP Echo Replies is that it
> gives away information to hackers that there is a live connection on
> this IP address. Such objections are not well-founded, and can be
> safely ignored.
>
> There is no evidence in practice that any hacker has been aided by
> the presence of an ICMP Echo Reply.
>
> Hackers do not typically write code that tests an address with ICMP
> Echo before launching a hostile probe: they always send the hostile
> probe directly: either it works or it doesn't, and information from
> ICMP adds nothing to the analysis.
>
> ------------------- END QUOTE -----------------
>
> So should a firewall let all ICMP traffic through? Is it OK to do
> that?

Some ICMPs are needed for proper TCP/UDP/IP functionality. I typically allow
ICMP source quench and destination not reachables through and block
everything else (incoming)....

Imhotep
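To make the two positions in this thread concrete, here is an added example (not code from either poster): a small inbound ICMP filter that parses a constructed IPv4/ICMP datagram, verifies the ICMP checksum, answers echo requests as the quoted RFC 1122 3.2.2.6 requires, passes the types the reply above names as needed (source quench, destination unreachable), and drops everything else. TIME_EXCEEDED in the allow set and the `allow_all` switch (modelling Walker's allow-everything advice) are assumptions of this example, not statements from the thread.

```python
import struct

# ICMP types (RFC 792). Inbound types passed through follow the reply above (source
# quench, destination unreachable); TIME_EXCEEDED is an added assumption (traceroute).
DEST_UNREACHABLE, SOURCE_QUENCH, ECHO_REQUEST, TIME_EXCEEDED = 3, 4, 8, 11
NEEDED_INBOUND = {DEST_UNREACHABLE, SOURCE_QUENCH, TIME_EXCEEDED}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a valid ICMP message checksums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp(packet: bytes):
    """Return (type, code, rest) from a raw IPv4 datagram, or None if not valid ICMP."""
    if len(packet) < 20 or packet[9] != 1:          # IP protocol 1 = ICMP
        return None
    icmp = packet[(packet[0] & 0x0F) * 4:]          # skip IHL*4 header bytes
    if len(icmp) < 8 or icmp_checksum(icmp) != 0:   # short or corrupted message
        return None
    return icmp[0], icmp[1], icmp[4:]

def filter_inbound(packet: bytes, allow_all: bool = False) -> str:
    """Decide 'reply', 'accept' or 'drop'; allow_all models Walker's advice."""
    parsed = parse_icmp(packet)
    if parsed is None:
        return "drop"
    if parsed[0] == ECHO_REQUEST:      # RFC 1122 3.2.2.6: hosts MUST answer echo
        return "reply"
    return "accept" if allow_all or parsed[0] in NEEDED_INBOUND else "drop"

def echo_reply_for(packet: bytes) -> bytes:
    """Build the ICMP echo reply: type 0, same id/seq/data, fresh checksum."""
    body = bytearray(packet[(packet[0] & 0x0F) * 4:])
    body[0], body[2:4] = 0, b"\x00\x00"
    body[2:4] = struct.pack("!H", icmp_checksum(bytes(body)))
    return bytes(body)

def build_ipv4_icmp(itype: int, code: int, payload: bytes = b"") -> bytes:
    """Constructed sample datagram: minimal IPv4 header (IP checksum left 0) + ICMP."""
    body = bytearray(struct.pack("!BBHI", itype, code, 0, 0) + payload)
    body[2:4] = struct.pack("!H", icmp_checksum(bytes(body)))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + bytes(body)
```

A real host firewall would additionally keep state so that echo replies and errors relate to traffic the host actually sent; this example only shows the per-type decision the thread is arguing about.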


