Re: Ok to let all ICMP traffic through firewall?

jameshanley39_at_yahoo.co.uk
Date: 09/23/05


Date: 22 Sep 2005 18:20:45 -0700


Franklin wrote:
> My question is Should a firewall let all ICMP traffic through because
> there is no real risk if they do?
>
> +++++
>
> Here is the thinking behind my question: Robin Walker's cable modem
> webpages at
> <http://homepage.ntlworld.com/robin.d.h.walker/cmtips/index.html>
> look to me as if they are technically sound. But they are a few
> years old. I would like to know what people think about the advice
> he gives about ICMP traffic and if it is still true these days.
>

<snip>
>
> STEALTH-MODE FIREWALLS CONSIDERED HARMFUL
>
> Some firewalls have a hiding mechanism they call stealth. ... In

It seems there's a debate. But I can't see Robin Walker's arguments being
addressed by those who say to block ICMP.

It is my understanding that stealthing ports has absolutely nothing to
do with ICMP. So they are different issues.

A computer has a port stealthed if the port doesn't respond to say
whether it's open or closed. Online scanners that say 'stealth' are
really saying "could not determine", since perhaps the port is open but
the packet got lost! So some online port scanners can be misleading.
These are all TCP segments we're dealing with. They are a load of fields
deep within the frame's contents.

A computer that blocks ICMP is a different kettle of fish. These are
frames carrying ICMP packets and have no TCP segments anywhere in them
or deep in them at all. Blocking ICMP packets breaks the ICMP
protocol, whereas stealthing ports breaks the TCP protocol. I think
both go against the RFCs, which require correct implementation of ICMP
and TCP.

A computer of course may stealth ports and block ICMP. But they're not
related. The only similarity is that both are bad practice since they
go against RFCs, and it does not make you safer from attack. (Does it
really matter if somebody can ping you or not?!!!) It's that argument
again: if an attacker is put off by the fact that he can't ping
you, then he isn't much to worry about, and he can easily be put
off by other, proper, stronger security measures. Like not having open
ports unless necessary, and if they must be open, then using a firewall
to restrict access to the correct individuals, and applying patches to the
daemons (services/servers) to avoid exploits.

In principle, you don't really want to go around breaking protocols and
going against RFCs, and you don't gain much from doing it. If you just
say "best not to allow something in if you don't know what it is", it
reminds me of a middle-aged woman in a school using a computer who
doesn't want to move an icon, and whose main phrase is "put it back to
how it was before". If you know what an icon does then you would know
there's no harm in moving it a fraction to the left or to the right.

Similarly, the people who wrote the RFCs are clever people, and
there's a huge number of technical people in the know, and none of them
have indicated any danger from allowing ICMP packets (or if they have,
then nobody has given their argument in this thread!). The protocol has
been around for donkeys' years, and nobody has sounded any alarms
about it. So there's no need to start breaking protocols and going
against RFCs. It all looks like a lot of FUD to me.

I only learnt about this recently so I may be wrong, fortunately this
is a public forum, where people correct each others' mistakes!
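The distinction the post draws between a TCP "stealth" result and ICMP filtering is easiest to see at the packet level. The following is an added example, not code from the original post or from Robin Walker's pages: it builds a few IPv4 packets inline (constructed with struct, not captured from a network, checksums left at zero) and decodes them, showing that a port scanner's verdict comes from the TCP flags in a reply segment, that "no reply" is reported as filtered/"stealth" because nothing was determined, and that an ICMP message is a separate protocol carried directly in the IP packet with no TCP segment of its own. It also decodes an ICMP destination-unreachable message, which per RFC 792 quotes the IP header and first 8 bytes of the datagram that triggered it; the addresses and ports are arbitrary sample values.

```python
"""Decode constructed IPv4 packets to show what a TCP port probe sees
versus what ICMP carries.  Packets are built inline with struct (no
network access, checksums zero) purely for illustration."""
import struct

IPPROTO_ICMP = 1
IPPROTO_TCP = 6
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST = 0, 3, 8
IP_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def build_ipv4(proto, payload, src=(10, 0, 0, 1), dst=(10, 0, 0, 2)):
    """Minimal IPv4 header in front of a transport payload (sample addresses)."""
    total = 20 + len(payload)
    hdr = struct.pack(IP_HDR, 0x45, 0, total, 0, 0, 64, proto, 0,
                      bytes(src), bytes(dst))
    return hdr + payload


def build_tcp(sport, dport, flags):
    """20-byte TCP header: ports, seq, ack, data offset, flags, window, csum, urg."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def build_icmp(icmp_type, code, body=b""):
    """8-byte ICMP header (type, code, checksum, rest-of-header) plus body."""
    return struct.pack("!BBHHH", icmp_type, code, 0, 0, 0) + body


def parse(packet):
    """Describe the transport-layer content of an IPv4 packet as a dict."""
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack(IP_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    body = packet[ihl:total]
    if proto == IPPROTO_TCP:
        sport, dport, _, _, _, flags = struct.unpack("!HHIIBB", body[:14])
        return {"proto": "tcp", "sport": sport, "dport": dport, "flags": flags}
    if proto == IPPROTO_ICMP:
        itype, code = struct.unpack("!BB", body[:2])
        info = {"proto": "icmp", "type": itype, "code": code}
        if itype == ICMP_DEST_UNREACH:
            # RFC 792: an ICMP error quotes the offending IP header plus the
            # first 8 bytes of its payload, enough to recover the TCP ports.
            inner = body[8:]
            inner_ihl = (inner[0] & 0x0F) * 4
            info["quoted_proto"] = inner[9]
            if inner[9] == IPPROTO_TCP:
                info["quoted_dport"] = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
        return info
    return {"proto": proto}


def classify_probe(reply):
    """What a SYN scan concludes from the reply (or lack of one) to its SYN."""
    if reply is None:
        return "filtered"  # the 'stealth' verdict: nothing came back, nothing determined
    if reply["proto"] == "tcp":
        if reply["flags"] & TCP_SYN and reply["flags"] & TCP_ACK:
            return "open"
        if reply["flags"] & TCP_RST:
            return "closed"
    if reply["proto"] == "icmp" and reply["type"] == ICMP_DEST_UNREACH:
        return "unreachable (icmp type 3 code %d)" % reply["code"]
    return "unknown"


if __name__ == "__main__":
    syn = build_ipv4(IPPROTO_TCP, build_tcp(40000, 80, TCP_SYN))
    synack = build_ipv4(IPPROTO_TCP, build_tcp(80, 40000, TCP_SYN | TCP_ACK))
    rst = build_ipv4(IPPROTO_TCP, build_tcp(80, 40000, TCP_RST | TCP_ACK))
    ping = build_ipv4(IPPROTO_ICMP, build_icmp(ICMP_ECHO_REQUEST, 0, b"hello"))
    # A filtering router answering the SYN with "communication administratively
    # prohibited" (type 3, code 13), quoting the SYN's header as RFC 792 requires.
    unreach = build_ipv4(IPPROTO_ICMP, build_icmp(ICMP_DEST_UNREACH, 13, syn[:28]))
    for name, pkt in [("syn-ack", synack), ("rst", rst), ("no reply", None),
                      ("icmp unreachable", unreach)]:
        print("%-18s -> %s" % (name, classify_probe(parse(pkt) if pkt else None)))
    print("ping packet      ->", parse(ping))
```

A firewall that silently drops the SYN produces the "no reply" row (reported as stealth/filtered); one that rejects it with an ICMP unreachable produces the last row, and the scanner can tie that ICMP message back to port 80 only because of the quoted header. The echo request is decoded as an ICMP message with no port numbers at all, which is why "stealthing" a port and filtering ping are unrelated decisions.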


