Re: Ok to let all ICMP traffic through firewall?
jameshanley39_at_yahoo.co.uk
Date: 09/23/05
- Next message: Mark: "Re: Ok to let all ICMP traffic through firewall?"
- Previous message: jameshanley39_at_yahoo.co.uk: "Re: Ok to let all ICMP traffic through firewall?"
- In reply to:(deleted message) Leythos: "Re: Ok to let all ICMP traffic through firewall?"
- Next in thread: Mark: "Re: Ok to let all ICMP traffic through firewall?"
- Reply: Mark: "Re: Ok to let all ICMP traffic through firewall?"
- Reply: Art: "Re: Ok to let all ICMP traffic through firewall?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 22 Sep 2005 18:34:30 -0700
Leythos wrote:
> In article <176uZD2KcidF-pn2-yKJP7XquDBiB@rikki.tavi.co.uk>, rde42
> @spamcop.net says...
> > On Thu, 22 Sep 2005 23:13:55 UTC, Leythos <void@nowhere.lan> wrote:
> >
> > > > In practice, you need to let a few ICMP messages through, then. For
> > > > example, source quench and destination unreachable.
> > >
> > > Wrong, you don't NEED to allow anything. You may FEEL that you do, but
> > > we've got almost 100 networks that don't allow ICMP or anything else
> > > inbound and they work just fine, and we'll not change them.
> >
> > You're wrong. But that's fine. You just carry on.
>
> Then, when we're running along for the last few years, blocking all ICMP
> inbound and at the firewall, what are we denying ourselves?
>
> It seems that our networks work, that we can VPN into the office just
> fine, etc...
>
> It seems that all of our dedicated IPSec tunnels to partners work fine,
> it seems that our systems with web servers, OWA services, etc.. all work
> just fine.....
>
> --
and they'd still work fine if you allowed ICMPs. If allowing ICMPs were dangerous then alarms would've been sent off long ago. ICMP has been around for ages, there are no new developments to the ICMP protocol. People that know all about how it works also know of no alarms saying it can be attacked. People that know ICMP presumably allow it because they know it's as dangerous as moving an icon slightly (which might be very scary for a middle-aged woman). (Though against me, perhaps an OS may rewrite the part that responds to ICMP and there might be an exploit in their code, but similarly there may be an exploit in their code that is rejecting ICMP.)
As that article argued, besides breaking RFCs and breaking the protocols, besides all those arguments in the article and the technical problems with not responding to ICMP (just because your setup doesn't include situations where you'll run into the problems, does not mean the problems do not exist).
Suppose you want to know if a computer is online. A safe way is to ping it. You don't want to set up a service running on the computer and connect to it. Ping tests that other comps can communicate with the comp. It's a necessary diagnostic test. What's the alternative? User makes an outgoing connection? Suppose he can't for some reason. You want to know if he is online. Ping is a very convenient diagnostic tool.
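An added illustration of the allow-list middle ground between the two positions in this thread (constructed example code, not from any poster): parse an ICMPv4 header, verify its checksum, and accept only the message types a host actually needs, i.e. destination unreachable (whose fragmentation-needed code path MTU discovery depends on), time exceeded and echo reply, plus rate-limited echo requests so ping still works as a diagnostic. Source quench, which the thread names, is dropped because RFC 6633 deprecated it; the echo budget and the absence of a time window are assumptions of this example.

```python
import struct

# ICMPv4 type numbers from RFC 792 that the thread discusses
ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 4, 8, 11


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(packet: bytes):
    """Return (type, code), or None if the header is short or the checksum is bad."""
    if len(packet) < 8:                      # every ICMP message has an 8-byte header
        return None
    if icmp_checksum(packet) != 0:           # a valid message checksums to zero
        return None
    icmp_type, code = struct.unpack("!BB", packet[:2])
    return icmp_type, code


class IcmpPolicy:
    """Allow-list for inbound ICMP: neither 'drop all' nor 'allow all'."""

    def __init__(self, echo_budget: int = 5):
        self.echo_budget = echo_budget       # assumption: echo requests allowed before limiting
        self.echo_seen = 0

    def decide(self, packet: bytes) -> str:
        parsed = parse_icmp(packet)
        if parsed is None:
            return "drop:malformed"
        icmp_type, _code = parsed
        if icmp_type in (DEST_UNREACH, TIME_EXCEEDED, ECHO_REPLY):
            return "accept"                  # error reports and replies to our own pings
        if icmp_type == ECHO_REQUEST:
            self.echo_seen += 1
            return "accept" if self.echo_seen <= self.echo_budget else "drop:ratelimit"
        return "drop:policy"                 # source quench (deprecated) and everything else


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4) -> bytes:
    """Constructed sample ICMP message with a correct checksum (test input only)."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(header)) + rest
```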