Re: Ok to let all ICMP traffic through firewall?
From: Imhotep (Imhotep_at_nospam.net)
Date: 09/23/05
- Next message: Imhotep: "Re: Ok to let all ICMP traffic through firewall?"
- Previous message: Mark: "Re: Ok to let all ICMP traffic through firewall?"
- In reply to:(deleted message) Leythos: "Re: Ok to let all ICMP traffic through firewall?"
- Next in thread: Mike Scott: "Re: Ok to let all ICMP traffic through firewall?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 22 Sep 2005 23:23:16 -0400
Leythos wrote:
> In article <433331d9$0$32652$da0feed9@news.zen.co.uk>,
> abuse@dopiaza.cabal.org.uk says...
>> Franklin <no_thanks@mail.com> wrote:
>> > My question is Should a firewall let all ICMP traffic through
>> > because there is no real risk if they do?
>>
>> No, because some ICMP messages aren't useful. However blocking all
>> ICMP is throwing the baby out with the bathwater and will cause more
>> bother than not blocking anything.
>>
>> I would suggest allowing ICMP Echo and Echo Reply (so ping works),
>> Destination Unreachable (which includes "fragmentation required",
>> essential for PMTUD to work) and Time Exceeded (so traceroute works.)
>> Everything else looks to be fair game to drop.
>>
>> While I'm suggesting firewall rules, can people also not silently drop
>> SYNs to port 113 please? All sorts of servers try RFC1413 lookups and
>> stall while waiting for a response. The firewall user is usually the
>> first to complain that it's taking ages to connect to a certain remote
>> server.
>
> There is NO BOTHER - you set the rules and then let them work. You don't
> need to allow PING, in fact why the heck would you want to allow PING,
> it's not like it's a valid test that your network is alive - we've got
> tons of commercial networks that block PING and none of the users even
> notice.
>
> Allowing anything inbound, even to the firewall, that doesn't
> specifically need to be let in is a bad move.
>
> Allowing in minimal traffic that "might" not be a threat is like
> trusting Windows Firewall with File/Printer sharing enabled on a
> computer directly connected to the Internet with all of your financial
> data stored on it in a text file that is named "ALL MY FINANCIAL
> DATA.TXT" sitting in the root.
>
LOL...
Imhotep
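The allow-list proposed earlier in this thread (Echo and Echo Reply, Destination Unreachable including "fragmentation needed", Time Exceeded, everything else dropped, and a reset rather than a silent drop for ident on port 113) written out as an nftables ruleset for a Linux host. This is an added example, not code from anyone in the thread; it assumes a modern Linux host with nftables, and the IPv6 lines go beyond what the 2005 discussion covered.

```shell
#!/bin/sh
# Added example (not from the thread): the ICMP policy suggested above as an
# nftables input ruleset. Apply with: gen_icmp_ruleset | nft -f -   (needs root)

gen_icmp_ruleset() {
cat <<'EOF'
flush ruleset
table inet filter {
    chain input {
        # default deny: nothing inbound unless a rule below names it
        type filter hook input priority 0; policy drop;

        # replies to our own connections, loopback, and junk conntrack cannot place
        ct state established,related accept
        iif "lo" accept
        ct state invalid drop

        # the four ICMP types the thread says to keep: echo-request/echo-reply
        # (ping), destination-unreachable (code 4 "fragmentation needed" is what
        # PMTUD relies on) and time-exceeded (traceroute); every other type is
        # dropped by the chain policy
        icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded } accept

        # IPv6 counterpart (beyond the original thread): packet-too-big is the
        # PMTUD message here, and neighbour discovery must pass or the host
        # loses its link-layer neighbours entirely
        icmpv6 type { echo-request, echo-reply, destination-unreachable, time-exceeded,
                      packet-too-big, nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert } accept

        # ident (RFC 1413): answer with a TCP reset instead of a silent drop so a
        # remote server doing an ident lookup fails fast instead of stalling
        tcp dport 113 reject with tcp reset

        # services this host actually offers are listed explicitly, e.g.:
        # tcp dport 22 accept
    }
}
EOF
}
```

`nft -c -f -` on the generated text checks the syntax without loading it, which is a useful first step before applying it on a remote host you reach over SSH.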