Re: Ok to let all ICMP traffic through firewall?
From: Imhotep (Imhotep_at_nospam.net)
Date: 09/23/05
- Next message: Peter Boosten: "Re: Ok to let all ICMP traffic through firewall?"
- Previous message: Imhotep: "Re: Ok to let all ICMP traffic through firewall?"
- In reply to: (deleted message) Leythos: "Re: Ok to let all ICMP traffic through firewall?"
- Next in thread: Dimitri Maziuk: "Re: Ok to let all ICMP traffic through firewall?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 23 Sep 2005 01:15:07 -0400
Leythos wrote:
> In article <176uZD2KcidF-pn2-yKJP7XquDBiB@rikki.tavi.co.uk>, rde42@spamcop.net says...
>> On Thu, 22 Sep 2005 23:13:55 UTC, Leythos <void@nowhere.lan> wrote:
>>
>> > > In practice, you need to let a few ICMP messages through, then. For
>> > > example, source quench and destination unreachable.
>> >
>> > Wrong, you don't NEED to allow anything. You may FEEL that you do, but
>> > we've got almost 100 networks that don't allow ICMP or anything else
>> > inbound and they work just fine, and we'll not change them.
>>
>> You're wrong. But that's fine. You just carry on.
>
> Then, when we're running along for the last few years, blocking all ICMP
> inbound and at the firewall, what are we denying ourselves?
>
> It seems that our networks work, that we can VPN into the office just
> fine, etc...
>
> It seems that all of our dedicated IPSec tunnels to partners work fine,
> it seems that our systems with web servers, OWA services, etc.. all work
> just fine.....
>
Honestly, you CAN block all ICMP types; however, it is not optimal. Some
ICMP messages are in fact needed for normal TCP/UDP/IP operation (well, efficient
operation anyway), i.e. without flow control it will appear that things are
"hanging", equating to those nasty users saying "the network is slow", when
in fact the host has not been informed to slow itself down and as such will
keep on sending packets (which are only being dropped and retransmitted
all over again).
Summary: In my opinion, allow a few ICMP types (source quench and the misc.
unreachables) and deny everything else (incoming).
Just my opinion though,
Imhotep
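The policy Imhotep describes, as an added worked example that is not part of the original post or of any product it mentions: a stateless inbound ICMP filter that accepts Destination Unreachable (type 3, every code, which covers the "misc. unreachables" including Fragmentation Needed) and Source Quench (type 4), and drops every other inbound ICMP type. The packets, addresses and the check of the ICMP checksum are constructed for the example; the decoder only needs the IPv4 protocol field and the first ICMP bytes. One caveat for anyone applying this today: Source Quench was formally deprecated by RFC 6633 in 2012 and current stacks ignore it, so the type-4 rule is kept here only because it is what the 2005 post proposes.

```python
"""
Stateless inbound ICMP policy modelled on the post above:
  ACCEPT  ICMP type 3 (Destination Unreachable, all codes)
  ACCEPT  ICMP type 4 (Source Quench)
  DROP    every other inbound ICMP type, and any ICMP with a bad checksum
Equivalent iptables rules (for reference, not executed here):
  iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
  iptables -A INPUT -p icmp -j DROP
"""
import struct
from typing import NamedTuple, Optional

ICMP_DEST_UNREACHABLE = 3
ICMP_SOURCE_QUENCH = 4
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
IPPROTO_ICMP = 1

# The "allow a few, deny the rest" list from the post.
ALLOWED_INBOUND_ICMP_TYPES = {ICMP_DEST_UNREACHABLE, ICMP_SOURCE_QUENCH}


class Icmp(NamedTuple):
    icmp_type: int
    code: int
    checksum_ok: bool


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 over a correctly checksummed message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(packet: bytes) -> Optional[Icmp]:
    """Return the ICMP header of an IPv4 packet, or None if it is not an ICMP packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl or packet[9] != IPPROTO_ICMP:
        return None
    icmp = packet[ihl:]
    if len(icmp) < 8:  # every ICMP message carries at least an 8-byte header
        return Icmp(-1, -1, False)  # truncated: treated as malformed ICMP
    return Icmp(icmp[0], icmp[1], internet_checksum(icmp) == 0)


def decide(packet: bytes) -> str:
    """Verdict for one inbound packet: ACCEPT, DROP, or OTHER (not ICMP; other rules apply)."""
    icmp = parse_icmp(packet)
    if icmp is None:
        return "OTHER"
    if not icmp.checksum_ok:
        return "DROP"  # never let a malformed control message act on the stack
    return "ACCEPT" if icmp.icmp_type in ALLOWED_INBOUND_ICMP_TYPES else "DROP"


def build_icmp_packet(icmp_type: int, code: int, payload: bytes = b"\x00" * 28,
                      corrupt_checksum: bool = False) -> bytes:
    """Constructed IPv4+ICMP test packet (example addresses from RFC 5737 ranges)."""
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + payload
    csum = internet_checksum(body) ^ (1 if corrupt_checksum else 0)
    icmp = struct.pack("!BBHI", icmp_type, code, csum, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     IPPROTO_ICMP, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + icmp  # IP header checksum left zero; this filter does not check it


if __name__ == "__main__":
    samples = {
        "port unreachable (3/3)": build_icmp_packet(ICMP_DEST_UNREACHABLE, 3),
        "fragmentation needed (3/4)": build_icmp_packet(ICMP_DEST_UNREACHABLE, 4),
        "source quench (4/0)": build_icmp_packet(ICMP_SOURCE_QUENCH, 0),
        "echo request / ping (8/0)": build_icmp_packet(ICMP_ECHO_REQUEST, 0),
        "time exceeded (11/0)": build_icmp_packet(ICMP_TIME_EXCEEDED, 0),
        "unreachable, bad checksum": build_icmp_packet(ICMP_DEST_UNREACHABLE, 1, corrupt_checksum=True),
    }
    for name, pkt in samples.items():
        print(f"{name:30s} -> {decide(pkt)}")
```

Run it and the first three samples are accepted while the ping, the Time Exceeded and the corrupted Destination Unreachable are dropped, which is exactly the split the post argues for: the messages a sending host needs in order to back off or give up get through, everything else stays outside.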