Re: Ok to let all ICMP traffic through firewall?

jameshanley39_at_yahoo.co.uk
Date: 09/23/05


Date: 23 Sep 2005 10:06:55 -0700


Leythos wrote:
> In article <1127439270.085843.66150@z14g2000cwz.googlegroups.com>,
> jameshanley39@yahoo.co.uk says...
> > Leythos wrote:
> > > In article <176uZD2KcidF-pn2-yKJP7XquDBiB@rikki.tavi.co.uk>, rde42
> > > @spamcop.net says...
> > > > On Thu, 22 Sep 2005 23:13:55 UTC, Leythos <void@nowhere.lan> wrote:
> > > >
> > > > > > In practice, you need to let a few ICMP messages through, then. For
> > > > > > example, source quench and destination unreachable.
> > > > >
> > > > > Wrong, you don't NEED to allow anything. You may FEEL that you do, but
> > > > > we've got almost 100 networks that don't allow ICMP or anything else
> > > > > inbound and they work just fine, and we'll not change them.
> > > >
> > > > You're wrong. But that's fine. You just carry on.
> > >
> > > Then, when we're running along for the last few years, blocking all ICMP
> > > inbound and at the firewall, what are we denying ourselves?
> > >
> > > It seems that our networks work, that we can VPN into the office just
> > > fine, etc...
> > >
> > > It seems that all of our dedicated IPSec tunnels to partners work fine,
> > > it seems that our systems with web servers, OWA services, etc.. all work
> > > just fine.....
> > >
> > > --
> >
> > and they'd still work fine if you allowed ICMPs. If allowing ICMPs
> > were dangerous then alarms would've been sent off long ago. ICMP has
> > been around for ages, there are no new developments to the ICMP
> > protocol. People that know all about how it works also know of no
> > alarms saying it can be attacked.
> [snip]
>
> So, you're saying that it doesn't break any functionality that we use to
> block it, so we should allow it because the designers of it are almost
> positive that there is no exploit for it, but, since it's not going to
> hurt anything that even though I don't need it, I should allow it, even
> though I don't need it......
>
> If I don't need it I don't allow it - it's a very simple matter of
> security - never expose anything that you don't need to expose.
>
> --

and - as you said - if you did want ICMP responses, you could restrict
ICMP responses to hosts of your choosing.

but what if an ISP or non-ISP telephone computer tech is diagnosing a
non-technical home user? The user doesn't have the ability to block
ICMP on only certain hosts. The home user isn't running any services
either (may be behind a NAT device). Ping is ideal in this instance.
What other option is there to see that he is online, as a first step
in diagnosing the problem?



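Added example, not part of the original thread or anyone's posted config: the "restrict ICMP responses to hosts of your choosing" idea written out as a small stateless ICMP ingress filter in Python. It parses a raw IPv4+ICMP datagram, accepts echo-request only from a trusted support range, accepts destination-unreachable and time-exceeded only when the quoted inner header names one of our own addresses as the original sender (roughly what a stateful firewall's RELATED match does), and drops everything else. The addresses are RFC 5737 documentation ranges constructed for the example; the trusted range standing in for an ISP help desk and the "our addresses" set are assumptions.

```python
"""Toy ICMP ingress filter (added example, not from the thread).

Policy:
  - echo-request (type 8): accept only from TRUSTED_PINGERS
  - dest-unreachable (3) / time-exceeded (11): accept only if the quoted
    original packet was sent by one of OUR_ADDRESSES
  - anything else (redirect, source quench, timestamp, ...): drop
"""
import ipaddress
import struct

ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11

# Constructed for this example (RFC 5737 documentation ranges), not real hosts.
OUR_ADDRESSES = {ipaddress.ip_address("192.0.2.10")}          # assumption: the firewall's public address
TRUSTED_PINGERS = [ipaddress.ip_network("203.0.113.0/24")]    # assumption: the help desk's range


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_icmp(src: str, dst: str, icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 datagram carrying one ICMP message (constructed test input)."""
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + icmp


def parse_ipv4_icmp(packet: bytes):
    """Return (src, dst, icmp_type, code, icmp_payload), or None if the packet is not ICMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:                      # protocol number 1 = ICMP
        return None
    if len(packet) < ihl + 8:
        raise ValueError("truncated ICMP header")
    if checksum(packet[ihl:]) != 0:         # valid message sums to zero with its checksum field
        raise ValueError("bad ICMP checksum")
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    return src, dst, packet[ihl], packet[ihl + 1], packet[ihl + 8:]


def quoted_original_src(icmp_payload: bytes):
    """ICMP error messages quote the offending IP header; return its source address."""
    if len(icmp_payload) < 20:
        return None
    return ipaddress.ip_address(icmp_payload[12:16])


def verdict(packet: bytes) -> str:
    """Apply the ingress policy to one raw datagram: ACCEPT, DROP, or NOT_ICMP."""
    parsed = parse_ipv4_icmp(packet)
    if parsed is None:
        return "NOT_ICMP"
    src, _dst, itype, _code, payload = parsed
    if itype in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        # Only errors about traffic we originated; unrelated errors are dropped.
        return "ACCEPT" if quoted_original_src(payload) in OUR_ADDRESSES else "DROP"
    if itype == ICMP_ECHO_REQUEST:
        return "ACCEPT" if any(src in net for net in TRUSTED_PINGERS) else "DROP"
    return "DROP"


if __name__ == "__main__":
    quoted = build_ipv4_icmp("192.0.2.10", "198.51.100.50", ICMP_ECHO_REQUEST, 0)[:28]
    samples = {
        "frag-needed about our traffic": build_ipv4_icmp("198.51.100.1", "192.0.2.10", 3, 4, quoted),
        "ping from help desk":           build_ipv4_icmp("203.0.113.5", "192.0.2.10", 8, 0, b"ping"),
        "ping from elsewhere":           build_ipv4_icmp("198.51.100.7", "192.0.2.10", 8, 0, b"ping"),
        "redirect":                      build_ipv4_icmp("198.51.100.7", "192.0.2.10", 5, 1),
    }
    for name, pkt in samples.items():
        print(f"{name:32s} -> {verdict(pkt)}")
```

The trade-off the thread is arguing over shows up directly in `TRUSTED_PINGERS`: an empty list is the "block all ICMP inbound" stance, a single /24 is the "let the help desk ping me" stance, and neither affects the error-message branch, which is what keeps path-MTU discovery and traceroute working. A real firewall replaces `quoted_original_src` with its connection table, so it also matches on the quoted destination, protocol and ports rather than the source address alone.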