Re: Ok to let all ICMP traffic through firewall?

From: Walter Roberson (roberson_at_ibd.nrc-cnrc.gc.ca)
Date: 09/26/05


Date: Mon, 26 Sep 2005 00:43:08 +0000 (UTC)

In article <dh77ma$odf$1@lucy.duncodin.org>,
Mike Civil <mike@duncodin.org> wrote:
:What the hell are you talking about, or are you being deliberately
:obtuse? At some time in the future your company may be in a position
:where data isn't getting through because of a problem in the intervening
:path, and the only way an intermediate device can advise you of the
:reason is by sending ICMP. Which it sounds like you are filtering out.

If the routing infrastructure he is using enters a routing loop, then

a) there is a substantial chance that the ICMP TTL Exceeded won't
get back either; and

b) the NOC for the infrastructure is likely going to find out and act on it
faster than he would get a page saying "TTL exceeded" and log in
and track down the cause and call the NOC.

If the routing infrastructure does not enter a routing loop, but loses
the route, then if he has multiple routes then his routing protocol
is going to notice the problem and adjust automatically. There are no
routing protocols that I can think of that use icmp to determine whether
the routing is working or not.

If the route is lost and he has only a single route, then his monitoring
software is going to stop hearing back from the other side, and he
will get an appropriate notification and will investigate. That
investigation might be helped by the availability of icmp; if so
then he can turn reception of icmp on at the time.

-- 
   When Love is gone, there's always Justice.
   When Justice is gone, there's always Force.
   When Force is gone, there's always Mom.     -- Laurie Anderson
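The practical middle ground between the quoted complaint and this reply is neither "all ICMP" nor "no ICMP" but a stateful allow-list: admit echo replies for your own monitoring probes, and admit Destination Unreachable and TTL Exceeded only when the datagram they quote belongs to a flow your side originated. The following is an added example, not code from the thread; it parses the ICMPv4 header, verifies the checksum, extracts the quoted inner datagram and applies that policy, with the addresses, ports and flow table all constructed for illustration.

```python
import struct
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 over a packet whose checksum field is correct."""
    data += b"\x00" * (len(data) % 2)  # pad odd-length data to a whole 16-bit word
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, payload: bytes) -> bytes:
    """Constructed test message: 8-byte ICMP header with a valid checksum, then the payload."""
    hdr = struct.pack("!BBHI", icmp_type, code, 0, 0)
    return struct.pack("!BBHI", icmp_type, code, icmp_checksum(hdr + payload), 0) + payload

def sample_inner(src: str, sport: int, dst: str, dport: int) -> bytes:
    """Constructed IPv4 header plus the first 8 TCP bytes, as a router quotes them in an error."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 1, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!HHI", sport, dport, 0)

def inner_flow(pkt: bytes) -> tuple:
    """(src, sport, dst, dport) of the datagram quoted after the ICMP header of an error message."""
    inner = pkt[8:]
    ihl = (inner[0] & 0x0F) * 4 if inner else 0
    if ihl < 20 or len(inner) < ihl + 8:  # need the whole IP header plus 8 transport bytes
        raise ValueError("truncated or malformed inner datagram")
    src, dst = ".".join(map(str, inner[12:16])), ".".join(map(str, inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return (src, sport, dst, dport)

def decide(pkt: bytes, active_flows: set) -> str:
    """Allow-list verdict: echo replies (monitoring) and errors only for flows this site originated."""
    if len(pkt) < 8 or icmp_checksum(pkt) != 0:
        return "drop: malformed header or bad checksum"
    icmp_type = pkt[0]
    if icmp_type == ECHO_REPLY:
        return "accept: reply to our own probe"
    if icmp_type not in (DEST_UNREACH, TIME_EXCEEDED):
        return "drop: type %d not on allow-list" % icmp_type
    try:
        related = inner_flow(pkt) in active_flows
    except ValueError as exc:
        return "drop: %s" % exc
    return "accept: error for active flow" if related else "drop: error for unknown flow"

# Constructed sample: one outbound HTTPS session, a TTL Exceeded quoting it, and one quoting another flow.
FLOWS = {("192.0.2.10", 40000, "198.51.100.7", 443)}
RELATED = build_icmp(TIME_EXCEEDED, 0, sample_inner("192.0.2.10", 40000, "198.51.100.7", 443))
UNRELATED = build_icmp(TIME_EXCEEDED, 0, sample_inner("192.0.2.10", 40000, "203.0.113.9", 80))
```

A real firewall keeps the flow table from its connection tracker; here it is a static set so the classifier can be exercised offline.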
