Re: Ok to let all ICMP traffic through firewall?

From: E. (bellyup_at_the.bar)
Date: 09/29/05


Date: Fri, 30 Sep 2005 06:47:16 +1000

Mike Civil wrote:

> In article <MPG.1da0ce0767ee57f198a124@news-server.columbus.rr.com>,
> Leythos <void@nowhere.lan> wrote:
>
>>Errors are not fixed by ICMP and are not going to cause a failure in
>>communications. You can still get the data.
>
> What the hell are you talking about, or are you being deliberately
> obtuse? At some time in the future your company may be in a position
> where data isn't getting through because of a problem in the intervening
> path, and the only way an intermediate device can advise you of the
> reason is by sending ICMP. Which it sounds like you are filtering out.
>
> Mike

A problem with an upstream route or router is in what is called an SEP
field: Someone Else's Problem. There is no way you could do anything
yourself to fix it as you don't have access. I have been in exactly the
situation you describe (random routing dropouts in a VPN path) and the
SEP rule applied. The solution was to contact the ISP that owned the box
(the E in SEP) and have them fix it.

The cause in this instance was a box on the border of 2 network types
(ADSL and VDSL) stopping routing properly between the 2 networks
whenever a techo from the VDSL backbone provider logged in to it.

The diagnosis for this obviously required echo replies back in. Also
having traceroute data for the path most traffic would take under normal
circumstances recorded to enable future diags. I basically rang the ISP
involved and said traffic from A to B is failing between boxes X and Y.

My understanding of Leythos' statements is that ICMP is allowed between
those he trusts, outbound is allowed, but unsolicited inbound from every
other sod on the planet is dropped. Which seems normal to me.

Interestingly enough, after the Welchia-type worms came out, most, if
not all, ISPs blocked pings going into and out of their network ranges
in this country. Tracert is also badly affected, which makes
diagnostics a nightmare at times.
E.
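The stance E. attributes to Leythos (pings accepted from trusted peers, everything outbound allowed, unsolicited inbound dropped), combined with Mike's point that a router's error about your own traffic still has to reach you, written up as a small model of what a stateful firewall's connection tracking does. This is an added example, not code from any poster in the thread; the addresses and the trusted range are constructed from documentation prefixes.

```python
"""Model of a stateful ICMP policy: outbound allowed, echo replies and
ICMP errors that relate to our own traffic allowed back in, echo requests
from trusted peers allowed, anything else unsolicited dropped.
Illustration only, not a packet filter; addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

TRUSTED = [ip_network("192.0.2.0/24")]   # assumed: peers whose pings we answer
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
ERROR_TYPES = {DEST_UNREACH, TIME_EXCEEDED}   # what path diagnosis relies on


@dataclass(frozen=True)
class Flow:
    proto: str   # "icmp", "tcp" or "udp"
    src: str
    dst: str
    ident: int   # ICMP identifier, or the remote-side port for tcp/udp


@dataclass
class Pkt:
    direction: str                 # "in" or "out" relative to our firewall
    flow: Flow                     # outer header, summarised
    icmp_type: Optional[int] = None
    inner: Optional[Flow] = None   # header quoted inside an ICMP error


class IcmpPolicy:
    def __init__(self) -> None:
        self.flows = set()   # Flow tuples we have sent out (conntrack stand-in)

    def decide(self, p: Pkt) -> str:
        f = p.flow
        if p.direction == "out":
            self.flows.add(f)           # remember it so answers can match
            return "accept"
        if f.proto != "icmp":           # return traffic of a connection we opened?
            return "accept" if Flow(f.proto, f.dst, f.src, f.ident) in self.flows else "drop"
        if p.icmp_type == ECHO_REPLY:   # reply to our own ping: reversed tuple
            return "accept" if Flow("icmp", f.dst, f.src, f.ident) in self.flows else "drop"
        if p.icmp_type in ERROR_TYPES:  # router error quoting a flow we originated
            return "accept" if p.inner in self.flows else "drop"
        if p.icmp_type == ECHO_REQUEST: # pings only from the trusted ranges
            return "accept" if any(ip_address(f.src) in n for n in TRUSTED) else "drop"
        return "drop"                   # everything else is unsolicited
```

A time-exceeded from an intermediate router is accepted only because the header it quotes matches a flow we sent; the same message about someone else's traffic is dropped.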


