[65624] in North American Network Operators' Group


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

Firewall stateful handling of ICMP packets

daemon@ATHENA.MIT.EDU (Sean Donelan)
Wed Dec 3 17:13:35 2003

Date: Wed, 3 Dec 2003 17:12:58 -0500 (EST)
From: Sean Donelan <sean@donelan.com>
To: nanog@merit.edu
In-Reply-To: <BBF35FA8.39AE%dsinn@dsinn.com>
Errors-To: owner-nanog-outgoing@merit.edu

You could drop ICMP packets at your firewall if the firewalls properly
implemented stateful inspection of ICMP packets.  The problem is few
firewalls include ICMP responses in their statefull analysis.  So you are
left with two bad choices, permit "all" ICMP packets or deny "all" ICMP
packets.


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[65624] in North American Network Operators' Group

Firewall stateful handling of ICMP packets

daemon@ATHENA.MIT.EDU (Sean Donelan)Wed Dec 3 17:13:35 2003

daemon@ATHENA.MIT.EDU (Sean Donelan)
Wed Dec 3 17:13:35 2003