[65628] in North American Network Operators' Group
Re: Firewall stateful handling of ICMP packets
daemon@ATHENA.MIT.EDU (Owen DeLong)
Wed Dec 3 18:58:54 2003
Date: Wed, 03 Dec 2003 15:57:37 -0800
From: Owen DeLong <owen@delong.com>
To: Sean Donelan <sean@donelan.com>, nanog@merit.edu
In-Reply-To: <Pine.GSO.4.44.0312031710570.2919-100000@clifden.donelan.com>
Errors-To: owner-nanog-outgoing@merit.edu
Actually, any halfway decent firewall allows you to permit certain ICMP
type codes while rejecting others. Not a perfect solution, but, for the
most part, there aren't a lot of fragmentation-needed exploits running
around. (In fact, I'm hard pressed to imagine how a Frag needed packet
for an invalid session could do much of anything).
Owen
--On Wednesday, December 3, 2003 5:12 PM -0500 Sean Donelan
<sean@donelan.com> wrote:
>
> You could drop ICMP packets at your firewall if the firewalls properly
> implemented stateful inspection of ICMP packets. The problem is few
> firewalls include ICMP responses in their stateful analysis. So you are
> left with two bad choices, permit "all" ICMP packets or deny "all" ICMP
> packets.
>
-- 
If it wasn't crypto-signed, it probably didn't come from me.
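The two positions in the thread (Sean: few firewalls track ICMP statefully, so it is all-or-nothing; Owen: filter by type and code, and a frag-needed message for a session that does not exist is harmless anyway) can both be made concrete with a small model of what stateful ICMP inspection actually has to do. The following is an added illustration written for this archive page, not code from either poster or from any firewall product. It assumes a toy flow table, constructed packets with hand-built IPv4 headers (checksums left at zero), and RFC 1918 / documentation addresses chosen for the example. The filter admits an echo reply only if it matches an outbound echo request, and admits a destination-unreachable (including code 4, fragmentation needed) or time-exceeded message only if the IP header and transport ports it quotes belong to a flow the inside host initiated; everything else, including unsolicited echo requests and a frag-needed message quoting an unknown session, is dropped.

```python
"""Toy stateful ICMP filter (added illustration, not a real firewall)."""
import ipaddress
import struct

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO, ICMP_TIME_EXCEEDED = 0, 3, 8, 11
CODE_FRAG_NEEDED = 4
IPPROTO_ICMP, IPPROTO_TCP = 1, 6


def ipv4(src, dst, proto, payload, ident=1):
    """Minimal 20-byte IPv4 header (no options, checksum left at zero) + payload."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, ident, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def tcp_quote(sport, dport, seq=0):
    """First 8 bytes of a TCP header: the part an ICMP error quotes back."""
    return struct.pack("!HHI", sport, dport, seq)


def icmp(type_, code, rest, payload=b""):
    """ICMP header: type, code, checksum (zero here), 4 bytes of 'rest of header'."""
    return struct.pack("!BBHI", type_, code, 0, rest) + payload


class StatefulIcmpFilter:
    """Admit only ICMP packets that relate to a session the inside host started."""

    def __init__(self):
        self.tcp_flows = set()   # (src, sport, dst, dport) seen outbound
        self.echo_ids = set()    # (dst, id, seq) of outbound echo requests

    def note_outbound(self, pkt):
        proto = pkt[9]
        src = str(ipaddress.IPv4Address(pkt[12:16]))
        dst = str(ipaddress.IPv4Address(pkt[16:20]))
        body = pkt[20:]
        if proto == IPPROTO_TCP:
            sport, dport = struct.unpack("!HH", body[:4])
            self.tcp_flows.add((src, sport, dst, dport))
        elif proto == IPPROTO_ICMP and body[0] == ICMP_ECHO:
            ident, seq = struct.unpack("!HH", body[4:8])
            self.echo_ids.add((dst, ident, seq))

    def inbound_allowed(self, pkt):
        if pkt[9] != IPPROTO_ICMP:
            return False
        src = str(ipaddress.IPv4Address(pkt[12:16]))
        body = pkt[20:]
        itype = body[0]
        if itype == ICMP_ECHO_REPLY:
            ident, seq = struct.unpack("!HH", body[4:8])
            return (src, ident, seq) in self.echo_ids
        if itype in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
            # The error may come from any router on the path; what ties it to
            # a session is the original datagram quoted after the 8-byte header.
            return self._quoted_flow_known(body[8:])
        return False  # echo requests, redirects, etc.: not admitted inbound

    def _quoted_flow_known(self, quoted):
        if len(quoted) < 28:                      # IP header + 8 bytes of L4
            return False
        ihl = (quoted[0] & 0x0F) * 4
        if quoted[9] != IPPROTO_TCP or len(quoted) < ihl + 8:
            return False
        src = str(ipaddress.IPv4Address(quoted[12:16]))
        dst = str(ipaddress.IPv4Address(quoted[16:20]))
        sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
        return (src, sport, dst, dport) in self.tcp_flows


def demo():
    """Constructed traffic: returns the filter's verdict for five inbound packets."""
    fw = StatefulIcmpFilter()
    inside, server, router, attacker = "10.0.0.5", "203.0.113.10", "198.51.100.1", "192.0.2.99"
    syn = ipv4(inside, server, IPPROTO_TCP,
               tcp_quote(40000, 443) + b"\x50\x02\xff\xff\x00\x00\x00\x00")
    fw.note_outbound(syn)
    fw.note_outbound(ipv4(inside, server, IPPROTO_ICMP, icmp(ICMP_ECHO, 0, 0x002A0001)))
    # Frag-needed from a path router quoting the real flow (MTU 1400 in low 16 bits).
    good = ipv4(router, inside, IPPROTO_ICMP,
                icmp(ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, 1400, syn[:28]))
    # Same message type, but quoting a session that was never opened.
    bogus = ipv4(attacker, inside, IPPROTO_ICMP,
                 icmp(ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, 68,
                      ipv4(inside, server, IPPROTO_TCP, tcp_quote(40001, 443))))
    probe = ipv4(attacker, inside, IPPROTO_ICMP, icmp(ICMP_ECHO, 0, 0x00010001))
    reply = ipv4(server, inside, IPPROTO_ICMP, icmp(ICMP_ECHO_REPLY, 0, 0x002A0001))
    spoof = ipv4(attacker, inside, IPPROTO_ICMP, icmp(ICMP_ECHO_REPLY, 0, 0x002A0001))
    return tuple(fw.inbound_allowed(p) for p in (good, bogus, probe, reply, spoof))


if __name__ == "__main__":
    print(demo())
```

The point of the quoted-header lookup is exactly Owen's observation: a frag-needed message that does not match a live session is discarded rather than acted on, so permitting type 3 code 4 costs nothing once the firewall checks the embedded flow. A real implementation would also age entries out, handle UDP and IPv6 (ICMPv6 Packet Too Big), and verify checksums, none of which this model does.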