[65630] in North American Network Operators' Group
Re: Firewall stateful handling of ICMP packets
daemon@ATHENA.MIT.EDU (Henry Linneweh)
Wed Dec 3 19:25:50 2003
Date: Wed, 3 Dec 2003 16:25:14 -0800 (PST)
From: Henry Linneweh <hrlinneweh@sbcglobal.net>
To: Sean Donelan <sean@donelan.com>, nanog@merit.edu
In-Reply-To: <Pine.GSO.4.44.0312031710570.2919-100000@clifden.donelan.com>
Errors-To: owner-nanog-outgoing@merit.edu
There are expert modes where you can apply the
name source destination protocol time comments. rank state action track
for more stabilized dedicated connections
I am certain there are more depending on the vendor
-Henry
Sean Donelan <sean@donelan.com> wrote:
You could drop ICMP packets at your firewall if the firewalls properly
implemented stateful inspection of ICMP packets. The problem is few
firewalls include ICMP responses in their stateful analysis. So you are
left with two bad choices, permit "all" ICMP packets or deny "all" ICMP
packets.
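The stateful ICMP handling discussed in this thread, sketched as an added example that is not part of either poster's message or any vendor's implementation: an inbound ICMP error is accepted only when the packet it quotes matches a tracked outbound flow, and an echo reply only when it answers a tracked echo request. The class, function names and addresses are hypothetical, and ICMP checksums are assumed to be validated elsewhere.

```python
import socket
import struct

ICMP_ECHO_REPLY = 0
ICMP_ERRORS = {3, 11, 12}  # destination unreachable, time exceeded, parameter problem

class IcmpStateTable:
    """Hypothetical state table: outbound flows and echo requests seen leaving the firewall."""
    def __init__(self):
        self.flows = set()   # (proto, src, sport, dst, dport) of outbound TCP/UDP
        self.echoes = set()  # (src, dst, ident, seq) of outbound echo requests

    def track_flow(self, proto, src, sport, dst, dport):
        self.flows.add((proto, src, sport, dst, dport))

    def track_echo(self, src, dst, ident, seq):
        self.echoes.add((src, dst, ident, seq))

    def allow_inbound(self, outer_src, outer_dst, icmp):
        """True only if the inbound ICMP message answers traffic already in the table."""
        if len(icmp) < 8:
            return False
        icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
        if icmp_type == ICMP_ECHO_REPLY:
            key = (outer_dst, outer_src, ident, seq)
            if key not in self.echoes:
                return False
            self.echoes.discard(key)  # one reply per request
            return True
        if icmp_type not in ICMP_ERRORS:
            return False  # unsolicited requests, redirects, etc.
        quoted = icmp[8:]  # IPv4 header + first 8 bytes of the packet that triggered the error
        if len(quoted) < 20 or quoted[0] >> 4 != 4:
            return False
        ihl = (quoted[0] & 0x0F) * 4
        if ihl < 20 or len(quoted) < ihl + 4:
            return False
        src, dst = socket.inet_ntoa(quoted[12:16]), socket.inet_ntoa(quoted[16:20])
        sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
        # The quoted packet must be one we sent, and the error must come back to its sender.
        return src == outer_dst and (quoted[9], src, sport, dst, dport) in self.flows

def build_error(icmp_type, code, proto, src, sport, dst, dport):
    """Constructed sample input: an ICMP error quoting a 20-byte IPv4 header and 8 payload bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ports = struct.pack("!HHI", sport, dport, 0)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + ip + ports
```

With a table like this, the choice is no longer between permitting or denying "all" ICMP: a fragmentation-needed error for a live TCP session passes, while the same error quoting an unknown port is dropped.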