Re: Which ICMP packets to filter, which to allow to pass?

To: debian-firewall@lists.debian.org, "Ralf G. R. Bergs" <rabe@RWTH-Aachen.DE>
Subject: Re: Which ICMP packets to filter, which to allow to pass?
From: johan.hagstrom@intron.se
Date: Mon, 13 Dec 1999 08:39:26 +0100
Message-id: <[🔎] 99Dec13.082958gmt+0100.13443@funnel.intron.net>
In-reply-to: <[🔎] E11wo99-0005MM-00@ADSL-Bergs.RZ.RWTH-Aachen.DE>

On 11 Dec 99, at 16:11, Ralf G. R. Bergs wrote:
> currently I'm allowing EVERYTHING but timestamp-requests. What else can I
> safely drop?
> Or the other way round: Which packets do I absolutely need? I then could drop
> everything else.

I would suggest you keep Pong(0), destination unreachable(3) ,
Source Quench(4), Time exceed(11) and Parameter problem(12).

Everything else deny and log. It is possible that you explicit must
deny icmp redirects from your gateway or you will go nuts when
analysing your logs :).

Best Regards Johan

**********************************************************
Johan Hagström           Data Ingenjör / KTH
Direkt: 0498 - 202732    johan.hagstrom@intron.se
Växel:  0498 - 202700    Fax: 0498 - 214640
Intron Service AB        http://www.gotlandica.com

"Security is not a solution. It is a way of life."
**********************************************************

Reply to:

References:
- Which ICMP packets to filter, which to allow to pass?
  - From: "Ralf G. R. Bergs" <rabe@RWTH-Aachen.DE>

Prev by Date: Which ICMP packets to filter, which to allow to pass?
Next by Date: URGENT: Problem with source-based routing and masquerading.
Previous by thread: Which ICMP packets to filter, which to allow to pass?
Next by thread: URGENT: Problem with source-based routing and masquerading.
Index(es):
- Date
- Thread