
Re: Blocking icmp



On Sat, 31 May 2003, Frank Matthie wrote:
> On Friday, 30.05.2003 at 1:59 CEST +0200, Daniel Pittman wrote:
>> On Thu, 29 May 2003, moseley@hank.org wrote:
>> > I believe it's not good to just drop the auth (ident) requests --
>> > IIRC it makes mail clients delay.
>> > 
>> > So the question is how should they be rejected?
>> > 
>> >    reject-with icmp-port-unreachable
>> > or
>> >    reject-with tcp-reset
>> 
>> I never encountered a problem with either IRC or mail when I rejected
>> with ICMP prot administratively prohibited; that is also true. :)
> 
> More and more firewall admins block icmp, also in publicly accessible
> networks. In Germany we have some trouble with a freemailer, who also
> blocks icmp messages, so there is no path mtu negotiation possible.
> It isn't really a good idea to block icmp.

Well, no. The lack of path MTU detection is one thing that often gets
fixed one way or another, because it hits the Windows-direct-to-Internet
client base for the company doing it...

> If you block parts of it and you have reasons to do that ok, but most
> of them block icmp at all.

Well, blocking some is essential to defend the less competent OS vendors
out there who ...

> block ping - security by obscurity?

Mostly. It buys you little, makes it hard to check your network ... but
does prevent machines crashing when they get very large ping packets...

> block broadcast ping - seems to be a good idea.

... because some OS vendors still respond to ping on a broadcast basis,
especially the ones who market embedded printer subsystems.

> block router redirection - If there can only be one router on the other
>                            end, block that.

This is the one point at which you are wrong. Many versions of Windows
would respect the request for router redirection and happily start
routing to anywhere you asked.

So, blocking that is sane ... not least of which because it's not really
used. Just blocking the one *legal* source of these messages, though, is
probably not a good idea.

If you want to allow it at all, allow it only from the legal
source(s)...

        Daniel

-- 
If you own this child at an early age, you can own this child for years to
come. Companies are saying, `Hey, I want to own the kid younger and younger.'
        -- Mike Searles, former president of Kids-R-Us
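The selective ICMP policy the thread converges on (reject ident instead of dropping it, keep PMTU discovery working, drop broadcast ping, and accept redirects only from the legitimate gateway), written out as an nftables ruleset. This is an added example, not from the original mail or its author; it uses nftables rather than the iptables syntax quoted in the thread, and the gateway address 192.0.2.1 is an assumed placeholder.

```nft
# Added example: selective ICMP filtering, not from the original thread.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif lo accept

        # Ident (auth) probes: answer with a TCP reset so mail and IRC
        # servers fail fast instead of waiting on a dropped packet.
        # (reject with icmp type admin-prohibited is the alternative
        # mentioned in the thread.)
        tcp dport 113 reject with tcp reset

        # Path MTU discovery needs "fragmentation needed" to get through;
        # time-exceeded keeps traceroute and TTL expiry reporting sane.
        icmp type destination-unreachable icmp code frag-needed accept
        icmp type time-exceeded accept
        icmpv6 type { packet-too-big, time-exceeded,
                      nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert } accept

        # Never answer echo requests sent to a broadcast/multicast address.
        fib daddr type { broadcast, multicast } icmp type echo-request drop

        # Unicast ping stays reachable, but rate limited.
        icmp type echo-request limit rate 5/second accept

        # Router redirects only from the one legitimate gateway on this
        # segment (assumed placeholder address); everything else is dropped.
        ip saddr 192.0.2.1 icmp type redirect accept
        icmp type redirect drop

        # Any other ICMP type falls through to the chain policy (drop).
    }
}
```

Load with `nft -f <file>`; on hosts that should never honour redirects at all, additionally set `net.ipv4.conf.all.accept_redirects=0` so the decision does not depend on the firewall alone.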


