
Re: your mail



Timothy...

On Tue, Jan 18, 2005 at 09:54:14PM +0100, Timothy Earl wrote:
> I am having a little trouble understanding the differences between
> Firewall / Proxy activity on internal / external nets. For example I
> read recently out of a book I am going through, that one should
> reconsider blocking all ICMP traffic for reasons related to
> fragmentation.

Here I limit what kinds of ICMP messages are allowed (mostly
echo-request/echo-reply). But basically I see no reason to block the
ICMP protocol. It's true, though, that some attackers intentionally
fragment their packets in the hope of circumventing simple network
security applications that don't reassemble the traffic. But usually
network security applications like e.g. "snort" or content-filtering
firewalls first reassemble the data stream before doing checks on it.
So no need to block them IMHO.

Your doubts about MTUs are valid. Blocking IP fragments can cause
problems of different kinds. Perhaps you use NFS over UDP (the default),
or a VPN tunnel, or even ISPs with different line technologies. All of this
can cause IP fragments that you will definitely want to allow. Before
blindly blocking fragments, I recommend you watch your interface for a
while to see whether fragments of production traffic show up.

> My second question is which ICMP types should be allowed in to the
> external interface if any?

Any. ;)

Cheers
 Christoph
-- 
~
~
".signature" [Modified] 3 lines --100%--                3,41         All
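As an added illustration of the two points in the reply above (a filter that admits only selected ICMP types, and why non-initial fragments defeat a stateless filter but not a reassembling one), here is a small Python packet classifier. It is example code written for this page, not anything from the original mail or from any firewall product; the sample packets are constructed inline with correct IPv4 header checksums, and the ALLOWED_ICMP_TYPES policy (echo-request and echo-reply only) is an assumption that mirrors the "mostly echo-request/echo-reply" filter described by the author.

```python
"""Classify raw IPv4 packets by ICMP type and fragment status.

Constructed example, not part of the original mail. Sample packets are
built inline; the ALLOWED_ICMP_TYPES policy is an assumed one.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

IP_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte IPv4 header, no options
ICMP_HDR = struct.Struct("!BBH")          # type, code, checksum
PROTO_ICMP, PROTO_UDP = 1, 17
FLAG_MF, FRAG_MASK = 0x2000, 0x1FFF       # "more fragments" bit, 13-bit offset

# Assumed policy: echo-reply (0) and echo-request (8) only.
ALLOWED_ICMP_TYPES = {0, 8}


@dataclass
class Verdict:
    proto: int
    is_fragment: bool
    frag_offset: int            # byte offset of this fragment in the datagram
    icmp_type: Optional[int]    # None when no ICMP header is visible
    icmp_code: Optional[int]
    action: str                 # "allow", "drop" or "fragment"


def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum; returns 0 for a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_packet(pkt: bytes) -> Verdict:
    """Decode the IP header, then the ICMP header only if one is actually present."""
    if len(pkt) < IP_HDR.size:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, _tlen, _ident, flags_frag, _ttl, proto, _csum, _src, _dst = IP_HDR.unpack_from(pkt)
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl or ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IHL or header checksum")
    mf = bool(flags_frag & FLAG_MF)
    offset = (flags_frag & FRAG_MASK) * 8
    is_fragment = mf or offset > 0

    icmp_type = icmp_code = None
    # Only the first fragment (offset 0) carries the transport header. A
    # non-initial fragment has no type/code to match on, which is exactly
    # why a stateless filter can be fooled and a reassembling one cannot.
    if proto == PROTO_ICMP and offset == 0 and len(pkt) >= ihl + ICMP_HDR.size:
        icmp_type, icmp_code, _ = ICMP_HDR.unpack_from(pkt, ihl)

    if is_fragment:
        action = "fragment"      # count these before deciding to block them
    elif proto == PROTO_ICMP:
        action = "allow" if icmp_type in ALLOWED_ICMP_TYPES else "drop"
    else:
        action = "allow"
    return Verdict(proto, is_fragment, offset, icmp_type, icmp_code, action)


def summarize(packets: Iterable[bytes]) -> Dict[str, int]:
    """Tally verdicts: the 'watch your interface for a while' step in miniature."""
    counts: Dict[str, int] = {}
    for pkt in packets:
        v = parse_packet(pkt)
        counts[v.action] = counts.get(v.action, 0) + 1
    return counts


def build_ipv4(proto: int, payload: bytes, ident: int = 1, mf: bool = False,
               offset: int = 0) -> bytes:
    """Assemble a minimal IPv4 packet (10.0.0.1 -> 10.0.0.2) with a valid checksum."""
    assert offset % 8 == 0, "fragment offsets are in 8-byte units"
    flags_frag = (FLAG_MF if mf else 0) | (offset // 8)
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    hdr = IP_HDR.pack(0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def icmp(type_: int, code: int = 0, body: bytes = b"\x00" * 4) -> bytes:
    """ICMP header plus body; the ICMP checksum is left 0 and not validated here."""
    return ICMP_HDR.pack(type_, code, 0) + body


# Constructed sample traffic (not captured from any real network).
SAMPLES = {
    "echo-request": build_ipv4(PROTO_ICMP, icmp(8)),
    "echo-reply":   build_ipv4(PROTO_ICMP, icmp(0)),
    "redirect":     build_ipv4(PROTO_ICMP, icmp(5, 1)),
    "udp-frag-0":   build_ipv4(PROTO_UDP, b"\x00" * 16, ident=7, mf=True),
    "udp-frag-1":   build_ipv4(PROTO_UDP, b"\x00" * 8, ident=7, offset=16),
    "icmp-frag-1":  build_ipv4(PROTO_ICMP, b"\x00" * 8, ident=9, offset=8),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:13} -> {parse_packet(pkt)}")
    print(summarize(SAMPLES.values()))
```

The "icmp-frag-1" sample is the interesting one: it is protocol 1 with a non-zero fragment offset, so there is no ICMP header to inspect and the classifier can only report it as a fragment. A firewall that decides per packet has the same blind spot, which is the reason the reply points at reassembling tools such as snort, and the reason to count production fragments before dropping them.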


