ICMP Packets.

Don Kendrick dkendrick@mindspring.com
Tue, 2 Jun 1998 07:57:09 -0400


In the standard configuration of you, with a perimeter router, connected point to point with an ISP's router; there's no reason I can think of other than troubleshooting to allow ICMP packets to enter your perimeter.

Don
    -----Original Message-----
    From: Toddb <toddb@pacifier.com>
    To: firewall-wizards@nfr.net <firewall-wizards@nfr.net>
    Date: Tuesday, June 02, 1998 2:21 AM
    Subject: ICMP Packets.

    To prohibit anyone from 'pinging' our router from the internet, I have disabled certain ICMP packets (namely echo reply) from exiting our external router interface. They are allowed in, but not out - which effectively disables someone from the outside pinging our router, but allows internal machines to ping the outside world. I have a couple of questions that someone may be able to answer.

    1) Is there any reason that echo reply would need to be allowed out in response to an external request? I know this is the case for other ICMP messages such as packet-too-big, but I am not sure why echo-reply would ever be needed.

    2) Is there a list of ICMP message types that are needed as opposed to ones that are just used for troubleshooting (like echo, echo-reply) that can be blocked without problems.

    Thanks,

    Todd

    toddb@pacifier.com
