Perry E. Metzger
Wed, 03 Jun 1998 12:26:39 -0400
"Don Kendrick" writes:
> >I've never understood why blocking ICMP was going to make you more
> >secure in the first place. Lots of ICMP information is very valuable
> >in making protocols run smoothly. Sure, some of it can be dangerous if
> >it is misused, like redirects, but you should know what you are doing,
> >not blindly block the whole protocol.
> My main reason for doing it over a year ago was that I did not want anyone
> mapping my external network as well as redirects.
If you are filtering datagrams that claim to come from your network
that originate externally, redirects are not an issue. They also can
be individually filtered.
Most of the external networks for the firewalls at my clients aren't
exactly hard to guess the map of, btw. -- router, set of bastion hosts
connected to it by a hub. If someone is going to figure out something
interesting based on knowing that, I've made a giant error in my
> But it also has been helpful in blocking some of these more recent
> attacks as well.
Which "some of these more recent attacks" would those be?
> I run ICMP internally and also think it should be run externally, I
> just don't think they should be mixed.
IP is an end to end protocol. ICMP is an integral part of IP. If you
allow IP through a network device, you have to allow ICMP to follow