ICMP Packets.

Bennett Todd bet@rahul.net
Thu, 4 Jun 1998 10:48:57 -0700


1998-06-04-07:11:54 Matthew Green:
> [I] was surprised at the number of people advocating the "block all
> icmp packets" approach.

I haven't seen too many such. Rather, the original poster who started
this thread asked _what_ sort of ICMP packets (like the ``need frag''
you refer to for path MTU discovery) we should let through because
they're actually necessary.

Even Perry has slipped as far as to concede that it might be appropriate
to block some ICMP types. What those of us of the ``old school'' are
hoping is that someone will give us a list of the ICMP packet types that
_are_ needed, along with why --- some of us are keen fans of the ``block
everything except that which is explicitly permitted'' style of firewall
config.

> if you really care about security such that you think blocking ICMP
> messages is a good thing, _why_ don't you also block normal IP packets
> as well?

I do, indeed --- I block all IP packets except a very select few that I
explictly choose to let in. Likewise UDP. I'd be inclined to expect that
the same approach would be appropriate for ICMP, no?

So, while I've not yet looked at the RFC to translate the gist into
actual packet types suitable for plugging into a filter, I have gotten a
gist --- I came into this knowing about the need for the fragmentation
packet for path MTU discovery, and Perry just taught me that I'll need
to let some more through so people getting SYN-ed with spoofed source
can get an ``nope, ain't me'' back from my server.

We're getting there....

-Bennett