Great Circle Associates Firewalls
(October 1992)


Subject: Re: icmp considered dangerous ?
From: Brent Chapman <brent @ GreatCircle . COM>
Date: Thu, 29 Oct 92 08:45:40 -0800
To: Firewalls @ GreatCircle . COM
In-reply-to: Your message of Thu, 29 Oct 92 13:19:51 MEZ

Georg Chytil <chytil @ hp4at . eunet . co . at> writes:

# When establishing the filters on our cisco I usually block out icmp too,
# due to tradition & habit.
# Thinking about this I could not come up with an explanation
# beside some possible icmp-redirects which may be forged.
# Is there any other gain in blocking icmp on a firewall-router ?

I consider most of the ICMP messages harmless from a security
standpoint, and allow them through.  The only one I routinely block is
ICMP redirect.

Some programs get confused if they can "ping" a host behind the
gateway, but not open an IP connection to it.  I think that's poor
design of the programs; they should use an in-band equivalent to
"ping" for their connectivity test.  For instance, many RPC-based
services (including NFS) define a "null" procedure, which simply takes
no arguments and always returns "succeed" without actually doing
anything; programs trying to determine connectivity can thus send a
"null" command to the particular service they're interested in.

Brent Chapman                                   Great Circle Associates
Brent @ GreatCircle . COM                       1057 West Dana Street
+1 415 962 0841                                 Mountain View, CA  94041
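Added example (not part of Brent Chapman's message, and not the cisco configuration Georg asks about): a minimal IPv4/ICMP filter in Python that applies the policy stated above, dropping ICMP Redirect (type 5) and passing every other ICMP type and every non-ICMP datagram. The sample packets are hand-built here, with addresses from the 192.0.2.0/24 documentation range, and the filter is a simplified stand-in for a router access list; packets that fail header or checksum validation are dropped rather than passed.

```python
"""IPv4/ICMP filter for the policy "block ICMP redirect, pass the rest".
Constructed example; the packets in SAMPLE_PACKETS are hand-built, not captures."""
import struct

ICMP_PROTO = 1
TCP_PROTO = 6
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_REDIRECT = 5        # RFC 792 Redirect: the one type this policy drops
ICMP_ECHO = 8
ICMP_TIME_EXCEEDED = 11


def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """IPv4 header without options, checksum filled in, followed by payload."""
    def addr(a: str) -> bytes:
        return bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      64, proto, 0, addr(src), addr(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp(icmp_type: int, code: int, rest: bytes, body: bytes = b"") -> bytes:
    """ICMP message: type, code, checksum, 4-byte 'rest of header', body."""
    assert len(rest) == 4, "rest-of-header field is always 4 bytes"
    msg = struct.pack("!BBH", icmp_type, code, 0) + rest + body
    return msg[:2] + struct.pack("!H", ip_checksum(msg)) + msg[4:]


def parse(packet: bytes):
    """Validate the IPv4 header (and ICMP header if present).
    Returns (protocol, icmp_type or None); raises ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("short packet")
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    if ip_checksum(packet[:ihl]) != 0:     # a correct header sums to zero
        raise ValueError("bad IP checksum")
    proto = packet[9]
    if proto != ICMP_PROTO:
        return proto, None
    icmp = packet[ihl:]
    if len(icmp) < 8:
        raise ValueError("short ICMP")
    if ip_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    return proto, icmp[0]


def filter_decision(packet: bytes) -> str:
    """'pass' or 'drop'. Only ICMP Redirect is dropped by policy; anything
    that does not parse cleanly is dropped as well rather than let through."""
    try:
        proto, icmp_type = parse(packet)
    except ValueError:
        return "drop"
    if proto == ICMP_PROTO and icmp_type == ICMP_REDIRECT:
        return "drop"
    return "pass"


# Constructed sample traffic (not real captures), documentation addresses only.
SAMPLE_PACKETS = {
    "echo_request": build_ipv4("192.0.2.10", "192.0.2.20", ICMP_PROTO,
                               build_icmp(ICMP_ECHO, 0, b"\x00\x01\x00\x01", b"ping")),
    "redirect": build_ipv4("192.0.2.1", "192.0.2.20", ICMP_PROTO,
                           build_icmp(ICMP_REDIRECT, 1, b"\xc0\x00\x02\xfe", b"\x45\x00" * 14)),
    "dest_unreach": build_ipv4("192.0.2.1", "192.0.2.20", ICMP_PROTO,
                               build_icmp(ICMP_DEST_UNREACH, 3, b"\x00" * 4, b"\x45\x00" * 14)),
    "tcp_syn": build_ipv4("192.0.2.10", "192.0.2.20", TCP_PROTO,
                          b"\x04\xd2\x00\x17" + b"\x00" * 16),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print("%-13s %s" % (name, filter_decision(pkt)))
```

On IOS the same policy is two extended access-list lines, `deny icmp any any redirect` ahead of `permit icmp any any`; the explicit permit matters because every IOS access list ends in an implicit deny, so leaving it out silently takes the rest of ICMP down with the redirects.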

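Added example (not from the original message): the in-band connectivity test Brent describes, written out as an ONC RPC (RFC 1057) NULL-procedure probe in Python. It encodes a CALL for procedure 0 of a given program and version, and a stand-in server (assumed here, not any real portmapper or NFS daemon) decodes the call and answers with an accept status, so both sides of the exchange are visible. The program numbers 100003 (NFS) and 100000 (portmapper) are the standard assignments; the version table KNOWN_PROGRAMS is made up for the demo. The framing is the UDP form; over TCP each message is preceded by a 4-byte record mark, which this example does not add.

```python
"""ONC RPC (RFC 1057) NULL-procedure probe: an in-band "are you there" for an
RPC service, used instead of ICMP echo. Added example; the server side is a
stand-in that answers only procedure 0 for the programs in KNOWN_PROGRAMS."""
import os
import struct

CALL, REPLY = 0, 1
RPC_VERSION = 2
MSG_ACCEPTED = 0
SUCCESS, PROG_UNAVAIL, PROG_MISMATCH, PROC_UNAVAIL = 0, 1, 2, 3
AUTH_NULL = 0
NULLPROC = 0
NFS_PROGRAM, PORTMAP_PROGRAM = 100003, 100000
MAX_AUTH_BYTES = 400  # RFC 1057 limit on an opaque_auth body

# Program -> versions the stand-in server claims to support (demo table).
KNOWN_PROGRAMS = {NFS_PROGRAM: (2, 3), PORTMAP_PROGRAM: (2,)}


def _opaque_auth(flavor: int = AUTH_NULL, body: bytes = b"") -> bytes:
    """XDR opaque_auth: flavor, body length, body padded to a 4-byte boundary."""
    return struct.pack("!II", flavor, len(body)) + body + b"\x00" * ((-len(body)) % 4)


def _skip_opaque_auth(buf: bytes, off: int) -> int:
    """Step over an opaque_auth at `off`; return the offset just after it."""
    if len(buf) < off + 8:
        raise ValueError("truncated opaque_auth")
    _flavor, length = struct.unpack_from("!II", buf, off)
    if length > MAX_AUTH_BYTES:
        raise ValueError("oversized auth body")
    end = off + 8 + length + ((-length) % 4)
    if len(buf) < end:
        raise ValueError("truncated opaque_auth body")
    return end


def build_null_call(program: int, version: int, xid: int = None):
    """Encode a CALL for procedure 0 of (program, version). Returns (xid, bytes).
    NULL takes no arguments, so the message ends after cred and verf."""
    if xid is None:
        xid = struct.unpack("!I", os.urandom(4))[0]
    hdr = struct.pack("!IIIIII", xid, CALL, RPC_VERSION, program, version, NULLPROC)
    return xid, hdr + _opaque_auth() + _opaque_auth()


def server_handle(call: bytes) -> bytes:
    """Stand-in server: decode a call and build the accepted reply.
    Only NULL is implemented, so any other procedure gets PROC_UNAVAIL."""
    if len(call) < 24:
        raise ValueError("short RPC call")
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from("!IIIIII", call, 0)
    if mtype != CALL or rpcvers != RPC_VERSION:
        raise ValueError("not an RPC version 2 call")
    off = _skip_opaque_auth(call, 24)   # cred
    _skip_opaque_auth(call, off)        # verf
    if prog not in KNOWN_PROGRAMS:
        status = PROG_UNAVAIL
    elif vers not in KNOWN_PROGRAMS[prog]:
        status = PROG_MISMATCH
    elif proc != NULLPROC:
        status = PROC_UNAVAIL
    else:
        status = SUCCESS
    reply = struct.pack("!III", xid, REPLY, MSG_ACCEPTED) + _opaque_auth()
    reply += struct.pack("!I", status)
    if status == PROG_MISMATCH:        # mismatch reply carries the supported range
        reply += struct.pack("!II", min(KNOWN_PROGRAMS[prog]), max(KNOWN_PROGRAMS[prog]))
    return reply


def parse_null_reply(reply: bytes, expected_xid: int):
    """Return the accept_stat of an accepted reply to our xid, or None when the
    bytes are not that (wrong xid, not a reply, denied, or truncated)."""
    if len(reply) < 12:
        return None
    xid, mtype, stat = struct.unpack_from("!III", reply, 0)
    if xid != expected_xid or mtype != REPLY or stat != MSG_ACCEPTED:
        return None
    try:
        off = _skip_opaque_auth(reply, 12)
    except ValueError:
        return None
    if len(reply) < off + 4:
        return None
    return struct.unpack_from("!I", reply, off)[0]


def null_probe(program: int, version: int, send) -> bool:
    """Connectivity test: True only if the service accepts NULL with SUCCESS.
    `send` delivers the call bytes and returns the reply bytes; in real use a
    UDP socket round-trip, here server_handle is passed in directly."""
    xid, call = build_null_call(program, version)
    return parse_null_reply(send(call), xid) == SUCCESS


if __name__ == "__main__":
    print("NFS v2 reachable:", null_probe(NFS_PROGRAM, 2, server_handle))
    print("NFS v4 reachable:", null_probe(NFS_PROGRAM, 4, server_handle))
```

The probe matches the reply's xid against the one it sent, which is what makes this a test of the service rather than of whatever happens to answer on the wire; a stray or replayed reply with another xid reads as "no answer", the same as a timeout.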
