Georg Chytil <chytil@hp4at.eunet.co.at> writes:
# When establishing the filters on our cisco I use to block out icmp too,
# due to tradition & habit.
# Thinking about this I could not come up with an explanation
# beside some possible icmp-redirects which may be forged.
# Is there any other gain in blocking icmp on a firewall-router ?
I consider most of the ICMP messages harmless from a security
standpoint, and allow them through. The only one I routinely block is
ICMP redirect.
Some programs get confused if they can "ping" a host behind the
gateway, but not open an IP connection to it. I think that's poor
design of the programs; they should use an in-band equivalent to
"ping" for their connectivity test. For instance, many RPC-based
services (including NFS) define a "null" procedure, which simply takes
no arguments and always returns "succeed" without actually doing
anything; programs trying to determine connectivity can thus send a
"null" command to the particular service they're interested in.
-Brent
--
Brent Chapman                  Great Circle Associates
Brent@GreatCircle.COM          1057 West Dana Street
+1 415 962 0841                Mountain View, CA 94041
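The filter Brent describes, passing ICMP generally but dropping only redirects, expressed as a Cisco IOS extended access list. This is an added example, not a configuration from the original message; the ACL number 101, the interface name Serial0 and the trailing blanket permit are assumptions, and the real policy for the site's TCP/UDP traffic would take that permit's place.

```cisco
! Added example, not from the original post. ACL number 101 and the
! interface Serial0 are assumptions; use the site's own numbering.
!
! Drop ICMP redirects (type 5) arriving from outside and log them,
! then let the remaining ICMP types (echo, unreachable, etc.) through.
! IOS evaluates an ACL top to bottom on first match, so the deny must
! precede the broader permit.
access-list 101 deny   icmp any any redirect log
access-list 101 permit icmp any any
!
! The site's own TCP/UDP policy belongs here. This single permit stands
! in for it only so the fragment is complete: an extended ACL ends with
! an implicit deny, so without a final permit nothing else would pass.
access-list 101 permit ip any any
!
interface Serial0
 ip access-group 101 in
 ! Also stop the router itself from emitting redirects on this interface.
 no ip redirects
```

The `log` keyword on the deny line sends a syslog entry for each dropped redirect, so forged redirects aimed at the router's hosts become visible rather than silently discarded; `no ip redirects` covers the other direction, keeping the router from generating redirects that an internal host would otherwise honour.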