Great Circle Associates Firewalls
(July 1996)
 


Subject: Re: ICMP protection.
From: Paul Ferguson <pferguso@cisco.com>
Date: Tue, 30 Jul 1996 08:23:53 -0400
To: Michel Lavondes <lavondes@tidtest.total.fr>
Cc: Steve Lang <stevel@wave.co.nz>

ICMP packets can be filtered by an ICMP message type name or ICMP message
type and code name:

    administratively-prohibited 
    alternate-address 
    conversion-error 
    dod-host-prohibited 
    dod-net-prohibited 
    echo 
    echo-reply 
    general-parameter-problem 
    host-isolated 
    host-precedence-unreachable 
    host-redirect 
    host-tos-redirect 
    host-tos-unreachable 
    host-unknown 
    host-unreachable 
    information-reply 
    information-request 
    mask-reply 
    mask-request 
    mobile-redirect 
    net-redirect 
    net-tos-redirect 
    net-tos-unreachable 
    net-unreachable 
    network-unknown 
    no-room-for-option 
    option-missing 
    packet-too-big 
    parameter-problem 
    port-unreachable 
    precedence-unreachable 
    protocol-unreachable 
    reassembly-timeout 
    redirect 
    router-advertisement 
    router-solicitation 
    source-quench 
    source-route-failed 
    time-exceeded 
    timestamp-reply 
    timestamp-request 
    traceroute 
    ttl-exceeded 
    unreachable 

Example:

 access-list 102 permit icmp any any echo
 access-list 102 permit icmp any any echo-reply

It's in the documentation.  ;-)

- paul


At 12:00 PM 7/30/96 +0100, Michel Lavondes wrote:

>
>In message <2.2.32.19960730055629.00aa1250@wave.co.nz>, Steve Lang writes:
>> Hi.
>> 
>> I have been monitoring this list for a while now, and have a question
>> with regards to ICMP, and the protection from them.
>> 
>> I am searching for information about protecting a network from 
>> spurious icmp's, with specific reference to cisco access lists.
>> 
>> There are likely to be several references available, but I have
>> yet to find them. Any pointers to more information would be
>> appreciated.
>> 
>AFAIR, blocking (or letting through) all ICMPs from a given source
>to a given destination has been around for a long time (since 9.1?).
>
>I think that blocking specific ICMP types came out with either 10.3 or
>11.x.
>
>For further info, ask cisco@spot.colorado.edu or look at:
>http://www.cisco.com/
>
>HTH
>
>Michel Lavondes (lavondes@tidtest.total.fr)
>#include <disclaimer.h>
>Governments are guilty until proved innocent
>

--
Paul Ferguson                                           ||        ||
Consulting Engineering                                  ||        ||
Reston, Virginia   USA                                 ||||      ||||
tel: +1.703.716.9538                               ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com                         c i s c o S y s t e m s
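The two-line example in the reply above only shows the syntax. Each name in that list is shorthand for an ICMP type, or a type/code pair, from RFC 792 and its successors: "echo" is type 8, "echo-reply" is type 0, "unreachable" is type 3 with any code, "port-unreachable" is 3/3, "packet-too-big" is 3/4, "time-exceeded" is type 11, "redirect" is type 5. Because every IOS access list ends in an implicit "deny ip any any", an ACL that permits only echo and echo-reply drops every other ICMP type, including the destination-unreachable and time-exceeded messages that Path MTU Discovery and traceroute rely on. The following is an added example of a fuller policy built from the same keywords; it is not from the original post. The access-list number, the interface name Serial0 and the address block 192.0.2.0/24 are placeholders chosen for illustration.

```cisco
! Added example (not from the original post): an extended ACL that uses the
! ICMP type/code names to admit only the ICMP a site normally needs.
! Assumptions: 192.0.2.0/24 is the protected LAN behind Serial0; the list
! number 102 and the interface name are placeholders.
!
! Error messages the inside needs back from the outside:
access-list 102 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
access-list 102 permit icmp any 192.0.2.0 0.0.0.255 time-exceeded
access-list 102 permit icmp any 192.0.2.0 0.0.0.255 unreachable
! "unreachable" already covers every code of type 3, but packet-too-big
! (3/4) is the one code Path MTU Discovery cannot do without, so spelling
! it out documents the intent. The numeric form is equivalent:
access-list 102 permit icmp any 192.0.2.0 0.0.0.255 3 4
! Types that can rewrite a host's routing or reveal addressing are
! dropped and logged, whatever the destination:
access-list 102 deny   icmp any any redirect log
access-list 102 deny   icmp any any mask-request log
access-list 102 deny   icmp any any router-advertisement log
! Inbound echo requests only to the one host that is meant to answer:
access-list 102 permit icmp any host 192.0.2.10 echo
! Everything else would fall to the implicit "deny ip any any" at the end
! of the list; an explicit entry with "log" makes the drops visible.
access-list 102 deny   icmp any any log
! ... the site's non-ICMP permits follow here ...
!
interface Serial0
 ip access-group 102 in
```

Entries are evaluated in order and the first match wins, so the specific permits for the inside network must precede the catch-all deny. After applying the list, `show access-lists 102` reports the match counters per entry; a counter that never moves on the "unreachable" or "time-exceeded" lines while users report hangs on large transfers or broken traceroutes is the usual sign that the needed types are being caught by a deny further up.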


