> > I have heard about the danger with ICMP packet ( shutdown and the
> > possibility to read and send data). Should we deny access for ICMP
> > packet in our DMZ because of this danger ?
> > What is your opinion about this.
> The ideal solution is to only accept ICMP packets from sources you
> know to be **trusted** hosts, and not from the general Internet
> community. I think this will preserve your functionality, while
> limiting your exposure. (Ignoring the fact that IP spoofing could
> completely circumvent this testing).
Two or Three months ago I had a curious experience about ICMP. I was
protecting a web site using a packet filter firewall, allowing ONLY WEB
accesses and ICMP pings (static routes, no problem :). All other packets
were discarded. Then I received several reports from especific ISPs (two
or three): they could connect to our site, but they couldn't retrieve
any page. Nevertheless, commands like "HEAD" or errors like "page not
found" worked fine. Logs showed complete page tranfers!.
The problem was that we filtered ICMPs about fragmentation requests.
Fragmentation were managed correctly most of the time, since that issue
were made at the (remote) router with small MTU, the usual step. But
some ISPs where sending us ICMP packets asking for fragmentation in the
origin (CISCO 761?? bug???), and we were discarding them.
My step was enable ICMP Need Fragment in order to allow MTU path
discovery, and thing are going fine since that.
So, take care about ICMP.
--
Jesus Cea Avion _/_/ _/_/_/ _/_/_/
jcea @
argo .
es http://www.argo.es/~jcea/ _/_/ _/_/ _/_/ _/_/ _/_/
_/_/ _/_/ _/_/_/_/_/
PGP Key Available at KeyServ _/_/ _/_/ _/_/ _/_/ _/_/
"Things are not so easy" _/_/ _/_/ _/_/ _/_/ _/_/ _/_/
"My name is Dump, Core Dump" _/_/_/ _/_/_/ _/_/ _/_/
"El amor es poner tu felicidad en la felicidad de otro" - Leibnitz
References:
|
|
