Great Circle Associates Firewalls
(March 1995)
 


Subject: Re: Firewalls replying with ICMP packets.
From: Brent@GreatCircle.COM (Brent Chapman)
Date: Wed, 1 Mar 1995 18:10:27 -0800
To: lavondes@tidtest.total.fr, avalon@coombs.anu.edu.au (Darren Reed)
Cc: firewalls@greatcircle.com (fw)

At 08:21 2/28/95, Michel Lavondes wrote:
>Darren Reed wrote:
>>
>> As some firewalls can be configured to reply to various packets with
>> ICMP messages, I'm wondering, which do they use ?  Just host unreachable ?
>
>If you have a filtering router as (part of) your firewall, you're limited
>to what the router will do (eg, Ciscos will send HOST UNREACHABLE only,
>whether the packet is filtered out due to its addresses, protocol, port
>or just because of a true unknown destination.)
>
>A related question is, should your firewall send back anything at all or
>should you leave the sender wondering what happened to his nastygrams ?

I don't think the filtering router should send back ICMP messages in
response to packets dropped by filtering.

First, doing so gives an attacker a way to probe your filtering system, to
determine what it will and won't allow through; as we've seen in the recent
TCP sequence number attacks, there are things you can do if you can just
get packets into a network, even if you can't get answers back out
directly.

Second, your filters shouldn't get triggered that often anyway.  They're
only going to be triggered by things that violate your security policy, and
there just shouldn't be many such connections.  Letting these few attempted
connections simply time out isn't going to cause that many more packets to
flow as things retry before they time out.  Every packet dropped by
filtering here at GreatCircle.COM is logged; it amounts to a handful of
packets per day (usually less than a dozen).

It would be nice if you could return ICMP codes to only your internal
hosts, so that your users got immediate errors rather than timeouts, but I
don't think it's critical; it's more critical to keep attackers from having
a tool to probe your filtering.


-Brent

--
==  For info about the Internet Security Firewalls Tutorial and a schedule  ==
==  of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM   ==
==============================================================================
==  Brent Chapman                                 Great Circle Associates   ==
==  Brent@GreatCircle.COM                         1057 West Dana Street     ==
==  +1 415 962 0841                               Mountain View, CA  94041  ==
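
The trade-off discussed in the message above (silent drop versus an ICMP reply, and the idea of replying only to internal senders), modelled in Python as an added example; this is not code from the original post or from Great Circle Associates. The addresses, the allowed-service policy, the ports the bastion listens on and the probe procedure are all constructed assumptions. The `firewall()` function reproduces the quoted Cisco behaviour only in the sense that every denied packet gets the same host-unreachable message, so an ICMP reply by itself does not tell the sender whether a filter or a genuine routing failure produced it.

```python
"""Silent drop vs. ICMP reject: what an outside prober can learn from the filter.

Everything here (addresses, policy, listening ports) is constructed for the
illustration; it is not the Great Circle filtering configuration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")      # assumed internal address space
BASTION = "192.0.2.10"                        # assumed bastion host address
ALLOWED = {(BASTION, "tcp", 25)}              # assumed policy: only SMTP to the bastion
# Ports each host behind the filter actually listens on (assumed).  A packet the
# filter forwards gets a SYN-ACK on these ports and a RST on any other port.
LISTENING = {BASTION: {25, 23}}


@dataclass(frozen=True)
class Probe:
    src: str
    dst: str
    proto: str
    dport: int


def host_response(p):
    """Reply from the destination host once the filter has let the packet through."""
    if p.dst not in LISTENING:
        return None                          # no such host: the sender hears nothing
    return "syn-ack" if p.dport in LISTENING[p.dst] else "rst"


def firewall(p, mode):
    """Response the sender of p observes.  `mode` is what the filter does with
    packets the policy denies:
      'drop'            silence (the behaviour the message argues for)
      'reject'          ICMP host unreachable to any sender (the quoted Cisco behaviour:
                        one message for filtered and for genuinely unknown destinations)
      'reject-internal' ICMP host unreachable only when the sender is internal
    """
    if (p.dst, p.proto, p.dport) in ALLOWED:
        return host_response(p)
    if mode == "reject":
        return "icmp-host-unreachable"
    if mode == "reject-internal" and ip_address(p.src) in INTERNAL_NET:
        return "icmp-host-unreachable"
    return None                              # silent drop: the sender times out


def probe_filter(attacker, target, ports, mode):
    """One TCP probe per port from an outside attacker, and what it can conclude.

    A host-unreachable is attributed to the filter only when the same host has
    already answered on some other port: the host is then demonstrably reachable,
    so the ICMP cannot be a genuine routing error and must be the filter talking.
    """
    seen = {port: firewall(Probe(attacker, target, "tcp", port), mode) for port in ports}
    reachable = any(r in ("syn-ack", "rst") for r in seen.values())
    filtered = {port for port, r in seen.items()
                if reachable and r == "icmp-host-unreachable"}
    unknown = {port for port, r in seen.items() if r is None}
    return {"reachable": reachable, "filtered": filtered, "unknown": unknown}


if __name__ == "__main__":
    for mode in ("reject", "drop"):
        print(mode, probe_filter("203.0.113.5", BASTION, [22, 23, 25, 80], mode))
```

Under `'reject'` the outside prober gets a SYN-ACK from port 25, so the host-unreachable replies on 22, 23 and 80 can only have come from the filter, and the prober now holds an exact map of the deny rules for that host. Under `'drop'` those three ports look no different from ports on a host that is simply down, which is the point the message makes. `'reject-internal'` keeps that property toward the outside while still giving an internal user an immediate error instead of a timeout.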