Great Circle Associates Firewalls
(April 1998)
 


Subject: RE: Questions about ICMP
From: Mike Batchelor <mbatchelor@citysearch.com>
Date: Wed, 8 Apr 1998 17:13:23 -0800
To: firewalls@GreatCircle.COM
References: <3.0.5.32.19980408135627.0083e900@mailgate.nytimes.com>

OK, I got a question about this.  I have Gauntlet 3.2 on Irix 6.2.  It 
uses the native Irix ipfilterd to prevent packet forwarding, and a 
number of other interesting things.  I also provide outgoing socks5 
service on the firewall, in addition to the Gauntlet proxies.  The 
socks5 server from socks.nec.com has provisions for a socks-ified 
traceroute.  Basically, the socks traceroute client traces to the 
socks server, then asks the socks server to run traceroute for the 
rest of the way to the destination, and returns the results to the 
invoking user.

Now, this did not work until I modified the ipfilterd.conf to stop 
dropping ICMP messages on the outside interface.  Gauntlet rightly 
sets it up to drop all ICMP.  With all ICMP blocked, the traceroute 
that socks5 executes does not hear the return ICMP messages, and the 
socks-ified traceroute fails to work.  But our internal network is not 
routeable, so my assumption is that this is fairly harmless, since no 
one on the outside can get a packet to an unrouteable IP address.  The 
farthest they can go is to the firewall itself, and the risk of DoS 
and other bad things is acceptable if, in return, we can get the 
diagnostic benefits of being able to trace to outside networks.

So as best as I can tell, since the protected network is not 
routeable, there is no way an outside party can trace to our inside 
network.  My understanding is, the only way to trace from the outside 
to the inside, is if you have a host on the net between the firewall 
and the router.  You could then set up routes to the internal network. 
But the firewall prevents even this from succeeding, since Gauntlet 
does not provide a generic UDP relay.  As best I can tell, allowing 
ICMP on the firewall outside interface places only the firewall at 
some extra risk.  Does anyone agree, disagree?  Have I misunderstood 
something important? :)

Of course, I can tighten the ICMP by dropping all incoming ICMP 
message types except the ones involved with ping and traceroute (3 and 
11, I believe).  I have to do this at the router, since Irix ipfilterd 
does not distinguish ICMP message types.

_______________________________________________________________
UNIX Team - The difference between theory and practice is often 
greater in practice than in theory.
04/08/98 17:13:24
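The post ends with the observation that ipfilterd cannot filter by ICMP message type, so the type-level policy has to live on the router. As an added example (not code from the post, from Gauntlet or from ipfilterd), here is a toy inbound filter in Python that parses an IPv4 packet carrying ICMP, verifies the ICMP checksum and accepts only an allowlist of types. The allowlist {0, 3, 11} and the packet builder are assumptions of this example: types 3 and 11 are the two the post names, and type 0 (echo reply) is added because that is what ping answers arrive as.

```python
import struct

# Assumed allowlist for ICMP arriving on the outside interface:
# 0 = echo reply (ping answers), 3 = destination unreachable,
# 11 = time exceeded (what traceroute listens for). Everything else is dropped.
ALLOWED_ICMP_TYPES = frozenset({0, 3, 11})


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; returns 0 when data already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Constructed test fixture: minimal IPv4 header (no options, IP checksum
    left at zero, which the filter below does not check) + one ICMP message."""
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + payload
    icmp = icmp[:2] + struct.pack("!H", ones_complement_sum(icmp)) + icmp[4:]
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto=1 (ICMP),
    # header checksum, src (192.0.2.1), dst (198.51.100.1) - documentation ranges
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return ip + icmp


def filter_inbound(packet: bytes) -> str:
    """Decide one raw IPv4 packet arriving on the outside interface.
    Returns 'accept', 'defer:not-icmp' (left to other rules) or 'drop:<reason>'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop:not-ipv4"
    ihl = (packet[0] & 0x0F) * 4              # header length in bytes
    if packet[9] != 1:                        # protocol field: 1 = ICMP
        return "defer:not-icmp"
    icmp = packet[ihl:]
    if len(icmp) < 8:                         # every ICMP message has an 8-byte header
        return "drop:truncated"
    if ones_complement_sum(icmp) != 0:        # corrupted or forged header
        return "drop:bad-checksum"
    icmp_type = icmp[0]
    if icmp_type in ALLOWED_ICMP_TYPES:
        return "accept"
    return "drop:type-%d" % icmp_type
```

Run against `build_ipv4_icmp(11, 0, b"\x00" * 28)` (a time-exceeded with a zeroed quoted header) the filter accepts, while an echo request (type 8) or a redirect (type 5) is dropped by type.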
