Firewall Wizards mailing list archives
Re: ICMP Packets.
From: Andrew Yeomans <andrew_yeomans () uk ibm com>
Date: Wed, 3 Jun 1998 12:46:08 +0000
The IBM Redbook "Protect and Survive Using IBM Firewall 3.1 for AIX", IBM publication SG24-2577-02 has a good discussion on ICMP packets in section 3.1.2 and 6.20. This is not specific to the IBM product. You can find the book on-line, plus ordering details, at http://www.redbooks.ibm.com, use the top-left search panel to look for "protect and survive".

Unfortunately the pictures in 6.20 have not been uploaded to the on-line book. They are described in section 3.1.2, but to help you out, these are the summarised rules from 6.20 pictures:

Action  Packet type        ICMP type              Direction
------  -----------        ---------              ---------
Permit  ICMP echo request  type 8 code 0          Secure<->FW, FW<->Nonsecure
Permit  ICMP echo reply    type 0 code 0          Secure<->FW, FW<->Nonsecure
Block   ICMP echo request  type 8 code 0          All directions
Block   ICMP echo reply    type 0 code 0          All directions
Permit  outgoing redirect  type 5 code any        Secure<--FW, FW-->Nonsecure
Block   ICMP redirect      type 5 code any        All directions
Permit  dest unreachable   type 3 code any        Secure<->FW, FW<--Nonsecure
Block   dest unreachable   type 3 code any        All directions
Permit  source quench      type 4 code any        Secure<->FW, FW<->Nonsecure
Permit  time exceeded      type 11 code any       Secure<->FW, FW<--Nonsecure
Permit  time exceeded      type 11 code any       Secure---routed-->Nonsecure
Block   time exceeded      type 11 code any       All directions
Permit  parameter problem  type 12 code any       Secure<->FW, FW<->Nonsecure
Block   all ICMP           type any code any      All directions

These are to be read sequentially, so the "block" rules mop up any exceptions to the earlier permit rules. Note carefully the direction arrows. These all assume a dual-homed firewall configuration.

Do read the text too, as it has some differences to the rules above from the pictures, with explanations.
Andrew_Yeomans () uk ibm com, Installation Support Centre, EMEA Network Computing Software and e-business Centre of Competence, MP 3GS, IBM UK Ltd, 1 New Square, Bedfont Lakes, Feltham, Middlesex,TW14 8HB Tel: +44-181-818-4288 Int: 36-4288 Fax: +44-181-818-5475 Pager: 01523-494985 "A program that has not been specified cannot be incorrect, it can only be surprising."
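
The sequential, first-match reading of the rule list in the message above, as an added example that is not part of the original post or of the IBM Redbook. The zone labels (S, F, N), the decide() function, and the reading of "A<->B" as both directions and "A<--B" as B to A are assumptions of this example.

```python
# Added illustration of first-match evaluation over the rule list above.
# Zones: S = secure network, F = the firewall itself, N = nonsecure network.
# A flow is (source, destination). Reading "A<->B" as both directions and
# "A<--B" as B to A is this example's assumption.
ANY = None
BOTH = {("S", "F"), ("F", "S"), ("F", "N"), ("N", "F")}   # Secure<->FW, FW<->Nonsecure
FW_OUT = {("F", "S"), ("F", "N")}                         # Secure<--FW, FW-->Nonsecure
ERR_IN = {("S", "F"), ("F", "S"), ("N", "F")}             # Secure<->FW, FW<--Nonsecure
ROUTED = {("S", "N")}                                     # Secure---routed-->Nonsecure

# (action, packet type, ICMP type, ICMP code, flows), in the order of the table
RULES = [
    ("permit", "echo request", 8, 0, BOTH),
    ("permit", "echo reply", 0, 0, BOTH),
    ("block", "echo request", 8, 0, ANY),
    ("block", "echo reply", 0, 0, ANY),
    ("permit", "outgoing redirect", 5, ANY, FW_OUT),
    ("block", "redirect", 5, ANY, ANY),
    ("permit", "dest unreachable", 3, ANY, ERR_IN),
    ("block", "dest unreachable", 3, ANY, ANY),
    ("permit", "source quench", 4, ANY, BOTH),
    ("permit", "time exceeded", 11, ANY, ERR_IN),
    ("permit", "time exceeded", 11, ANY, ROUTED),
    ("block", "time exceeded", 11, ANY, ANY),
    ("permit", "parameter problem", 12, ANY, BOTH),
    ("block", "all ICMP", ANY, ANY, ANY),
]

def decide(icmp_type, icmp_code, flow):
    """Return (rule number, action, packet type) of the first matching rule."""
    for number, (action, name, rtype, rcode, flows) in enumerate(RULES, start=1):
        if rtype is not ANY and rtype != icmp_type:
            continue
        if rcode is not ANY and rcode != icmp_code:
            continue
        if flows is not ANY and flow not in flows:
            continue
        return number, action, name
    return 0, "block", "no rule matched"  # unreachable while the catch-all is last

if __name__ == "__main__":
    # Constructed sample packets: (type, code, flow)
    for pkt in [(8, 0, ("S", "F")), (8, 0, ("S", "N")), (5, 1, ("N", "F")),
                (11, 0, ("S", "N")), (3, 3, ("F", "N")), (13, 0, ("S", "F"))]:
        print(pkt, "->", decide(*pkt))
```

The rule number in the result shows which line of the table decided the packet, which makes it easy to see a "block" rule catching a direction that the preceding "permit" rule left out.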