Firewall Wizards mailing list archives

RE: how to block ICMP tunneling?


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Wed, 21 Jul 1999 23:59:18 -0400

> Here is a bit regarding our ping daemon...

First, let me _thank_ you for such a technically informative
posting on this topic. The other vendors should do as well. :)

> It does not send the original client data payload in the echo request if the
> firewall is not the target of the ping - pingd will construct a new echo
> request in this case with a new sequence number, new TTL (yes, this affects
> traceroute), and new optional data (with new checksum) so that people can't
> "tunnel" other protocols on top of ICMP echo.

_cooL!_

> ICMP echoes are also subject to firewall rules.  If there is no rule to
> allow ping, then all such packets get dropped.  If we expect the ping to
> come from a tunnel and it does not, we drop it.  If the ping came over a
> tunnel and the interface is not configured to force tunnel traffic up to the
> proxies, then the ping packets are sent unmodified.  Of course, the firewall
> driver makes all of its usual checks (spoofing, IP headers, etc.) for ping
> packets like any other packet it processes.

> I hope that this clears things up with respect to the Raptor Firewall and
> ICMP!

Totally. I wish your competitors were as forthcoming with
hard facts. :)  I know that the firewalls I built in the
distant past didn't do anything near as nice with ICMP. :)

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
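An added illustration of the payload-regeneration idea described in the quoted Raptor reply (this is not Raptor's pingd and not code from the thread): a Python sketch that parses an ICMP echo request, discards the client's payload entirely, and rebuilds the request with a proxy-chosen identifier, sequence number and data-free filler before recomputing the checksum. The TTL rewrite mentioned above belongs to the IP header and is not modelled; the identifier, sequence numbers and sample payload are constructed.

```python
import struct

ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the ICMP header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(pkt: bytes):
    """Return (type, code, checksum, ident, seq, payload) of an ICMP message."""
    if len(pkt) < 8:
        raise ValueError("ICMP header is 8 bytes")
    typ, code, csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return typ, code, csum, ident, seq, pkt[8:]


def checksum_ok(pkt: bytes) -> bool:
    """True when the stored checksum matches the message: a correct message sums to 0."""
    return icmp_checksum(pkt) == 0


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an echo request with a freshly computed checksum."""
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def regenerate_echo_request(pkt: bytes, ident: int, seq: int, fill_len: int = 56) -> bytes:
    """Proxy-style rewrite in the spirit of the pingd behaviour quoted above:
    nothing from the client's payload survives; a new request is built with the
    proxy's own identifier, sequence number and a fixed filler pattern, so the
    echo payload cannot carry data across the firewall."""
    typ, code, _, _, _, _ = parse_icmp(pkt)
    if typ != ICMP_ECHO_REQUEST or code != 0:
        raise ValueError("not an echo request")
    filler = bytes(i & 0xFF for i in range(fill_len))  # constant, data-free pattern
    return build_echo_request(ident, seq, filler)


# Constructed sample (hypothetical): an echo request whose payload carries
# application data, and the regenerated request the proxy would send instead.
SMUGGLED = build_echo_request(ident=0x1234, seq=7, payload=b"tunnelled application data (constructed)")
CLEAN = regenerate_echo_request(SMUGGLED, ident=0xBEEF, seq=1)
```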


