Firewall Wizards mailing list archives

Re: ICMP blocking on PIX .4.4.1


From: "Steven M. Bellovin" <smb () research att com>
Date: Thu, 27 Apr 2000 21:06:11 -0400

In message <20000427134048.DAFEC42FF@jimsun>, Jim Seymour writes:

> Allowing ICMP (or any connection-less protocol, such as UDP) *through*
> the firewall is another issue entirely.  Connection-less protocols are
> not safe.  Cannot be made safe.  Other than perhaps allowing syslog
> from the router to a syslog host, specifically, I don't see any
> particular reason to allow any UDP through a firewall.


You can allow inbound UDP if it is to a known-safe destination.  You're 
certainly right that without connection semantics, it's very hard to link a 
reply to an outbound query.

As for ICMP -- in many cases, it's vital to allow the 'fragmentation needed' 
ICMP message through, or Path MTU Discovery will break.  And that, in turn, 
leads to black holes.  It's especially problematic if routes go through 
tunnels (i.e., IPsec), since that cuts the effective MTU of that link below 
the 1500 bytes that is generally accepted.

                --Steve Bellovin
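The two points above (that a stateless protocol gives you nothing to tie a reply to an outbound query, and that 'fragmentation needed' nonetheless has to get in or PMTUD black-holes) are what a firewall's ICMP admission logic has to reconcile. The following is an added illustration, not code from this thread or from the PIX: it keeps a table of flows the inside originated and admits an inbound ICMP type 3 code 4 only when the datagram it quotes belongs to one of them, checks that the advertised next-hop MTU is plausible, and admits echo replies only against a pending request. Packets, the class name `IcmpAdmission`, and the addresses (documentation ranges) are all constructed for the demo.

```python
"""Added illustration: stateful admission of inbound ICMP so that
'fragmentation needed' (type 3, code 4) gets through for flows the inside
originated while other ICMP stays blocked.  Not PIX code; every packet
below is constructed inline for the demo."""
import struct
from ipaddress import IPv4Address, ip_network

ICMP_PROTO = 1
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4
IPV4_MIN_MTU = 68            # RFC 791: every link must carry at least this
IP_HDR = "!BBHHHBBH4s4s"     # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst


def ipv4_header(src, dst, proto, payload_len, ident=0x1234, flags_frag=0x4000):
    """20-byte IPv4 header, DF set by default; checksum left zero (parse-only demo)."""
    return struct.pack(IP_HDR, 0x45, 0, 20 + payload_len, ident, flags_frag, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def parse_ipv4(buf):
    """Split an IPv4 datagram into the header fields we need plus its payload."""
    if len(buf) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, src, dst = struct.unpack(IP_HDR, buf[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "total_len": total_len, "df": bool(flags_frag & 0x4000),
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "payload": buf[ihl:]}


def icmp_packet(src, dst, itype, code, word_hi, word_lo, body=b""):
    """Generic ICMP datagram; checksum left zero (parse-only demo)."""
    icmp = struct.pack("!BBHHH", itype, code, 0, word_hi, word_lo) + body
    return ipv4_header(src, dst, ICMP_PROTO, len(icmp), flags_frag=0) + icmp


def frag_needed_packet(router, host, next_hop_mtu, offending):
    """Router -> host type 3 code 4: next-hop MTU in the low half of the second
    word (RFC 1191), body quoting the offending IP header plus 8 bytes (RFC 792)."""
    quoted = offending[:(offending[0] & 0x0F) * 4 + 8]
    return icmp_packet(router, host, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, next_hop_mtu, quoted)


def tcp_datagram(src, dst, sport, dport, total_len):
    """Constructed stand-in for an outbound TCP segment (ports + seq), DF set."""
    return ipv4_header(src, dst, 6, total_len - 20) + struct.pack("!HHII", sport, dport, 1, 0)


class IcmpAdmission:
    """Admit inbound ICMP only when it can be tied to something the inside sent."""

    def __init__(self, inside_net):
        self.inside = ip_network(inside_net)
        self.flows = set()          # (proto, src, sport, dst, dport) seen leaving
        self.echo_pending = set()   # (src, dst, ident, seq) of outbound echo requests
        self.pmtu = {}              # (src, dst) -> MTU learned from an admitted error

    def note_outbound(self, proto, src, sport, dst, dport):
        self.flows.add((proto, src, sport, dst, dport))

    def note_outbound_echo(self, src, dst, ident, seq):
        self.echo_pending.add((src, dst, ident, seq))

    def decide(self, raw):
        """Return (verdict, reason) for one inbound datagram."""
        outer = parse_ipv4(raw)
        if outer["proto"] != ICMP_PROTO:
            return "drop", "not ICMP"
        if IPv4Address(outer["dst"]) not in self.inside:
            return "drop", "not addressed to an inside host"
        icmp = outer["payload"]
        if len(icmp) < 8:
            return "drop", "short ICMP"
        itype, code, _, word_hi, word_lo = struct.unpack("!BBHHH", icmp[:8])
        if itype == ICMP_DEST_UNREACH and code == ICMP_FRAG_NEEDED:
            return self._frag_needed(outer, word_lo, icmp[8:])
        if itype == ICMP_ECHO_REPLY:
            key = (outer["dst"], outer["src"], word_hi, word_lo)
            if key in self.echo_pending:
                self.echo_pending.discard(key)
                return "accept", "echo reply matches an outstanding request"
            return "drop", "unsolicited echo reply"
        return "drop", f"ICMP type {itype} code {code} not permitted inbound"

    def _frag_needed(self, outer, next_hop_mtu, quoted):
        # The ICMP source is some router on the path, so it proves nothing; the
        # quoted datagram is what ties the error to a flow the inside opened.
        try:
            inner = parse_ipv4(quoted)
        except ValueError:
            return "drop", "frag-needed quotes no parsable datagram"
        if len(inner["payload"]) < 8:
            return "drop", "frag-needed quotes fewer than 8 bytes of the datagram"
        if inner["src"] != outer["dst"] or not inner["df"]:
            return "drop", "quoted datagram is not a DF datagram from the target host"
        sport, dport = struct.unpack("!HH", inner["payload"][:4])
        if (inner["proto"], inner["src"], sport, inner["dst"], dport) not in self.flows:
            return "drop", "quoted datagram matches no outbound flow"
        # A zero MTU is legal from pre-RFC-1191 routers; otherwise it must be sane.
        if next_hop_mtu and not IPV4_MIN_MTU <= next_hop_mtu < inner["total_len"]:
            return "drop", f"implausible next-hop MTU {next_hop_mtu}"
        self.pmtu[(inner["src"], inner["dst"])] = next_hop_mtu
        return "accept", f"frag-needed for an outbound flow, next-hop MTU {next_hop_mtu}"


if __name__ == "__main__":
    fw = IcmpAdmission("10.0.0.0/8")
    fw.note_outbound(6, "10.0.0.5", 40000, "192.0.2.10", 443)
    big = tcp_datagram("10.0.0.5", "192.0.2.10", 40000, 443, 1500)
    # A tunnel hop (IPsec) with a 1400-byte MTU rejects the 1500-byte segment.
    print(fw.decide(frag_needed_packet("198.51.100.1", "10.0.0.5", 1400, big)))
    print(fw.decide(icmp_packet("192.0.2.10", "10.0.0.5", ICMP_ECHO_REPLY, 0, 7, 1)))
```

The flow table is the part that matters: without it the firewall has no way to tell a genuine 'fragmentation needed' from one an attacker forges to shrink a victim's path MTU, which is exactly the "can't link a reply to an outbound query" problem for a connectionless protocol; the 8 quoted bytes of transport header are what make the link possible for ICMP errors.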
