Firewall Wizards mailing list archives
RE: blocking icmp type 3
From: "Ofir Arkin" <ofir () itcon-ltd com>
Date: Sat, 26 Aug 2000 23:03:08 +0200
Jan,

When blocking incoming ICMP Destination Unreachable (Network/Host/Protocol/Port Unreachable) ICMP error messages coming from the Internet, host(s) would hang when the destination system's network is unreachable, when a host is unreachable, when a protocol on the destination machine is not available, or when a port on a destination machine is closed. They all would hang until the timeout counter reaches zero.

Sometimes having a little inconvenience is better than having the dangers other types of ICMP error messages inside your network can introduce.

For more information I suggest you read my paper "ICMP Usage In Scanning", available in PDF format from www.sys-security.com.

Ofir Arkin [ofir () itcon-ltd com]
Senior Security Analyst
ITcon, Israel.
http://www.itcon-ltd.com
Personal Web page: http://www.sys-security.com

"Opinions expressed do not necessarily represent the views of my employer."

-----Original Message-----
From: firewall-wizards-admin () nfr net [mailto:firewall-wizards-admin () nfr net] On Behalf Of Jan Stifter
Sent: Friday, August 25, 2000 7:42 AM
To: firewall-wizards () nfr net
Subject: [fw-wiz] blocking icmp type 3

hi gurus,

recently, i blocked on a firewall box (3 ethernet interfaces: one to the provider, one for private IPs, one for official) ICMP almost completely. i allowed only incoming and outgoing ICMP type 3 code 4 (fragmentation-needed), due to a paper describing the importance of this type of ICMP message (www.worldgate.com/~marcs/mtu/).

it happened then that there were "hangers" in the network, so that people from inside could not reach a site outside immediately.

can anyone explain to me what other ICMP types i should allow to avoid any networking problems? if possible, i would like to block as many ICMP types as possible.

many thanks in advance
jan
---
Jan Stifter
http://www.medres.ch/~jstifter/

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
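As an added illustration of the filtering decision discussed in this thread (example code, not from either poster): a minimal Python filter that parses an inbound ICMP message, verifies its checksum, and applies either the code-4-only policy Jan describes or the wider Destination Unreachable policy Ofir's reply argues for. The policy names, sample packets and the quoted datagram are constructed for this example.

```python
import struct

ICMP_DEST_UNREACH = 3  # ICMP type 3: Destination Unreachable
CODE_NAMES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
}

# Constructed policies: Jan's original rule (code 4 only) and the widened
# rule that also passes the net/host/protocol/port unreachable codes.
POLICY_FRAG_ONLY = {4}
POLICY_UNREACH_ALL = {0, 1, 2, 3, 4}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_error(icmp_type: int, code: int, original: bytes) -> bytes:
    """Build an ICMP error: type, code, checksum, 4 unused bytes, quoted datagram."""
    msg = struct.pack("!BBHI", icmp_type, code, 0, 0) + original
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]


def filter_icmp(packet: bytes, allowed_codes: set) -> str:
    """Decide pass/drop for one inbound ICMP message under a type-3 code policy."""
    if len(packet) < 8:
        return "drop: truncated ICMP header"
    # A valid message sums to all-ones, so the checksum over it folds to 0.
    if icmp_checksum(packet) != 0:
        return "drop: bad checksum"
    icmp_type, code = struct.unpack("!BB", packet[:2])
    if icmp_type != ICMP_DEST_UNREACH:
        return "drop: type %d not permitted" % icmp_type
    if code in allowed_codes:
        return "pass: " + CODE_NAMES.get(code, "code %d" % code)
    # Blocking this error leaves the inside sender waiting for its own timeout.
    return "drop: type 3 code %d (%s) blocked; sender waits for timeout" % (
        code, CODE_NAMES.get(code, "unknown"))


if __name__ == "__main__":
    quoted = bytes(range(28))  # constructed stand-in for the quoted IP+UDP header
    for code in sorted(POLICY_UNREACH_ALL):
        pkt = build_icmp_error(ICMP_DEST_UNREACH, code, quoted)
        print(code, filter_icmp(pkt, POLICY_FRAG_ONLY), "|", filter_icmp(pkt, POLICY_UNREACH_ALL))
```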