Firewall Wizards mailing list archives

Re: TTL, works with Cisco ACL's to :)


From: "Alex Goldney" <agoldney () qantas com au>
Date: Thu, 9 Nov 2000 18:09:35 +1000


I know a lot of sites don't do good egress filtering, and I guess that is
the point that needs to be hammered home.....

Alex.




From: Lance Spitzner <lance () spitzner net>@nfr.com on 08/11/2000 18:31 CST

Sent by:  firewall-wizards-admin () nfr com


To:   Alex Goldney <agoldney () qantas com au>
cc:   firewall-wizards () nfr com, nmap-hackers () insecure org
Subject:  Re: [fw-wiz] TTL, works with Cisco ACL's to :)


On Thu, 9 Nov 2000, Alex Goldney wrote:

OK, so you aren't blocking any ICMP packets with access-lists.  That should
avoid the problem, no?  Of course, it can be considered a bit unfriendly to
block the lot.

PATH MTU discovery stuff should be allowed at least in general.  I guess
that opens up the possibility for the same type of attack if the MTU for
one of your routers' links is less than the MTU of the incoming internet
link.  This case should be pretty rare though.

Keep in mind, many Firewalls/Screening Routers do not block ICMP error
messages.  Those that do block ICMP error messages block them inbound from
the untrusted networks, such as the Internet, or block them inbound from
internal networks.  However, most rulebases/ACLs do NOT block ICMP error
messages generated by the filtering device itself.

Keep in mind, this is a generalization based on my experience.

lance


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards




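The behaviour the thread is discussing, as a constructed model added here (it is not code from either poster, and it talks to no real network): a probe whose TTL expires at the filtering router draws an ICMP Time Exceeded from that router, and the router's own rulebase is assumed not to apply to ICMP the router generates itself, which is Lance's generalization. The model also covers Alex's Path MTU case (a don't-fragment probe larger than the inside link draws a Fragmentation Needed from the same device) and the traceroute-style walk that turns the two into a way of locating the filter. The hop ordering (TTL handled before the transit ACL), the addresses, the ACL and the `filter_own_icmp` switch are all assumptions of the model, chosen to match what the thread reports rather than any vendor's documented pipeline.

```python
"""Constructed model of TTL-expiry and PMTU leaks from a filtering router.
Nothing here touches a network; topology, ACL and addresses are made up."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Probe:
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int
    ttl: int
    size: int = 64
    df: bool = False      # don't-fragment bit, as set by path MTU discovery


@dataclass
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any protocol
    dport: Optional[int] = None

    def matches(self, p: Probe) -> bool:
        return self.proto in ("ip", p.proto) and self.dport in (None, p.dport)


@dataclass
class Hop:
    addr: str
    transit_acl: List[Rule] = field(default_factory=list)  # applied to forwarded traffic only
    filter_own_icmp: bool = False   # assumption: most rulebases ignore ICMP the device itself emits
    next_mtu: int = 1500            # MTU of the link toward the next hop


@dataclass
class Reply:
    kind: str                       # "time-exceeded", "frag-needed", "delivered" or "none"
    source: Optional[str] = None
    mtu: Optional[int] = None


def acl_verdict(acl: List[Rule], p: Probe) -> str:
    """First match wins, implicit deny at the end; an empty list means no ACL at all."""
    for r in acl:
        if r.matches(p):
            return r.action
    return "deny" if acl else "permit"


def self_generated(hop: Hop, kind: str, mtu: Optional[int] = None) -> Reply:
    """ICMP error emitted by the hop itself. It escapes the hop's rulebase unless the
    device is modelled as applying that rulebase to its own traffic (filter_own_icmp)."""
    if hop.filter_own_icmp:
        own_icmp = Probe(dst="", proto="icmp", dport=0, ttl=64)
        if acl_verdict(hop.transit_acl, own_icmp) == "deny":
            return Reply("none")
    return Reply(kind, hop.addr, mtu)


def send_probe(path: List[Hop], target: str, p: Probe) -> Reply:
    """Walk the probe hop by hop. Assumed order per hop: TTL decrement (Time Exceeded
    if it hits zero), then the transit ACL (silent drop), then the MTU check."""
    ttl = p.ttl
    for hop in path:
        ttl -= 1
        if ttl == 0:
            return self_generated(hop, "time-exceeded")
        if acl_verdict(hop.transit_acl, p) == "deny":
            return Reply("none")
        if p.df and p.size > hop.next_mtu:
            return self_generated(hop, "frag-needed", hop.next_mtu)
    return Reply("delivered", target)


def locate_filter(path: List[Hop], target: str, proto: str, dport: int, max_ttl: int = 8):
    """traceroute-style walk: raise the TTL until the probe stops answering. The last
    hop that answered is the device that swallowed the probe, or sits just behind it."""
    last = None
    for ttl in range(1, max_ttl + 1):
        r = send_probe(path, target, Probe(target, proto, dport, ttl))
        if r.kind == "delivered":
            return ("open-path", r.source)
        if r.kind == "none":
            return ("filtered-after", last)
        last = r.source
    return ("no-answer", last)


# Constructed topology: ISP router, filtering router (permits only tcp/80 inbound,
# explicitly denies ICMP, smaller link on the inside), internal router, server.
ISP = Hop("198.51.100.1")
FILTER = Hop("198.51.100.2",
             transit_acl=[Rule("permit", "tcp", 80), Rule("deny", "icmp"), Rule("deny", "ip")],
             next_mtu=1400)
INTERNAL = Hop("10.0.0.1")
PATH = [ISP, FILTER, INTERNAL]
SERVER = "10.0.0.10"


def demo() -> dict:
    out = {}
    # TTL expires at the filter: it answers although its ACL says "deny icmp".
    out["ttl_at_filter"] = send_probe(PATH, SERVER, Probe(SERVER, "tcp", 23, ttl=2))
    # Same device, rulebase applied to its own ICMP as well: the leak closes.
    strict = Hop(FILTER.addr, FILTER.transit_acl, filter_own_icmp=True, next_mtu=FILTER.next_mtu)
    out["strict_filter"] = send_probe([ISP, strict, INTERNAL], SERVER, Probe(SERVER, "tcp", 23, ttl=2))
    # Alex's PMTU case: a DF packet larger than the inside link draws Frag Needed.
    out["pmtu_leak"] = send_probe(PATH, SERVER, Probe(SERVER, "tcp", 80, ttl=8, size=1500, df=True))
    out["walk_denied"] = locate_filter(PATH, SERVER, "tcp", 23)
    out["walk_allowed"] = locate_filter(PATH, SERVER, "tcp", 80)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15} {value}")
```

The two `locate_filter` calls are the practical upshot: for a denied port the walk stops right after the filter's own address, for a permitted port it continues and surfaces the internal router, so the difference between the two walks maps the ACL without any packet ever reaching the server. Flipping `filter_own_icmp` is the only change that makes the filter go quiet, which is the point Lance makes about where rulebases usually do and do not apply.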

