Re: Fw rule set question
From: Miguel Dilaj <miguel.dilaj () oissg org>
Date: Wed, 01 Aug 2007 14:49:10 -0300
Ivan . wrote:
> there are useful ICMP types, depends on your network
>
> On 7/31/07, Juan B <juanbabi () yahoo com> wrote:
>> I am evaluating a Fw rule set.
>> I see that source quench, icmp unreachable and time
>> exceeded (all icmp) is allowed from the internet to
>> the internal network. this is a cisco pix. is it a
>> requirement that those rules will be opened? what
>> happened if I disable them? is there a security risk
>> here? I don't remember seeing those rules opened in
>> any fw I saw..
>> thanks a lot !
I see the point in allowing network troubleshooting traffic (ICMP,
traceroute) from the upstream ISP, but not in allowing it from everywhere.
ANY answer received from a system will allow enumeration, at least if
the answer comes from the system itself and is not generated by a
firewall in the middle.
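As an added illustration of the review Miguel describes (this is example code, not from the thread or from Cisco): a small audit script that reads PIX-style `access-list` lines, picks out the inbound ICMP permits, and flags the unreachable / time-exceeded / source-quench rules whose source is `any` rather than the upstream ISP range. The rule lines and the ISP range `203.0.113.0 255.255.255.0` are constructed sample values; the `audit_icmp_rules` function, the `Finding` class and the verdict labels are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of a PIX-style inbound ACL (not from the original thread).
SAMPLE_RULES = """
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any source-quench
access-list outside_in permit icmp 203.0.113.0 255.255.255.0 any echo-reply
access-list outside_in permit icmp any any echo
access-list outside_in permit tcp any host 192.0.2.10 eq www
"""

# Hypothetical upstream ISP range; a real audit takes this from the network documentation.
UPSTREAM_ISP = "203.0.113.0 255.255.255.0"

# The troubleshooting-related ICMP types named in the thread.
TROUBLESHOOTING_TYPES = {"unreachable", "time-exceeded", "source-quench"}

# Matches: access-list <name> permit icmp <src> <dst> [<icmp-type>]
# where <src>/<dst> is "any", "host A.B.C.D" or "A.B.C.D MASK".
ICMP_RULE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+permit\s+icmp\s+"
    r"(?P<src>host\s+\S+|any|\S+\s+\S+)\s+"
    r"(?P<dst>host\s+\S+|any|\S+\s+\S+)"
    r"(?:\s+(?P<type>\S+))?\s*$"
)


@dataclass
class Finding:
    acl: str
    icmp_type: str
    source: str
    verdict: str   # "ok", "restrict" or "review"
    reason: str


def audit_icmp_rules(config_text: str, upstream_isp: str) -> list:
    """Return one Finding per inbound ICMP permit, with a verdict on its source."""
    findings = []
    for raw in config_text.strip().splitlines():
        m = ICMP_RULE.match(raw.strip())
        if not m:
            continue  # not an ICMP permit; other protocols are out of scope here
        source = " ".join(m.group("src").split())
        icmp_type = m.group("type") or "all"
        if source == upstream_isp:
            verdict, reason = "ok", "limited to the upstream ISP range"
        elif source == "any":
            if icmp_type in TROUBLESHOOTING_TYPES:
                verdict, reason = "restrict", "troubleshooting ICMP accepted from everywhere"
            else:
                verdict, reason = "review", "ICMP replies from the host itself allow enumeration"
        else:
            verdict, reason = "review", "source is neither any nor the documented ISP range"
        findings.append(Finding(m.group("acl"), icmp_type, source, verdict, reason))
    return findings


if __name__ == "__main__":
    for f in audit_icmp_rules(SAMPLE_RULES, UPSTREAM_ISP):
        print(f"{f.verdict:8} {f.acl} icmp {f.icmp_type:14} from {f.source}: {f.reason}")
```

Run against a real PIX configuration, the script only narrows the review to the ICMP permits; deciding which of the flagged rules to tighten to the ISP range still depends on what the upstream and internal hosts actually need, as Ivan's reply points out.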