


Firewall Wizards: Re: ICMP Packets.

Re: ICMP Packets.

From: Alec Muffett - SunLabs <Alec.Muffett_at_UK.Sun.COM>
Date: Tue, 02 Jun 1998 14:29:51 +0100

>1) Is there any reason that echo reply would need to be allowed out in
>response to an external request? I know this is the case for other ICMP
>messages such as packet-too-big, but I am not sure why echo-reply would
>ever be needed

Sometimes, if you have your own DNS domain, your NIC will want to ping your
DNS server at regular intervals to check that it is alive; since the DNS
server is likely to be inside your perimeter router, this is one possible
instance where it may be necessary. I saw this happen with ".com.ru", IIRC.

Nonetheless, as others have said, ban *everything* and then only explicitly
permit the minimum set of functionality that is required for business function.

        - alec

-- 
    alec muffett, sun microsystems laboratories, alec.muffett @ uk.sun.com
               birds and planes go through the rainbow every day
Received on Jun 02 1998
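
The default-deny approach from the message above, modelled as a first-match ICMP rule table. This is an added example, not part of the original post; the addresses, the rule set and the `decide` helper are constructed assumptions (RFC 5737 documentation ranges stand in for the DNS server and the NIC's monitoring hosts).

```python
"""Default-deny ICMP policy for a perimeter router, as a first-match rule table."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

# Constructed addresses (RFC 5737 documentation ranges), not taken from the post.
INSIDE = ip_network("192.0.2.0/24")          # hosts behind the perimeter router
DNS_SERVER = ip_network("192.0.2.53/32")     # the internal DNS server
NIC_MONITOR = ip_network("198.51.100.0/24")  # registry hosts that ping the DNS server
ANY = ip_network("0.0.0.0/0")

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST = 0, 3, 8
FRAG_NEEDED = 4  # code under type 3: the IPv4 "packet too big" message


class Rule(NamedTuple):
    direction: str            # "in" or "out" relative to the perimeter
    src: object               # source network
    dst: object               # destination network
    icmp_type: int
    icmp_code: Optional[int]  # None matches any code


# Only what the business function needs; anything not listed is dropped.
RULES = [
    # The registry may ping the DNS server, and only the DNS server may answer it.
    Rule("in", NIC_MONITOR, DNS_SERVER, ECHO_REQUEST, 0),
    Rule("out", DNS_SERVER, NIC_MONITOR, ECHO_REPLY, 0),
    # Packet-too-big is permitted in both directions (assumption: path MTU
    # discovery is in use).
    Rule("out", INSIDE, ANY, DEST_UNREACH, FRAG_NEEDED),
    Rule("in", ANY, INSIDE, DEST_UNREACH, FRAG_NEEDED),
]


def decide(direction, src, dst, icmp_type, icmp_code=0):
    """Return "permit" if an explicit rule matches, otherwise "deny"."""
    src, dst = ip_address(src), ip_address(dst)
    for r in RULES:
        if (r.direction == direction and src in r.src and dst in r.dst
                and r.icmp_type == icmp_type
                and r.icmp_code in (None, icmp_code)):
            return "permit"
    return "deny"  # default: ban everything that was not explicitly permitted
```

Scoping the echo-reply rule to the DNS server and the monitoring range means no other internal host answers pings from outside, even though echo-reply is allowed out.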