Firewall Wizards: Re: ICMP Packets.


From: <tqbf_at_pobox.com>
Date: Sat, 6 Jun 1998 03:33:33 -0500 (CDT)

> It hit me two minutes after I clicked on send that I hadn't worded
> my previous email correctly. Hadn't had enough caffeine yet. :(

> We allow *outbound*:

Sorry, didn't see this message until later in my mail spool.

> - echo (type 8/code 0)
> - parameter-problem (12/[0|1])
> - source-quench (4/0)
> - ttl-exceeded (11/[0|1])

> and deny all other ICMP outbound.

> Inbound we allow all ICMP.

This seems like a poor policy to me. By allowing arbitrary inbound ICMP
(and restricting ICMP transactions based on outbound responses) you open
yourself to whatever attacks may exist due to buggy implementations
mishandling messages --- a good filter design should shield you from any
potential sources of bugs on your internal machines.

If you want to allow internal hosts to ping outbound, filter inbound echo
requests and allow them outbound. If you want to be paranoid, filter
outbound echo reply messages, too. Admittedly, the only way to stop
traceroute from working is to filter the outbound TTL exceeded messages,
but you're not doing that here (perhaps your policy allows traceroutes).

-----------------------------------------------------------------------------
Thomas H. Ptacek The Company Formerly Known As Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.pobox.com/~tqbf "If you're so special, why aren't you dead?"
Received on Jun 07 1998
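The filter design Ptacek describes, written out as a stateless nftables forward ruleset; this is an added example, not part of the original post. It assumes eth0 faces the Internet and eth1 the internal network, and shows the original poster's inbound allow-all as a comment for contrast.

```nft
# Added example: stateless ICMP forward policy modelled on the reply above.
# Assumptions (not in the post): eth0 faces the Internet, eth1 the internal LAN.
table inet icmp_policy {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # The original poster's inbound rule, kept here for contrast only:
        #   iifname "eth0" oifname "eth1" ip protocol icmp accept
        # It hands every ICMP type to internal hosts and relies on each
        # host's implementation handling every message correctly.

        # Outbound: the four types the original policy already permits.
        iifname "eth1" oifname "eth0" icmp type echo-request accept
        iifname "eth1" oifname "eth0" icmp type parameter-problem icmp code { 0, 1 } accept
        iifname "eth1" oifname "eth0" icmp type source-quench accept
        # Dropping time-exceeded here is the only way to stop traceroute
        # into the network; the post leaves it allowed, so this does too.
        iifname "eth1" oifname "eth0" icmp type time-exceeded icmp code { 0, 1 } accept

        # The "paranoid" option from the post: internal hosts never answer
        # pings even if an echo request slips in. Change to accept otherwise.
        iifname "eth1" oifname "eth0" icmp type echo-reply drop

        # Inbound: refuse echo requests so outside hosts cannot ping internal
        # machines, and admit only the replies our own outbound pings solicit.
        iifname "eth0" oifname "eth1" icmp type echo-request drop
        iifname "eth0" oifname "eth1" icmp type echo-reply accept

        # Every other ICMP message, in either direction, falls to the drop policy.
    }
}
```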
