Re: TTL, works with Cisco ACLs too :)
From: Lance Spitzner <lance () spitzner net>
Date: Wed, 8 Nov 2000 18:31:44 -0600 (CST)
On Thu, 9 Nov 2000, Alex Goldney wrote:
> OK, so you aren't blocking any ICMP packets with access-lists. That should
> avoid the problem, no? Of course, it can be considered a bit unfriendly to
> block the lot.
>
> Path MTU discovery stuff should be allowed at least in general. I guess
> that opens up the possibility for the same type of attack if the MTU for
> one of your router's links is less than the MTU of the incoming internet
> link. This case should be pretty rare though.
Keep in mind, many Firewalls/Screening Routers do not block ICMP error
messages. Those that do block ICMP error messages block them inbound from
the untrusted networks, such as the Internet, or block them inbound from
internal networks. However, most rulebases/ACLs do NOT block ICMP error
messages generated by the filtering device itself.
Keep in mind, this is a generalization based on my experience.
firewall-wizards mailing list
firewall-wizards () nfr com
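The TTL trick in the subject line, worked through as an added example that is not code from Lance's or Alex's posts: a pure-Python model of a screening router with a Cisco-style inbound ACL (first match wins, implicit deny), where the filter forwards permitted probes and the hop behind it answers with ICMP Time Exceeded. The topology, ACL, addresses (RFC 5737 documentation ranges) and ports are constructed for the example; the ACL-before-forwarding ordering, the absence of a return-path ACL, and the send_unreachables knob (standing in for 'ip unreachables' / 'no ip unreachables') are assumptions of the model, not measured IOS behaviour.

```python
"""
Firewalk-style TTL probing of a screening router, modelled in pure Python.

Added example for this thread, not code from either post: the hops, ACL,
addresses and ports below are constructed, and the whole "network" runs in
memory, so no raw sockets or real Cisco device are involved.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int            # destination port (0 for icmp)
    ttl: int


@dataclass
class IcmpError:
    origin: str           # hop that generated the error
    icmp_type: int        # 11 = time exceeded, 3 = destination unreachable
    icmp_code: int        # 13 = administratively prohibited (type 3)


@dataclass
class AclEntry:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp", "icmp" or "ip" (any protocol)
    dport: Optional[int]  # None = any port


class Hop:
    """Plain router: decrement TTL; expire the packet if it hits zero, else forward."""

    def __init__(self, name: str, next_hop: Optional["Hop"] = None) -> None:
        self.name = name
        self.next_hop = next_hop

    def receive(self, pkt: Packet) -> Optional[IcmpError]:
        pkt.ttl -= 1
        if pkt.ttl <= 0:
            # The hop's own ICMP Time Exceeded, sent back toward pkt.src.
            return IcmpError(self.name, 11, 0)
        if self.next_hop is None:
            return None  # delivered to the end host; nothing comes back in this model
        # Assumption: whatever downstream hops send back transits this hop unfiltered.
        return self.next_hop.receive(pkt)


class AclRouter(Hop):
    """Screening router with an inbound ACL on its untrusted interface.

    First matching entry wins, implicit deny at the end (Cisco semantics).
    send_unreachables models 'ip unreachables' (default) vs 'no ip unreachables'.
    """

    def __init__(self, name: str, acl: List[AclEntry], next_hop: Hop,
                 send_unreachables: bool = True) -> None:
        super().__init__(name, next_hop)
        self.acl = acl
        self.send_unreachables = send_unreachables

    def permitted(self, pkt: Packet) -> bool:
        for entry in self.acl:
            if entry.proto in ("ip", pkt.proto) and entry.dport in (None, pkt.dport):
                return entry.action == "permit"
        return False  # implicit deny

    def receive(self, pkt: Packet) -> Optional[IcmpError]:
        if not self.permitted(pkt):
            # Locally generated error: the inbound ACL never sees it, which is
            # the observation made in the thread.
            return IcmpError(self.name, 3, 13) if self.send_unreachables else None
        return super().receive(pkt)


def build_network(send_unreachables: bool = True) -> Hop:
    """Constructed topology: probe host -> isp-edge -> screening-rtr -> inside-rtr."""
    acl = [AclEntry("permit", "tcp", 80), AclEntry("permit", "tcp", 443),
           AclEntry("permit", "udp", 53), AclEntry("deny", "ip", None)]
    inside = Hop("inside-rtr")
    screen = AclRouter("screening-rtr", acl, inside, send_unreachables)
    return Hop("isp-edge", screen)


def firewalk(first_hop: Hop, hops_to_filter: int, ports: List[int],
             proto: str = "tcp") -> Dict[int, Tuple[str, Optional[str]]]:
    """Classic firewalk: TTL = hops to the filter + 1.

    A probe the ACL forwards expires on the hop *behind* the filter and comes
    back as ICMP type 11 from that hop; a denied probe yields either ICMP 3/13
    from the filter or silence. Returns {port: (verdict, origin_of_icmp)}.
    """
    results: Dict[int, Tuple[str, Optional[str]]] = {}
    for port in ports:
        # Constructed addresses from the RFC 5737 documentation ranges.
        pkt = Packet("203.0.113.5", "198.51.100.10", proto, port, hops_to_filter + 1)
        err = first_hop.receive(pkt)
        if err is None:
            results[port] = ("filtered", None)
        elif err.icmp_type == 11:
            results[port] = ("open", err.origin)
        elif err.icmp_type == 3 and err.icmp_code == 13:
            results[port] = ("denied", err.origin)
        else:
            results[port] = ("unexpected", err.origin)
    return results


if __name__ == "__main__":
    for flag in (True, False):
        print(f"ip unreachables={'on' if flag else 'off'}")
        for port, (verdict, origin) in firewalk(build_network(flag), 2, [22, 80, 443, 8080]).items():
            print(f"  tcp/{port}: {verdict}" + (f" (ICMP from {origin})" if origin else ""))
```

Running it shows that turning unreachables off on the screening router only changes denied ports from "denied" to "filtered"; permitted ports still come back as "open", because the Time Exceeded is generated by the hop behind the filter and, in this model, nothing on the return path filters it. That is the sense in which an ACL that blocks ICMP errors inbound from the untrusted side does not close this channel.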