Home page logo
/

firewall-wizards logo Firewall Wizards mailing list archives

Re: TTL, works with Cisco ACL's to :)
From: "Alex Goldney" <agoldney () qantas com au>
Date: Thu, 9 Nov 2000 18:09:35 +1000


I know a lot of sites don't do good egress filtering, and I guess that is
the point that needs to be hammered home.....

Alex.




From: Lance Spitzner <lance () spitzner net>@nfr.com on 08/11/2000 18:31 CST

Sent by:  firewall-wizards-admin () nfr com


To:   Alex Goldney <agoldney () qantas com au>
cc:   firewall-wizards () nfr com, nmap-hackers () insecure org
Subject:  Re: [fw-wiz] TTL, works with Cisco ACL's to :)


On Thu, 9 Nov 2000, Alex Goldney wrote:

OK, so you aren't blocking any ICMP packets with access-lists.  That
should
avoid the problem, no?  Of course, it can be considered a bit unfriendly
to
block the lot.

PATH MTU discovery stuff should be allowed at least in general.  I guess
that opens up the possiblility for the same type of attack if the MTU for
one of your routers links is less than the MTU of the incoming internet
link.  This case should be pretty rare though.

Keep in mind, many Firewalls/Screening Routers do not block ICMP error
messages.  Those that do block ICMP error messages block them inbound from
the untrusted networks, such as the Internet, or block them inbound from
internal networks.  However, most rulebases/ACLs do NOT block ICMP error
messages generated by the filtering device itself.

Keep in mind, this is a generalization based on my experience.

lance


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards




_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]