Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: ICMP (was: daily internet traffic report)
From: James Edwards <hackerwacker () cybermesa com>
Date: Sun, 17 Oct 2004 16:35:13 -0600

On Sun, 2004-10-17 at 15:46, Cedric Blancher wrote:
Le dim 17/10/2004 à 22:21, James Edwards a écrit :
So, blocking ***all*** ICMP ***types*** is bad but you can block some
***types*** without getting into trouble. Till you understand that all
the types do in relation to networking I would leave the alone.

Nowadays, using a decent stateful firewall allows one to get rid of ICMP
filtering by associating ICMP errors to existing connections. As an
example, when filtering using Netfilter, ICMP errors triggered by known
IP connections are recognized as such (i.e. RELATED state) and thus can
be filtered in a different way unsollicited ones (i.e. INVALID state)

This kind of feature allows one not to block valid ICMP stuff and keep
away from direct ICMP solicitations you can filter the way you want.

My 0.02€...

That is great till you want to run a server behind that firewall.
The bigger picture, to me, is you gain little in security by blocking ICMP.


Attachment: signature.asc
Description: This is a digitally signed message part

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]