Firewall Wizards mailing list archives
Re: Blocking ICMP with ipchains
From: "Carric Dooley" <carric () com2usa com>
Date: Fri, 14 Jan 2000 12:01:59 -0500
That is kind of the opposite way to look at it...

Block ALL ICMP and then allow:

echo reply
source quench
destination unreachable
(and time exceeded if you use traceroute a lot)

This just lets a response come back when you ping a host, lets routers tell you you are sending too much traffic and that your destination is unreachable, and the Time Exceeded I left open to get responses when doing a traceroute.

Carric Dooley
Network Security Consultant

"A little inaccuracy sometimes saves a ton of explanation."
- H. H. Munro (Saki) (1870-1916)

----- Original Message -----
From: <wwebb () adni net>
To: <firewall-wizards () nfr net>
Sent: Tuesday, January 11, 2000 7:18 PM
Subject: Blocking ICMP with ipchains

I've heard that it is not wise to block all ICMP operations. Such being the case, which of these ICMP operations are safe to block without causing serious problems:

echo-reply (pong)
destination-unreachable
   network-unreachable
   host-unreachable
   protocol-unreachable
   port-unreachable
   fragmentation-needed
   source-route-failed
   network-unknown
   host-unknown
   network-prohibited
   host-prohibited
   TOS-network-unreachable
   TOS-host-unreachable
   communication-prohibited
   host-precedence-violation
   precedence-cutoff
source-quench
redirect
   network-redirect
   host-redirect
   TOS-network-redirect
   TOS-host-redirect
echo-request (ping)
router-advertisement
router-solicitation
time-exceeded (ttl-exceeded)
   ttl-zero-during-transit
   ttl-zero-during-reassembly
parameter-problem
   ip-header-bad
   required-option-missing
timestamp-request
timestamp-reply
address-mask-request
address-mask-reply

Thanks for any assistance.
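
The policy in the reply above, written out as ipchains rules in an added example that is not part of the original messages. The function only prints the commands; the interface argument, the use of the `input` chain and the `-l` logging on the final rule are assumptions.

```shell
#!/bin/sh
# Added example: print ipchains commands for "block all ICMP, then allow a few".
# Nothing here is executed against the firewall; review the output, then run it.

# Types the reply proposes to let in (ipchains --icmp-type names).
ALLOWED_ICMP="echo-reply source-quench destination-unreachable time-exceeded"

# Top-level type names from the list in the quoted question; used to catch typos.
KNOWN_ICMP="echo-reply destination-unreachable source-quench redirect echo-request router-advertisement router-solicitation time-exceeded parameter-problem timestamp-request timestamp-reply address-mask-request address-mask-reply"

# icmp_rules IFACE [TYPE...]
# Prints one ipchains command per line: an ACCEPT per allowed type, then a
# logged DENY for every other ICMP packet arriving on IFACE.
icmp_rules() {
    iface=$1
    [ -n "$iface" ] || { echo "usage: icmp_rules IFACE [TYPE...]" >&2; return 2; }
    shift
    [ $# -gt 0 ] || set -- $ALLOWED_ICMP

    # Validate every name before printing anything, so a typo cannot
    # produce a half-built rule set.
    for t in "$@"; do
        case " $KNOWN_ICMP " in
            *" $t "*) ;;
            *) echo "unknown ICMP type: $t" >&2; return 1 ;;
        esac
    done

    # ipchains stops at the first matching rule, so the ACCEPTs come first.
    for t in "$@"; do
        echo "ipchains -A input -i $iface -p icmp --icmp-type $t -j ACCEPT"
    done
    echo "ipchains -A input -i $iface -p icmp -j DENY -l"
}
```

ipchains filters statelessly, so these ACCEPT rules match on ICMP type alone and do not check that an incoming reply corresponds to traffic you sent.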
