 
From: Christian Vogel (chris_at_obelix.hedonism.cx)
Date: Tue Feb 04 2003 - 12:46:33 CST


    Hi Frederic,

    > Although I _could_ agree as far as firewalls are concerned, I don't
    > when it comes to routers.
    > Blocking/dropping any ICMP packet usually turns into a real nightmare
    > when you have to perform troubleshooting on a wide network.

    Please don't spread the word that ICMP is only for troubleshooting
    networks. ICMP has its uses besides "PING", the most important one
    being "Path-MTU-Discovery", which will break when filtering all
    ICMP packets! [1]

    There is a really frightening number of clueless admins who misconfigure
    their firewalls this way!

            Chris

    [1] the canonical example being a webserver behind a firewall which blocks
        all ICMP packets. If the webserver has path-mtu-discovery enabled the
        following will happen when you (as a client) are sitting behind a
        smaller-than-ethernet-MTU link (PPPoE DSL or tunnel, for example):

        1.) www-server sends data packet (as large as the local ethernet permits)
            to client
        2.) a router between server and client will drop this packet because:
             - the link MTU (PPPoE, tunnel) is too small
             - the packet has its "don't fragment" bit set (because of
               the webserver trying path-mtu-discovery)
        2b) the router will send an ICMP "fragmentation needed but DF set" message
            to the webserver
        3.) the firewall in front of the webserver drops this packet
        4.) the webserver will never be informed that its packets are
            too large and will keep sending too-large packets which never
            reach the client.

    -- 
    And remember - if it ain't broke, hit it again. -- Foon
    
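The four-step failure in Chris's footnote, as a small added model (this code is not part of the original mail or any project). It plays the server, the router on the small link and the firewall in front of the server, and compares a firewall that drops every ICMP packet with one that still lets "fragmentation needed, DF set" (ICMP type 3, code 4) through. The MTU values (1500-byte Ethernet at the server, a 1492-byte PPPoE link towards the client), the 10000-byte transfer and all class and function names are assumptions chosen for illustration.

```python
"""Model of the path-MTU-discovery blackhole caused by a firewall that
drops all ICMP.  Added example; MTU values and names are assumptions."""
from dataclasses import dataclass

IP_HEADER = 20    # bytes of IPv4 header per packet
ICMP_HEADER = 8   # bytes of ICMP header


@dataclass
class Packet:
    src: str
    dst: str
    size: int              # total IP length in bytes
    df: bool               # "don't fragment" bit
    proto: str = "tcp"     # "tcp" (data) or "icmp"
    icmp_type: int = 0     # only meaningful when proto == "icmp"
    icmp_code: int = 0
    next_hop_mtu: int = 0  # carried in ICMP type 3 code 4 (RFC 1191)


@dataclass
class Firewall:
    """Stateless packet filter in front of the web server (step 3)."""
    block_all_icmp: bool

    def allows(self, pkt: Packet) -> bool:
        if pkt.proto != "icmp":
            return True
        if self.block_all_icmp:
            return False            # the misconfiguration from the post
        # Corrected policy: still drop other ICMP, but pass
        # "fragmentation needed, DF set" so PMTU discovery can work.
        return (pkt.icmp_type, pkt.icmp_code) == (3, 4)


@dataclass
class Router:
    """Router whose outgoing link (PPPoE, tunnel) is smaller than Ethernet."""
    link_mtu: int

    def forward(self, pkt: Packet):
        """Return (delivered, icmp_reply_or_None) for one packet (steps 2/2b)."""
        if pkt.size <= self.link_mtu:
            return True, None
        if not pkt.df:
            return True, None       # DF clear: router fragments, data gets through
        # Too large and DF set: drop it and tell the sender the link MTU.
        reply = Packet(src="router", dst=pkt.src,
                       size=IP_HEADER + ICMP_HEADER + 28, df=False,
                       proto="icmp", icmp_type=3, icmp_code=4,
                       next_hop_mtu=self.link_mtu)
        return False, reply


@dataclass
class WebServer:
    """Server that fills packets up to its current path MTU (step 1)."""
    path_mtu: int = 1500     # starts at the local Ethernet MTU
    pmtud: bool = True       # sets DF on data packets when enabled

    def send(self, nbytes: int, router: Router, fw: Firewall, max_tries: int = 20):
        """Push `nbytes` of payload; return (all_delivered, packets_sent)."""
        remaining, sent = nbytes, 0
        while remaining > 0 and sent < max_tries:
            size = min(self.path_mtu, remaining + IP_HEADER)
            pkt = Packet("www", "client", size, df=self.pmtud)
            sent += 1
            ok, icmp = router.forward(pkt)
            if ok:
                remaining -= size - IP_HEADER
            elif icmp is not None and fw.allows(icmp):
                self.path_mtu = icmp.next_hop_mtu   # PMTUD: shrink and retry
            # else: step 4, nothing learned, same oversized packet next time
        return remaining <= 0, sent


def simulate(block_all_icmp: bool, pmtud: bool = True, payload: int = 10000) -> dict:
    """Run one transfer through router (PPPoE, MTU 1492) and firewall."""
    server = WebServer(pmtud=pmtud)
    delivered, sent = server.send(payload, Router(link_mtu=1492),
                                  Firewall(block_all_icmp))
    return {"delivered": delivered, "path_mtu": server.path_mtu, "sent": sent}


if __name__ == "__main__":
    print("all ICMP blocked, PMTUD on :", simulate(block_all_icmp=True))
    print("type 3/4 allowed, PMTUD on :", simulate(block_all_icmp=False))
    print("all ICMP blocked, PMTUD off:", simulate(block_all_icmp=True, pmtud=False))
```

With every ICMP packet dropped the server never learns the smaller MTU and retransmits the same 1500-byte packet until it gives up; once type 3 code 4 is allowed the first reply lowers the path MTU to 1492 and the rest of the transfer goes through. On a Linux box the corresponding filter exception is `iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT` (or `--icmp-type 3/4`), and `ping -M do -s 1472 <host>` from the client side, which sends DF-set probes of full Ethernet size, is a quick way to check whether those messages actually come back.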

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com