NFR Wizards Archive: Re: ICMP Packets.

Re: ICMP Packets.


tqbf@pobox.com
Tue, 2 Jun 1998 11:26:24 -0500 (CDT)


> 1) Is there any reason that echo reply would need to be allowed out in response to an external request? I know this is the case for other ICMP messages such as packet-too-big, but I am not sure why echo-reply would ever be needed.

No. Lots of people use ECHO REPLY messages to encapsulate tunnels through
firewalls for things like sniffer logs. Filtering ECHO REPLY doesn't stop
this, but it makes it more irritating. Of course, if you want people
inside to be able to ping outside machines, you need to allow ECHO REPLY
messages inbound.

> 2) Is there a list of ICMP message types that are needed as opposed to ones that are just used for troubleshooting ( like echo, echo-reply ) that can be blocked without problems.

Not that I know of, but you should remember that for information gathering
purposes, blocking ECHO REQUEST messages is a pretty futile gesture. There
are many, many, many different types of packets that can be sent that will
elicit some form of response from most remote machines. This isn't limited
to ICMP; UDP messages can elicit ICMP errors, TCP ACK packets can elicit
RSTs, malformed IP packets can elicit ICMP errors, etc, etc.

The fix for this is not to rely on packet filters.

-----------------------------------------------------------------------------
Thomas H. Ptacek The Company Formerly Known As Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.pobox.com/~tqbf "If you're so special, why aren't you dead?"
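Added example, not part of the archived message above: a short Python script
that shows the two points in the reply concretely. It builds ICMP ECHO REPLY
packets (RFC 792 header: type, code, checksum, identifier, sequence) that carry
arbitrary data in the payload, the way the tunnels the reply mentions do, and
runs them through a toy stateless inbound filter that drops ECHO REQUEST from
outside but permits ECHO REPLY so inside hosts can still ping out. The filter
rules, the identifier value and the sample "sniffer log" data are constructed
for illustration and are not from the original post or from any real product.

```python
import struct

# ICMP type values per RFC 792.
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length padded).

    Over a packet whose checksum field is already filled in, this returns 0.
    """
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an ICMP echo-family packet (header + payload) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Parse and checksum-verify an ICMP packet; raises ValueError on damage."""
    if len(packet) < 8:
        raise ValueError("short ICMP packet")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    return {"type": icmp_type, "code": code, "id": ident,
            "seq": seq, "payload": packet[8:]}


def tunnel_encode(data: bytes, ident: int, chunk: int = 32) -> list:
    """Split data across ECHO REPLY packets; the sequence field carries ordering."""
    return [build_icmp(ICMP_ECHO_REPLY, ident, i, data[off:off + chunk])
            for i, off in enumerate(range(0, len(data), chunk))]


def tunnel_decode(packets: list, ident: int) -> bytes:
    """Reassemble tunnel data from ECHO REPLY packets matching our identifier."""
    parts = {}
    for pkt in packets:
        p = parse_icmp(pkt)
        if p["type"] == ICMP_ECHO_REPLY and p["id"] == ident:
            parts[p["seq"]] = p["payload"]
    return b"".join(parts[k] for k in sorted(parts))


def inbound_filter_allows(packet: bytes) -> bool:
    """Toy stateless inbound ICMP rule set (constructed for this example):
    drop ECHO REQUEST from outside, drop anything malformed, allow the rest
    (including ECHO REPLY, so inside hosts can ping outside machines)."""
    try:
        p = parse_icmp(packet)
    except ValueError:
        return False
    return p["type"] != ICMP_ECHO_REQUEST


def demo() -> dict:
    """Push constructed 'sniffer log' data through the tunnel and the filter."""
    # Constructed sample data, not real captured logs.
    data = b"sniffer log line 1\nsniffer log line 2\n"
    ident = 0x1234
    pkts = tunnel_encode(data, ident, chunk=16)
    return {
        "packets": len(pkts),
        "passed_filter": sum(inbound_filter_allows(p) for p in pkts),
        "roundtrip_ok": tunnel_decode(pkts, ident) == data,
        "request_blocked": not inbound_filter_allows(
            build_icmp(ICMP_ECHO_REQUEST, ident, 0, b"ping")),
    }


if __name__ == "__main__":
    print(demo())
```

Every tunnel packet passes the filter while the plain ECHO REQUEST is dropped:
blocking requests alone changes nothing for data carried in replies, which is
the reply's point that the fix is not to rely on packet filters.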



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:00 CDT