Re: ICMP Packets.

tqbfpobox.com
Sat, 6 Jun 1998 03:33:33 -0500 (CDT)

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
• Next message: tqbfpobox.com: "Re: Speeds and feeds"
• Previous message: Andrew J. Luca: "RE: Speeds and feeds"
• In reply to: tqbfpobox.com: "Re: Speeds and feeds"
• Next in thread: Krammes,Jim: "RE: ICMP Packets."

> It hit me two minutes after I clicked on send that I hadn't worded
> my previous email correctly. Hadn't had enough caffeine yet. :(

> We allow *outbound*:

Sorry, didn't see this message until later in my mail spool.

> - echo (type 8/code 0)
> - parameter-problem (12/[0|1])
> - source-quench (4/0)
> - ttl-exceeded (11/[0|1])

> and deny all other ICMP outbound.

> Inbound we allow all ICMP.

This seems like a poor policy to me. By allowing arbitrary inbound ICMP
(and restricting ICMP transactions based on outbound responses) you open
yourself to whatever attacks may exist due to buggy implementations
mishandling messages --- a good filter design should shield you from any
potential sources of bugs on your internal machines.

If you want to allow internal hosts to ping outbound, filter inbound echo
requests and allow them outbound. If you want to be paranoid, filter
outbound echo reply messages, too. Admittedly, the only way to stop
traceroute from working is to filter the outbound TTL exceeded messages,
but you're not doing that here (perhaps your policy allows traceroutes).

-----------------------------------------------------------------------------
Thomas H. Ptacek The Company Formerly Known As Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.pobox.com/~tqbf "If you're so special, why aren't you dead?"

• Next message: tqbfpobox.com: "Re: Speeds and feeds"
• Previous message: Andrew J. Luca: "RE: Speeds and feeds"
• In reply to: tqbfpobox.com: "Re: Speeds and feeds"
• Next in thread: Krammes,Jim: "RE: ICMP Packets."

This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:22 CDT