Subject: Re: [fw-wiz] ICMP blocking on PIX .4.4.1
From: dominik.ratajski at centrelink.gov.au
Date: Thu May 04 2000 - 22:55:09 CDT
- Next message: Paul Boyer: "Re: [fw-wiz] RE: High Speed Firewalls"
- Previous message: hermit1: "Re: [fw-wiz] B.O.F."
- Maybe in reply to: majordomo: "[fw-wiz] ICMP blocking on PIX .4.4.1"
- Next in thread: GibsonB at gruntal.com: "RE: [fw-wiz] ICMP blocking on PIX .4.4.1"
- Maybe reply: dominik.ratajski at centrelink.gov.au: "Re: [fw-wiz] ICMP blocking on PIX .4.4.1"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
majordomo <lists at indifference.org> wrote:
>
> >
[I had written, in part:]
> > Allowing ICMP (or any connection-less protocol, such as UDP) *through*
> > the firewall is another issue entirely. Connection-less protocols are
> > not safe. Cannot be made safe. Other than perhaps allowing syslog
> > from the router to a syslog host, specifically, I don't see any
> > particular reason to allow any UDP through a firewall.
>
[Comments by Steve Bellovin noted.]
>
> Doesn't DNS use udp? As for the icmp issue, I agree with you.
Yes. (And TCP for zone transfers. But that is a different discussion.)
But it's not advisable to allow outside queries of one's internal DNS.
Regards,
Jim
-- 
Jim Seymour | PGP Public Key available at:
jseymour at LinxNet.com | http://www.cam.ac.uk.pgp.net/pgpnet/wwwkeys.html
http://home.msen.com/~jimsun | http://www.trustcenter.de/cgi-bin/SearchCert.cgi
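The exchange above turns on one point: a connection-less protocol gives the firewall no handshake to track, so anything it lets back in is matched only by addresses and ports within a time window. The following Python model is an added illustration, not code from the thread or from the PIX. It mimics how a PIX-style filter builds a UDP "pseudo-connection" from an outbound datagram and admits only a matching reply before an idle timeout, while carrying the two policy points made above: syslog from the border router to one syslog host is the only unsolicited inbound UDP permitted, and outside queries (UDP or TCP/53) to the internal DNS server are refused. All addresses, the 60-second timeout and the rule set are assumptions chosen for the example.

```python
"""Model of UDP pseudo-connection handling at a stateful packet filter.

Added example, not code from the original post. Addresses are assumptions:
  10.0.0.0/8   internal network
  10.0.0.53    internal DNS server (also acts as the outbound resolver here)
  10.0.0.5     syslog host
  192.0.2.1    border router, the only permitted syslog source
  everything else is "outside"
"""
from dataclasses import dataclass
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
SYSLOG_HOST = ipaddress.ip_address("10.0.0.5")
BORDER_ROUTER = ipaddress.ip_address("192.0.2.1")
UDP_TIMEOUT = 60.0  # seconds of idle time before a UDP pseudo-connection is dropped (assumed)


@dataclass(frozen=True)
class Pkt:
    proto: str    # "udp", "tcp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    t: float      # arrival time in seconds, used for the idle timeout


class Filter:
    def __init__(self) -> None:
        # (src, sport, dst, dport) of an outbound UDP datagram -> time it was last seen.
        # This is the only "state" a connection-less protocol can give us.
        self.udp_state: dict[tuple[str, int, str, int], float] = {}

    def decide(self, p: Pkt) -> str:
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        inbound = dst in INTERNAL and src not in INTERNAL
        outbound = src in INTERNAL and dst not in INTERNAL

        if p.proto == "icmp":
            # Not passed *through* the firewall in either direction.
            return "deny"

        if p.proto == "udp":
            # The one explicitly permitted unsolicited inbound UDP flow:
            # router -> syslog host, destination port 514.
            if inbound and src == BORDER_ROUTER and dst == SYSLOG_HOST and p.dport == 514:
                return "permit"
            if outbound:
                # Remember the 4-tuple so the single expected reply can come back.
                self.udp_state[(p.src, p.sport, p.dst, p.dport)] = p.t
                return "permit"
            if inbound:
                # A reply must mirror an outbound tuple exactly and arrive in time.
                # Anyone who guesses the tuple within the window also gets through,
                # which is why UDP cannot be made as safe as a tracked TCP session.
                key = (p.dst, p.dport, p.src, p.sport)
                last = self.udp_state.get(key)
                if last is not None and p.t - last <= UDP_TIMEOUT:
                    return "permit"
            # Covers outside queries to 10.0.0.53:53 and everything else unsolicited.
            return "deny"

        if p.proto == "tcp":
            # Outbound TCP allowed; no inbound TCP, so no zone transfers from outside.
            return "permit" if outbound else "deny"

        return "deny"


if __name__ == "__main__":
    f = Filter()
    for pkt in (
        Pkt("udp", "198.51.100.7", 40000, "10.0.0.53", 53, 0.0),   # outside DNS query
        Pkt("udp", "10.0.0.53", 33000, "198.51.100.2", 53, 1.0),   # our resolver asks out
        Pkt("udp", "198.51.100.2", 53, "10.0.0.53", 33000, 1.5),   # matching reply
        Pkt("udp", "198.51.100.2", 53, "10.0.0.53", 33000, 100.0), # same reply, too late
        Pkt("udp", "192.0.2.1", 514, "10.0.0.5", 514, 3.0),        # router syslog
    ):
        print(f.decide(pkt), pkt)
```

Running the script prints the decision for each constructed packet. The timeout window and the reply-matching rule are the crux: the filter has no way to know that the datagram from 198.51.100.2 port 53 is the real answer rather than a forgery aimed at an open slot, which is the weakness the thread is pointing at.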