From: Juergen Nickelsen
Organization: Tellique Kommunikationstechnik GmbH, Germany
Date: Tue, 15 Jun 1999 16:56:49 +0200
To: sporkl@ix.netcom.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: firewalls

Spike wrote:

> Which are appropriate to block?

On my own firewall, I let pass the ICMP types

     0  Echo Reply                   [RFC792]
     3  Destination Unreachable      [RFC792]
     4  Source Quench                [RFC792]
     8  Echo                         [RFC792]
    11  Time Exceeded                [RFC792]
    12  Parameter Problem            [RFC792]
    13  Timestamp                    [RFC792]
    14  Timestamp Reply              [RFC792]
    15  Information Request          [RFC792]
    16  Information Reply            [RFC792]
    17  Address Mask Request         [RFC950]
    18  Address Mask Reply           [RFC950]
    30  Traceroute                   [RFC1393]
    31  Datagram Conversion Error    [RFC1475]

(excerpted from RFC 1700)

For completeness, these are the other types that are blocked:

     1  Unassigned                               [JBP]
     2  Unassigned                               [JBP]
     5  Redirect                                 [RFC792]
     6  Alternate Host Address                   [JBP]
     7  Unassigned                               [JBP]
     9  Router Advertisement                     [RFC1256]
    10  Router Selection                         [RFC1256]
    19  Reserved (for Security)                  [Solo]
 20-29  Reserved (for Robustness Experiment)     [ZSu]
    32  Mobile Host Redirect                     [David Johnson]
    33  IPv6 Where-Are-You                       [Bill Simpson]
    34  IPv6 I-Am-Here                           [Bill Simpson]
    35  Mobile Registration Request              [Bill Simpson]
    36  Mobile Registration Reply                [Bill Simpson]
37-255  Reserved                                 [JBP]

I am not *really* sure if this is all ok, and I would appreciate a
more authoritative response.

Greetings, Juergen.

-- 
Juergen Nickelsen
Tellique Kommunikationstechnik GmbH
Gustav-Meyer-Allee 25, 13355 Berlin, Germany
Tel. +49 30 46307-552 / Fax +49 30 46307-579