Date: 15 Jun 1999 18:03:48 +0200
From: Dag-Erling Smorgrav <des@flood.ping.uio.no>
To: Juergen Nickelsen <ni@tellique.de>
Cc: sporkl@ix.netcom.com, freebsd-security@FreeBSD.ORG
Subject: Re: firewalls
Message-ID: <xzpk8t5e9i3.fsf@flood.ping.uio.no>
In-Reply-To: Juergen Nickelsen's message of "Tue, 15 Jun 1999 16:56:49 +0200"
References: <Pine.BSF.4.05.9906121112550.6023-100000@pigstuy.penguinpowered.com> <376669B1.F7E6A746@tellique.de>
Juergen Nickelsen <ni@tellique.de> writes:

> Spike wrote:
> > Which are appropriate to block?
> On my own firewall, I let pass the ICMP types
> [...]

Block everything except 0,3,8,11. You don't need anything else.

> 0 Echo Reply [RFC792]
> 3 Destination Unreachable [RFC792]

You want these.

> 4 Source Quench [RFC792]

Source quench is so obviously abusable (and useless if your TCP/IP stack has proper congestion control, which BSD practically pioneered) that there is no sense in letting it through.

> 8 Echo [RFC792]
> 11 Time Exceeded [RFC792]

You want these.

> 12 Parameter Problem [RFC792]
> 13 Timestamp [RFC792]
> 14 Timestamp Reply [RFC792]
> 15 Information Request [RFC792]
> 16 Information Reply [RFC792]
> 17 Address Mask Request [RFC950]
> 18 Address Mask Reply [RFC950]

None of these are useful.

> 30 Traceroute [RFC1393]

This is only useful if you want to use ICMP instead of UDP or TCP for traceroute.

The remaining ICMP types range from 'not useful' to 'can and will be exploited by black hats to fuck up your network'.

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?xzpk8t5e9i3.fsf>
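An added worked example, not part of the thread above and not DES's own code: a small Python model of the policy he describes (pass ICMP types 0, 3, 8 and 11, drop everything else) applied to constructed IPv4/ICMP packets, plus the two ipfw(8) rules that express the same policy. It adds one check a host firewall practitioner usually wants on top of a bare type filter: ICMP error messages (types 3 and 11) must carry the header of the datagram that triggered them, so the filter rejects "errors" about packets this host never sent. The address in LOCAL_ADDRS and the packet builders are assumptions made for the example.

```python
import socket
import struct

# ICMP types allowed through, per the policy in the message above:
# echo reply, destination unreachable, echo request, time exceeded.
ALLOWED_ICMP_TYPES = {0, 3, 8, 11}

# ICMP error messages carry the IP header plus first 8 bytes of the datagram
# that caused them (RFC 792); a host can use that to reject bogus errors.
ICMP_ERROR_TYPES = {3, 11}

# Address this host owns; constructed for the example.
LOCAL_ADDRS = {"192.0.2.10"}


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) in front of payload. Example helper."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp(src: str, dst: str, icmp_type: int, code: int = 0, body: bytes = b"") -> bytes:
    """IPv4 packet carrying an ICMP message of the given type/code. Example helper."""
    msg = struct.pack("!BBHI", icmp_type, code, 0, 0) + body
    msg = msg[:2] + struct.pack("!H", _checksum(msg)) + msg[4:]
    return build_ipv4(src, dst, 1, msg)


def filter_icmp(packet: bytes) -> str:
    """Return 'allow' or 'deny' for ICMP, 'pass' for non-ICMP (other rules decide)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "deny"                       # not a usable IPv4 header
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        return "pass"                       # protocol is not ICMP
    icmp = packet[ihl:]
    if len(icmp) < 8:
        return "deny"                       # truncated ICMP header
    icmp_type = icmp[0]
    if icmp_type not in ALLOWED_ICMP_TYPES:
        return "deny"                       # source quench, timestamps, masks, ...
    if icmp_type in ICMP_ERROR_TYPES:
        inner = icmp[8:]
        if len(inner) < 28:                 # embedded IP header + 8 bytes of datagram
            return "deny"
        inner_src = socket.inet_ntoa(inner[12:16])
        if inner_src not in LOCAL_ADDRS:
            return "deny"                   # error about a packet we never sent
    return "allow"


def ipfw_rules(base: int = 1000) -> list:
    """The same policy as ipfw(8) rules, using its icmptypes option."""
    types = ",".join(str(t) for t in sorted(ALLOWED_ICMP_TYPES))
    return [
        f"ipfw add {base} allow icmp from any to any icmptypes {types}",
        f"ipfw add {base + 10} deny log icmp from any to any",
    ]


if __name__ == "__main__":
    for rule in ipfw_rules():
        print(rule)
    probe = build_ipv4("192.0.2.10", "198.51.100.7", 17, b"\x00" * 8)
    print(filter_icmp(build_icmp("203.0.113.1", "192.0.2.10", 3, 3, probe)))
```

Note that the embedded-header check is a host-side sanity check, not something the ipfw rules above do; ipfw in that era matched only on type. Also keep in mind that type 3 includes code 4 (fragmentation needed), which path MTU discovery depends on, so blocking type 3 wholesale, as some people do, silently breaks large transfers.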