From owner-freebsd-security Tue Jun 15 9: 3:58 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id E1E0A14C2D for ; Tue, 15 Jun 1999 09:03:55 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id SAA40154; Tue, 15 Jun 1999 18:03:48 +0200 (CEST) (envelope-from des)
To: Juergen Nickelsen
Cc: sporkl@ix.netcom.com, freebsd-security@FreeBSD.ORG
Subject: Re: firewalls
References: <376669B1.F7E6A746@tellique.de>
From: Dag-Erling Smorgrav
Date: 15 Jun 1999 18:03:48 +0200
In-Reply-To: Juergen Nickelsen's message of "Tue, 15 Jun 1999 16:56:49 +0200"
Message-ID:
Lines: 45
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Juergen Nickelsen writes:
> Spike wrote:
> > Which are appropriate to block?
> On my own firewall, I let pass the ICMP types
> [...]

Block everything except 0,3,8,11. You don't need anything else.

> 0 Echo Reply [RFC792]
> 3 Destination Unreachable [RFC792]

You want these.

> 4 Source Quench [RFC792]

Source quench is so obviously abusable (and useless if your TCP/IP stack has proper congestion control, which BSD practically pioneered) that there is no sense in letting it through.

> 8 Echo [RFC792]
> 11 Time Exceeded [RFC792]

You want these.

> 12 Parameter Problem [RFC792]
> 13 Timestamp [RFC792]
> 14 Timestamp Reply [RFC792]
> 15 Information Request [RFC792]
> 16 Information Reply [RFC792]
> 17 Address Mask Request [RFC950]
> 18 Address Mask Reply [RFC950]

None of these are useful.

> 30 Traceroute [RFC1393]

This is only useful if you want to use ICMP instead of UDP or TCP for traceroute.

The remaining ICMP types range from 'not useful' to 'can and will be exploited by black hats to fuck up your network'.

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
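The allow-list in the message above (ICMP types 0, 3, 8 and 11 pass, everything else is dropped), worked through as a small packet filter. This is an added example, not code from the thread or from FreeBSD: it parses raw IPv4 datagrams, honours the IHL field so IP options cannot shift the ICMP type byte, fails closed on truncated or malformed input, and is exercised on packets constructed inline with valid checksums. All function names, and the 192.0.2.x documentation addresses, are this example's own assumptions.

```python
import struct

# Allow-list from the thread: Echo Reply, Destination Unreachable, Echo, Time Exceeded.
ALLOWED_ICMP_TYPES = frozenset({0, 3, 8, 11})

# Names for the types the thread discusses (RFC 792 / RFC 950 / RFC 1393).
ICMP_TYPE_NAMES = {
    0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
    8: "Echo", 11: "Time Exceeded", 12: "Parameter Problem",
    13: "Timestamp", 14: "Timestamp Reply", 15: "Information Request",
    16: "Information Reply", 17: "Address Mask Request",
    18: "Address Mask Reply", 30: "Traceroute",
}

IPPROTO_ICMP = 1


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words.
    Returns 0 when run over a message whose checksum field is already filled in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes):
    """Return (protocol, payload) for an IPv4 datagram, or None if malformed.
    The header length comes from IHL, so options are skipped rather than misread."""
    if len(packet) < 20:
        return None
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        return None
    return packet[9], packet[ihl:]


def icmp_verdict(packet: bytes) -> str:
    """'allow' for the four permitted ICMP types; 'deny' for every other ICMP
    type and for anything truncated or malformed (fail closed); 'not-icmp'
    for IPv4 traffic this rule does not judge."""
    parsed = parse_ipv4(packet)
    if parsed is None:
        return "deny"
    proto, payload = parsed
    if proto != IPPROTO_ICMP:
        return "not-icmp"
    if len(payload) < 4:          # type, code and checksum are the minimum header
        return "deny"
    return "allow" if payload[0] in ALLOWED_ICMP_TYPES else "deny"


def build_icmp_packet(icmp_type: int, code: int = 0, payload: bytes = b"") -> bytes:
    """Constructed sample packet: IPv4 header without options followed by an
    ICMP message, both with correct checksums. Addresses are RFC 5737 documentation space."""
    icmp = struct.pack("!BBHHH", icmp_type, code, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     IPPROTO_ICMP, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def filter_report(packets):
    """Apply the policy to each packet and return (label, verdict) pairs."""
    report = []
    for pkt in packets:
        parsed = parse_ipv4(pkt)
        label = "malformed"
        if parsed is not None:
            proto, payload = parsed
            if proto != IPPROTO_ICMP:
                label = "proto %d" % proto
            elif len(payload) >= 4:
                label = "ICMP %d %s" % (payload[0], ICMP_TYPE_NAMES.get(payload[0], "other"))
        report.append((label, icmp_verdict(pkt)))
    return report


if __name__ == "__main__":
    # Run the policy over one constructed packet of every type named in the thread.
    samples = [build_icmp_packet(t) for t in sorted(ICMP_TYPE_NAMES)]
    for label, verdict in filter_report(samples):
        print("%-5s %s" % (verdict, label))
```

On FreeBSD itself the same policy is a single ipfw rule pair, `allow icmp from any to any icmptypes 0,3,8,11` followed by a `deny icmp from any to any`; the Python above is only there to make the decision logic, including the fail-closed handling of short or option-bearing headers, visible and testable.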