Firewall stateful handling of ICMP packets
owen at delong.com
Wed Dec 3 23:57:37 UTC 2003
Actually, any halfway decent firewall allows you to permit certain ICMP
type codes while rejecting others. Not a perfect solution, but, for the
most part, there aren't a lot of fragmentation-needed exploits running
around. (In fact, I'm hard pressed to imagine how a Frag needed packet
for an invalid session could do much of anything).
--On Wednesday, December 3, 2003 5:12 PM -0500 Sean Donelan
<sean at donelan.com> wrote:
> You could drop ICMP packets at your firewall if the firewalls properly
> implemented stateful inspection of ICMP packets. The problem is few
> firewalls include ICMP responses in their stateful analysis. So you are
> left with two bad choices, permit "all" ICMP packets or deny "all" ICMP
If it wasn't crypto-signed, it probably didn't come from me.
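
The two approaches discussed in this thread can be combined: filter on ICMP type/code, then accept an error only if the packet it quotes belongs to a flow the firewall has seen leave. The sketch below is an added example, not part of the original messages or any firewall's code; the function names, addresses, ports and state table are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

ICMP_ERRORS = {3, 4, 5, 11, 12}  # ICMP types that quote the offending packet (RFC 792)

def embedded_flow(icmp: bytes):
    """Return (proto, src, sport, dst, dport) quoted inside an ICMP error, else None."""
    if len(icmp) < 8 + 20 + 4 or icmp[0] not in ICMP_ERRORS:
        return None
    inner = icmp[8:]                      # quoted IP header + first 8 payload bytes
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 4:
        return None
    proto = inner[9]
    if proto not in (6, 17):              # only TCP/UDP carry ports
        return None
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return (proto, str(IPv4Address(inner[12:16])), sport,
            str(IPv4Address(inner[16:20])), dport)

def verdict(icmp: bytes, state_table, allowed=((3, 4),)) -> str:
    """Accept only an allowed type/code whose quoted packet is a flow we sent."""
    if len(icmp) < 2 or (icmp[0], icmp[1]) not in allowed:
        return "drop"
    return "accept" if embedded_flow(icmp) in state_table else "drop"

def build_error(icmp_type, code, src, sport, dst, dport, mtu=1400):
    """Constructed test packet; checksums are zero and are not validated here."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0, 0x4000, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp8 = struct.pack("!HHI", sport, dport, 0)
    return struct.pack("!BBHHH", icmp_type, code, 0, 0, mtu) + ip + tcp8

# Constructed state table: one outbound TCP flow from an inside host.
STATE = {(6, "192.0.2.10", 40000, "198.51.100.5", 443)}

if __name__ == "__main__":
    related = build_error(3, 4, "192.0.2.10", 40000, "198.51.100.5", 443)
    stray = build_error(3, 4, "192.0.2.10", 40001, "198.51.100.5", 443)
    print(verdict(related, STATE), verdict(stray, STATE))
```

The quoted packet is the one the inside host sent, so its source and destination match the outbound state entry directly, with no need to reverse the tuple.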