Firewall stateful handling of ICMP packets

Owen DeLong owen at
Wed Dec 3 23:57:37 UTC 2003

Actually, any halfway decent firewall allows you to permit certain ICMP
type codes while rejecting others.  Not a perfect solution, but, for the
most part, there aren't a lot of fragmentation-needed exploits running
around.  (In fact, I'm hard pressed to imagine how a Frag needed packet
for an invalid session could do much of anything).
--On Wednesday, December 3, 2003 5:12 PM -0500 Sean Donelan 
<sean at> wrote:

> You could drop ICMP packets at your firewall if the firewalls properly
> implemented stateful inspection of ICMP packets.  The problem is few
> firewalls include ICMP responses in their stateful analysis.  So you are
> left with two bad choices, permit "all" ICMP packets or deny "all" ICMP
> packets.

If it wasn't crypto-signed, it probably didn't come from me.
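Stateful ICMP handling of the kind Sean describes, combined with the per-type/code permit policy Owen mentions, as an added Python sketch that is not part of this thread or of any real firewall: it admits an ICMP error (e.g. type 3 code 4, fragmentation needed) only if the datagram quoted inside it belongs to a session the inside host actually opened, and an echo reply only if it answers a request we sent. The `IcmpStateTable` class, the `ipv4`/`frag_needed`/`echo_reply` builders and all addresses are constructed for the example.

```python
import struct
from dataclasses import dataclass, field

ICMP_ERRORS = {3, 4, 5, 11, 12}  # error types that quote the offending IP header + 8 bytes

def ipv4(src: bytes, dst: bytes, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no checksum); used only to construct test packets."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload

@dataclass
class IcmpStateTable:
    """Hypothetical stateful ICMP inspector: admits only ICMP tied to a known session."""
    flows: set = field(default_factory=set)   # (proto, src, sport, dst, dport) we originated
    echoes: set = field(default_factory=set)  # (src, dst, ident, seq) of echo requests we sent
    # ICMP type -> codes admitted for a valid session: 3/4 frag-needed, 11/0 TTL exceeded
    allowed: dict = field(default_factory=lambda: {3: {4}, 11: {0}})

    def note_outbound(self, proto, src, sport, dst, dport):
        self.flows.add((proto, src, sport, dst, dport))

    def note_echo_request(self, src, dst, ident, seq):
        self.echoes.add((src, dst, ident, seq))

    def inbound_icmp_allowed(self, pkt: bytes) -> bool:
        ihl = (pkt[0] & 0x0F) * 4
        if len(pkt) < ihl + 8 or pkt[9] != 1:          # truncated, or not ICMP at all
            return False
        src, dst, itype, icode = pkt[12:16], pkt[16:20], pkt[ihl], pkt[ihl + 1]
        if itype == 0:                                  # echo reply: must answer our request
            ident, seq = struct.unpack("!HH", pkt[ihl + 4:ihl + 8])
            return (dst, src, ident, seq) in self.echoes
        if itype in ICMP_ERRORS:
            inner = pkt[ihl + 8:]                       # quoted original datagram
            iihl = (inner[0] & 0x0F) * 4 if inner else 0
            if iihl < 20 or len(inner) < iihl + 4:      # need the quoted ports too
                return False
            sport, dport = struct.unpack("!HH", inner[iihl:iihl + 4])
            key = (inner[9], inner[12:16], sport, inner[16:20], dport)
            # must refer to a session we originated AND be a permitted type/code
            return key in self.flows and icode in self.allowed.get(itype, set())
        return False                                    # anything else inbound is dropped

CLIENT, SERVER, ROUTER = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 80]), bytes([198, 51, 100, 1])

def frag_needed(router, to, proto, isrc, sport, idst, dport, mtu=1280, code=4) -> bytes:
    """Constructed type-3 ICMP error quoting the first 8 bytes of the offending transport header."""
    quoted = ipv4(isrc, idst, proto, struct.pack("!HHI", sport, dport, 0))
    return ipv4(router, to, 1, struct.pack("!BBHHH", 3, code, 0, 0, mtu) + quoted)

def echo_reply(src, dst, ident, seq) -> bytes:
    """Constructed ICMP echo reply (type 0)."""
    return ipv4(src, dst, 1, struct.pack("!BBHHH", 0, 0, 0, ident, seq))
```

A frag-needed error for a TCP session the inside host opened passes, the same error for a port nobody opened is dropped, and a code the policy does not list (e.g. 3/1 host unreachable) is dropped even for a valid session.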