Firewall stateful handling of ICMP packets

Owen DeLong owen at delong.com
Wed Dec 3 23:57:37 UTC 2003


Actually, any halfway decent firewall allows you to permit certain ICMP
type codes while rejecting others.  Not a perfect solution, but, for the
most part, there aren't a lot of fragmentation-needed exploits running
around.  (In fact, I'm hard pressed to imagine how a Frag needed packet
for an invalid session could do much of anything).

Owen


--On Wednesday, December 3, 2003 5:12 PM -0500 Sean Donelan 
<sean at donelan.com> wrote:

> You could drop ICMP packets at your firewall if the firewalls properly
> implemented stateful inspection of ICMP packets.  The problem is few
> firewalls include ICMP responses in their stateful analysis.  So you are
> left with two bad choices, permit "all" ICMP packets or deny "all" ICMP
> packets.



-- 
If it wasn't crypto-signed, it probably didn't come from me.
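Both approaches debated above, a per-type/code allowlist versus stateful matching of an ICMP error against the session it quotes, as an added Python example that is not code from this thread; the packet layouts, addresses and session table are constructed for the demo, and only error messages that quote a datagram (destination unreachable, time exceeded) are modelled:

```python
import struct

ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED = 3, 11
FRAG_NEEDED = 4
# Stateless policy: type/code pairs permitted even with no matching session.
ALLOWED_TYPE_CODE = {(ICMP_DEST_UNREACH, FRAG_NEEDED)}

def ip_to_bytes(a):
    return bytes(int(x) for x in a.split("."))

def bytes_to_ip(b):
    return ".".join(str(x) for x in b)

def ipv4_header(src, dst, proto, total_len):
    # Minimal 20-byte header, no options; checksum left zero (constructed test data only).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       ip_to_bytes(src), ip_to_bytes(dst))

def build_icmp_error(src, dst, itype, code, flow):
    """Constructed ICMP error: outer IP + ICMP header + quoted IP header + first 8 L4 bytes."""
    proto, isrc, sport, idst, dport = flow
    quoted = ipv4_header(isrc, idst, proto, 40) + struct.pack("!HHI", sport, dport, 0)
    icmp = struct.pack("!BBHI", itype, code, 0, 0) + quoted
    return ipv4_header(src, dst, 1, 20 + len(icmp)) + icmp

def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], bytes_to_ip(pkt[12:16]), bytes_to_ip(pkt[16:20]), pkt[ihl:]

def icmp_verdict(pkt, sessions, stateful=True):
    """Return "ACCEPT" or "DROP" for an inbound ICMP error packet.

    sessions: set of (proto, src, sport, dst, dport) flows this firewall saw leave.
    """
    proto, src, dst, icmp = parse_ipv4(pkt)
    if proto != 1 or len(icmp) < 8 or icmp[0] not in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        return "DROP"
    itype, code = icmp[0], icmp[1]
    if not stateful:
        return "ACCEPT" if (itype, code) in ALLOWED_TYPE_CODE else "DROP"
    quoted = icmp[8:]
    if len(quoted) < 28:       # need a full IP header plus 8 bytes of transport header (RFC 792)
        return "DROP"
    qproto, qsrc, qdst, l4 = parse_ipv4(quoted)
    sport, dport = struct.unpack("!HH", l4[:4])
    # The error must be addressed to the sender of the quoted datagram and quote a live flow.
    if dst != qsrc or (qproto, qsrc, sport, qdst, dport) not in sessions:
        return "DROP"
    return "ACCEPT"
```

With the stateful check a "fragmentation needed" for an unknown session is dropped, while the allowlist alone accepts any such packet regardless of session.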