Timothy...

On Tue, Jan 18, 2005 at 09:54:14PM +0100, Timothy Earl wrote:
> I am having a little trouble understanding the differences between
> Firewall / Proxy activity on internal / external nets. For example I
> read recently out of a book I am going through, that one should
> reconsider blocking all ICMP traffic for reasons related to
> fragmentation.

Here I limit what kind of ICMP messages are allowed (mostly echo-request/echo-reply). But basically I see no reason to block the ICMP protocol. It's true that some attackers intentionally fragment their packets in the hope of circumventing simple network security applications that don't reassemble the traffic. But usually network security applications like e.g. "snort" or content-filtering firewalls first reassemble the data stream before doing checks on it. So no need to block them IMHO.

Your doubts about MTUs are valid. Blocking IP fragments can cause problems of different kinds. Perhaps you use NFS over UDP (the default), or a VPN tunnel, or even ISPs with different line technologies. All of this can cause IP fragments that you will definitely want to allow. Before blindly blocking fragments I recommend you watch your interface for a while to see whether you see fragments of production traffic.

> My second question is which ICMP types should be allowed in to the
> external interface if any?

Any. ;)

Cheers
Christoph
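An added example, not part of Christoph's mail or Timothy's question: a small IPv4/ICMP classifier that applies the policy sketched above (accept a short list of ICMP types, pass fragments on to whatever reassembles them instead of dropping them), plus a fragmenter that shows why an 8 KiB NFS-over-UDP read on a 1500-byte link arrives as six fragments, and a tally of fragments per protocol of the kind you would run before deciding on a fragment rule. The mail only names echo-request/echo-reply as permitted; the two extra entries in ALLOWED_ICMP (type 3 code 4 "fragmentation needed" and type 11 "TTL exceeded") are my addition, because dropping them breaks Path MTU Discovery and traceroute. The packets are constructed inline and all names (build_ipv4, classify, fragment, fragment_report) are mine.

```python
"""Added example (not from the mailing-list post): classify raw IPv4 packets
under an ICMP allowlist, and show what a blanket fragment rule does to a
large UDP datagram. All packets below are constructed, not captured."""
import struct

ICMP = 1
UDP = 17

# (type, code) pairs accepted on the external interface. The mail names only
# echo-request/echo-reply; 3/4 and 11/0 are added here because dropping them
# breaks Path MTU Discovery and traceroute respectively (my assumption).
ALLOWED_ICMP = {(8, 0): "echo-request", (0, 0): "echo-reply",
                (3, 4): "fragmentation-needed", (11, 0): "ttl-exceeded"}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (used for the IPv4 header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto, payload, *, ident=1, mf=False, offset=0, df=False,
               src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02") -> bytes:
    """Prepend a 20-byte IPv4 header; offset is in bytes (multiple of 8)."""
    assert offset % 8 == 0
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fields a fragment/ICMP policy needs; verify header checksum."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    (_, _, total_len, ident, flags_frag,
     _, proto, _, _, _) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if checksum(pkt[:ihl]) != 0:          # a valid header sums to zero
        raise ValueError("bad header checksum")
    offset = (flags_frag & 0x1FFF) * 8
    mf = bool(flags_frag & 0x2000)
    return {"proto": proto, "ident": ident, "mf": mf, "offset": offset,
            "is_fragment": mf or offset > 0, "payload": pkt[ihl:total_len]}


def classify(pkt: bytes, drop_fragments: bool = False) -> tuple:
    """Return (verdict, reason). drop_fragments mimics a rule matching
    second-and-later fragments, like iptables' -f option."""
    h = parse_ipv4(pkt)
    if h["offset"] > 0:
        # A non-first fragment carries no transport header, so there is
        # nothing to match on; hand it to the reassembling inspector.
        if drop_fragments:
            return ("DROP", "non-first fragment")
        return ("ACCEPT", "fragment, reassemble before inspecting")
    if h["proto"] != ICMP:
        return ("ACCEPT", "not ICMP, other rules decide")
    if len(h["payload"]) < 8:
        return ("DROP", "truncated ICMP header")
    t, c = h["payload"][0], h["payload"][1]
    name = ALLOWED_ICMP.get((t, c))
    return ("ACCEPT", name) if name else ("DROP", "icmp type %d code %d" % (t, c))


def fragment(pkt: bytes, mtu: int) -> list:
    """Split a datagram into fragments that fit mtu, as a router would."""
    h = parse_ipv4(pkt)
    chunk = (mtu - 20) // 8 * 8            # fragment data must be a multiple of 8
    data, frags = h["payload"], []
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        last = off + chunk >= len(data)
        frags.append(build_ipv4(h["proto"], piece, ident=h["ident"],
                                mf=not last, offset=off))
    return frags


def fragment_report(packets) -> dict:
    """Tally fragments per IP protocol: the check to run on a live interface
    for a while before adding any rule that drops fragments."""
    report = {}
    for p in packets:
        h = parse_ipv4(p)
        if h["is_fragment"]:
            report[h["proto"]] = report.get(h["proto"], 0) + 1
    return report


if __name__ == "__main__":
    echo = build_ipv4(ICMP, bytes([8, 0, 0, 0, 0, 1, 0, 1]) + b"ping")
    redirect = build_ipv4(ICMP, bytes([5, 1, 0, 0]) + b"\x00" * 32)
    # 8 KiB UDP payload, the size of a default NFS-over-UDP read, on a 1500 MTU link
    nfs_read = build_ipv4(UDP, struct.pack("!HHHH", 2049, 800, 8 + 8192, 0)
                          + b"\x00" * 8192, ident=77)
    frags = fragment(nfs_read, 1500)
    for p in (echo, redirect, *frags):
        print(classify(p))
    dropped = sum(classify(p, drop_fragments=True)[0] == "DROP" for p in frags)
    print("dropped by a fragment rule: %d of %d (datagram unrecoverable)" % (dropped, len(frags)))
    print("fragments seen per protocol:", fragment_report(frags))
```

The point the run makes is the one in the mail: the echo-request is accepted, the ICMP redirect is not, and the NFS read splits into six fragments of which a fragment-dropping rule discards five, so the datagram can never be reassembled. In the real world fragment_report corresponds to something like watching `tcpdump -ni eth0 'ip[6:2] & 0x3fff != 0'` for a while, which is the check Christoph recommends before touching fragments at all.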

