-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Policy decision? The most prevailing policy should be 'If you don't
need it, don't allow it'.

I usually set up three rules for ICMP. Internal to external allows
echo-requests, external to internal allows
echo-replies/timeouts/unreachables, and finally any to any deny ICMP.
The last one is there just in case there is an internal to external
allow any, so that covert ICMP traffic to the outside still gets filtered.

Sometimes you may have to include an internal to internal allow ICMP
redirects, depending on your internal routing structure.

Regards,
Frank

> -----Original Message-----
> From: Dave Wreski [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 31, 1999 4:22 AM
>
> Hi all. I'd like to investigate the security implications of the various
> types of ICMP and whether or not to allow them thru a firewall.
>
> I understand many are based on policy decisions, but many (such as source
> redirect) are an obvious deny. Which ones are deprecated? What is the
> most secure configuration possible, yet still maintain the
> necessary services for normal network functionality?

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1
Comment: PGP or S/MIME (X.509) encrypted email preferred.
iQA/AwUBOGz2HURKym0LjhFcEQJPDQCfdVeE4q7cYTbeRi40Y0sqUREgLrcAoPAh
zqZA9VkbORezJpBLA2MGujSP
=Wo4J
-----END PGP SIGNATURE-----
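
The three-rule ICMP policy from the reply above, modelled as an added example that is not part of the original message and not any firewall product's syntax. It assumes a first-match rule engine; the zone names, the `decide` function and the trailing broad allow rule are hypothetical, chosen to show why the catch-all ICMP deny has to sit ahead of an internal to external "allow any".

```python
# ICMP type numbers as assigned by IANA.
ECHO_REPLY, UNREACHABLE, REDIRECT, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 5, 8, 11

# First-match rule list: (source zone, destination zone, protocol,
# ICMP types or None, action). "any" matches every zone or protocol;
# None matches every ICMP type. Zone names are assumptions.
RULES = [
    # 1. Internal hosts may ping outwards.
    ("internal", "external", "icmp", {ECHO_REQUEST}, "allow"),
    # 2. Answers and error reports may come back in.
    ("external", "internal", "icmp",
     {ECHO_REPLY, TIME_EXCEEDED, UNREACHABLE}, "allow"),
    # 3. Every other ICMP packet is dropped, in either direction.
    ("any", "any", "icmp", None, "deny"),
    # Hypothetical broad rule of the kind the reply warns about.
    ("internal", "external", "any", None, "allow"),
]


def decide(src, dst, proto, icmp_type=None, rules=RULES):
    """Return the action of the first matching rule, default deny."""
    for r_src, r_dst, r_proto, r_types, action in rules:
        if r_src not in ("any", src) or r_dst not in ("any", dst):
            continue
        if r_proto not in ("any", proto):
            continue
        if r_types is not None and icmp_type not in r_types:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    # Constructed sample packets: (src zone, dst zone, protocol, ICMP type).
    samples = [
        ("internal", "external", "icmp", ECHO_REQUEST),
        ("external", "internal", "icmp", TIME_EXCEEDED),
        ("external", "internal", "icmp", REDIRECT),
        ("internal", "external", "icmp", ECHO_REPLY),  # unsolicited outbound reply
        ("internal", "external", "tcp", None),
    ]
    for pkt in samples:
        print(pkt, "->", decide(*pkt))
    # Same outbound reply with rule 3 removed: the broad rule lets it out.
    without_deny = RULES[:2] + RULES[3:]
    print("no rule 3:", decide("internal", "external", "icmp", ECHO_REPLY,
                               rules=without_deny))
```

The optional internal to internal redirect allowance mentioned in the reply would be one more entry placed before rule 3.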