Uh, to summarise, perhaps...

We'd love to block all ICMP, in both directions. We can't. I find the
simplest safe working position to be:

Inbound - all unreachables (type 3)
Outbound - packet-too-big (3/4, from memory?)

You only need to allow _outbound_ packet-too-big if you have servers behind
your filters that the outside world needs access to - web servers
especially. You'll almost always need it inbound.

The position above is not the most secure - you could prune your unreachable
subtypes further, but since none of the unreachables are useful for probing
I tend to allow the whole subtype if that would make an easier-to-read
configuration. If I have to enumerate then I do
host/net/too-big/admin-prohibited.

Enno mentioned dropping low TTL packets, which is cool. More (than very few)
firewalls should support this. *sigh* Sadly, firewalking can be performed on
any port, so there is no effective port blocking method to combat it. hping,
for example, lets you specify port and TTL.

Cheers,

--
Ben Nagy
Marconi Services
Network Integration Specialist
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304
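An added illustration of the position above, not code from Ben's mail: a small stateless filter that reads the TTL, protocol and ICMP type/code from raw IPv4 packets and returns a verdict (inbound: any type 3; outbound: only type 3 code 4, packet-too-big; optional enumeration of net/host/too-big/admin-prohibited; low-TTL drop). The low-TTL threshold of 5 and the sample packets are constructed assumptions.

```python
import struct

ICMP_UNREACHABLE = 3
# Destination-unreachable codes the post enumerates when it has to.
CODE_NET, CODE_HOST, CODE_TOO_BIG, CODE_ADMIN = 0, 1, 4, 13
MIN_TTL = 5  # assumed threshold for the "drop low TTL" rule; site-specific

def parse_ipv4_icmp(pkt: bytes):
    """Return (ttl, proto, icmp_type, icmp_code) from a raw IPv4 packet.
    Type/code are None when the payload is not ICMP or is truncated."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    ttl, proto = pkt[8], pkt[9]
    if proto != 1 or len(pkt) < ihl + 4:
        return ttl, proto, None, None
    return ttl, proto, pkt[ihl], pkt[ihl + 1]

def icmp_verdict(direction: str, pkt: bytes, enumerate_codes: bool = False) -> str:
    """Apply the post's ICMP policy; direction is 'in' or 'out'."""
    ttl, proto, itype, icode = parse_ipv4_icmp(pkt)
    if ttl < MIN_TTL:
        return "drop:low-ttl"          # applies to every protocol
    if proto != 1:
        return "pass:not-icmp"         # non-ICMP is outside this policy
    if itype != ICMP_UNREACHABLE:
        return "drop:icmp"             # echo, redirects, timestamps, etc.
    if direction == "out":
        return "accept" if icode == CODE_TOO_BIG else "drop:icmp"
    if enumerate_codes and icode not in (CODE_NET, CODE_HOST, CODE_TOO_BIG, CODE_ADMIN):
        return "drop:icmp"
    return "accept"                    # inbound: whole type 3 subtype

def build_packet(ttl: int, proto: int, icmp_type: int = 0, icmp_code: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header (checksum zeroed) plus an 8-byte ICMP header."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, ttl, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + struct.pack("!BBH", icmp_type, icmp_code, 0) + b"\x00" * 4

if __name__ == "__main__":
    print(icmp_verdict("in", build_packet(64, 1, 3, 1)))   # accept
    print(icmp_verdict("out", build_packet(64, 1, 3, 1)))  # drop:icmp
```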