On our firewall we use an automated program to permanently drop certain
intruders. This is really handy, but it requires some fine-tuning, and I
have a few questions about ICMP types.

For one internal net there is a small set of authorized external sources
from which we accept traffic. However, we accept icmp request packets only
from internal sources, but do not permanently drop external sources (to
avoid dropping authorized sources or root DNS servers, for example). 

On the other hand, we accept icmp response packets from any source (assuming
they are a response to an internal request), including types 0 (echo reply),
3 (destination unreachable) and 11 (time exceeded) and a few others.

If these two rules neither accept nor drop the packet, any other external
traffic to that net is dropped and the external host permanently blocked.

The question is: Assuming I don't want to just drop all icmp packets, should
I accept types 3 and 11 as legitimate responses? 

This question is prompted by a supposedly trusted external source having
been permanently blocked due to several icmp type 11 packets having
triggered the automated program. My first take was that I should allow these
as legitimate response packets. But, after further dissection, I see no
earlier outbound traffic from the internal host that might have caused the
icmp type 11 response. In fact, there was no outbound traffic from some
of the internal hosts at all. The larger question, I guess, is whether icmp
type 11 can be used to mount some kind of attack upon our net, other than
simply sending a zillion such packets. I think perhaps the same question
applies also to icmp type 3.

Thanks...

Chuck Sterling
System/Network Administrator
NASA White Sands Test Facility
Magic is REAL, unless declared INTEGER.
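An added illustration, not part of Chuck's message or of any firewall product: ICMP type 3 and 11 messages quote the IP header plus the first 8 bytes of the datagram that triggered them, so instead of accepting every error message a firewall can check the quoted inner packet against the outbound flows it actually saw from the internal net. The flow table, packet builder and addresses below are constructed sample data.

```python
import struct
from ipaddress import ip_address

# Constructed table of outbound flows recently seen leaving the internal net:
# (src_ip, dst_ip, ip_proto, src_port, dst_port)
SEEN_OUTBOUND = {
    ("10.0.0.5", "192.0.2.10", 17, 40000, 53),    # a DNS query
    ("10.0.0.5", "198.51.100.7", 6, 51234, 443),  # an HTTPS connection
}

def parse_icmp_error(icmp):
    """Parse an ICMP type 3/11 message and return the quoted 5-tuple, or None."""
    if len(icmp) < 8 + 20 + 8:            # ICMP header + inner IPv4 header + 8 bytes
        return None
    if icmp[0] not in (3, 11):            # only error types carry a quoted datagram
        return None
    inner = icmp[8:]                      # quoted original datagram starts after ICMP hdr
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    proto = inner[9]
    src = str(ip_address(inner[12:16]))   # original sender (should be an internal host)
    dst = str(ip_address(inner[16:20]))   # original destination
    if proto not in (6, 17):              # ports only make sense for TCP/UDP
        return (src, dst, proto, None, None)
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return (src, dst, proto, sport, dport)

def is_legitimate_response(icmp, seen=SEEN_OUTBOUND):
    """True only if the error quotes a flow the firewall saw going out."""
    quoted = parse_icmp_error(icmp)
    return quoted is not None and quoted in seen

def build_icmp_error(itype, code, src, dst, proto, sport, dport):
    """Constructed test packet: ICMP header, quoted IPv4 header, 8 bytes of L4."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, proto, 0,
                           ip_address(src).packed, ip_address(dst).packed)
    l4 = struct.pack("!HHI", sport, dport, 0)
    return struct.pack("!BBHI", itype, code, 0, 0) + inner_ip + l4
```

A type 11 that quotes a flow nobody on the inside started fails the check and can be treated as unsolicited, which is the situation described in the message.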


