Tobias Weingartner wrote:
> Chad M Stewart wrote:
>> On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
>>> pass in inet proto icmp all icmp-type $icmp_types keep state
>> This can be used as a covert communication channel. Allowing internal IPs to send/receive ping is bad.
>
> Bull.  Not allowing ICMP is just as bad.  Worse actually, as you
> are violating RFCs.  Quit spreading this FUD.


As very often in this world, none of these points of view is absolutely
perfect in all situations.

Regarding violation of RFCs, I found RFC 1812, which states that routers
have to implement echo replies, but one should be able to switch them off:


RFC 1812 "Requirements for IP Version 4 Routers", page 57/58:

4.3.3.6 Echo Request/Reply

   A router MUST implement an ICMP Echo server function that receives
   Echo Requests sent to the router, and sends corresponding Echo
   Replies.  A router MUST be prepared to receive, reassemble and echo
   an ICMP Echo Request datagram at least as the maximum of 576 and the
   MTUs of all the connected networks.

   The Echo server function MAY choose not to respond to ICMP echo
   requests addressed to IP broadcast or IP multicast addresses.

   A router SHOULD have a configuration option that, if enabled, causes
   the router to silently ignore all ICMP echo requests; if provided,
   this option MUST default to allowing responses.


Andreas
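As an added example (editor's, not from any poster in this thread), here is a pf.conf fragment that sits between the two positions above: it keeps the `pass in ... icmp-type $icmp_types keep state` rule from the thread but narrows `$icmp_types` to the types a host actually needs, and shows how the RFC 1812 "silently ignore echo requests" option maps onto pf. The interface macros `ext_if` and `int_if` and the device names are assumptions for illustration.

```pf
# Added example, not from the thread. Interface names are placeholders.
ext_if = "em0"
int_if = "em1"

# Permissive form being debated: everything listed in $icmp_types passes.
# icmp_types = "{ echoreq, echorep, unreach, timex, paramprob }"

# Tighter form: only the types needed for correct IP operation.
#   echoreq  - echo request, so the box answers ping (RFC 1812 4.3.3.6)
#   unreach  - destination unreachable, required for Path MTU Discovery
#   timex    - time exceeded, needed for traceroute and TTL diagnostics
icmp_types = "{ echoreq, unreach, timex }"

set block-policy drop
set skip on lo

block in log all

# Stateful: passing the echo request creates state that lets the matching
# echo reply through, so echorep needs no pass rule of its own.
pass in inet proto icmp all icmp-type $icmp_types keep state

# RFC 1812 requires the "ignore echo requests" option to default to OFF
# (replies allowed), which the rule above honours. To enable that option
# on the external interface only, use these two rules instead of it:
# pass in on $int_if inet proto icmp all icmp-type $icmp_types keep state
# block in on $ext_if inet proto icmp icmp-type echoreq
```

Narrowing the type list is what addresses the covert-channel concern raised earlier in the thread without dropping ICMP wholesale: unreachable and time-exceeded messages are what keep PMTU discovery and traceroute working, so blocking them is the part that causes the breakage the RFC argument warns about.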
