On Sat, May 27, 2000 at 18:18 +0200, Steffen Dettmer wrote:
> * Gerhard Sittig wrote on Sat, May 27, 2000 at 11:09 +0200:
> > But looking at all the ICMP packet types one should at least block the redirect ones. And besides "dest unreach", "param prob", "source quench" and "time exceeded" everything else seems luxurious to pass through.
> Do you know what happens to the payload of such packets? May they be used like in icmp echo request packets?
I don't know (didn't care up to now). Maybe it's time to go and fetch the appropriate RFC and have some reading ... AFAIK the ping tunnel uses the variable length payload to contain the data (which is usually just stuffed when you use the -s switch). And nobody seems to care about echo requests and replies. I'm not sure whether the above icmp packet types have room for these things or if they just get truncated right after the header.
And *if* you have to enable echo reqs and replies, you better block icmp to the network and broadcast addresses (remember smurf, tfn and the other DoSes?).
> BTW: if a firewall rejects echo request (with comm adm. prohibited), ordinary ping shows normal output, but of course even if the pinged host is down.
There's always the choice between rejection and denial. :) BTW I'm aware of the fact that denied packets "reveal" there's some kind of filter in between, attracting the kids like locked doors to forbidden rooms ... But I'd rather have them run against a wall they see than letting them go as far as they want to _if_ they try and come at all.
> Additionally it seems to be possible to block fragmented ICMPs always, since usually those packets are very small, ain't they? (Comments?)
Any decent firewall (or even the TCP stack) should drop corrupted and malformed packets even before the header fields are looked at and used to base decisions upon. It's mad enough that the fw rules act on behalf of data that anyone untrusted, whom you actually try to defend against, delivers to you.

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig
true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
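The filtering policy sketched across this thread, written out as an added example (not code from the mail or from either participant): sanity checks first (truncated, fragmented, bad checksum), then pass the four error/control types, drop redirects, drop echo aimed at the network or broadcast address, and either silently drop or explicitly reject the remaining echo traffic. It also answers the payload question above with icmp_data_room(): the error types are not truncated after the 8-byte header, since RFC 792 has them carry the offending datagram's IP header plus 8 bytes and RFC 1812 lets routers include up to 576 bytes in total. Everything here is an assumption for illustration: the local network 192.0.2.0/24 (TEST-NET-1), the sample addresses, the constructed packets, and the function names build_packet, parse_ipv4, icmp_data_room and filter_icmp.

```python
import ipaddress
import struct

# ICMP type numbers from RFC 792.
ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, REDIRECT, ECHO_REQUEST = 0, 3, 4, 5, 8
TIME_EXCEEDED, PARAM_PROB = 11, 12
ICMP_PROTO, ICMP_HDR_LEN = 1, 8

# The error/control types the thread proposes to let through; the rest is "luxury".
PASS_ERROR_TYPES = {DEST_UNREACH, SOURCE_QUENCH, TIME_EXCEEDED, PARAM_PROB}

# Assumed local network (TEST-NET-1) for the network/broadcast-address check.
LOCAL_NET = ipaddress.IPv4Network("192.0.2.0/24")


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src, dst, icmp_type, code=0, rest=b"\x00" * 4, payload=b"",
                 more_fragments=False, frag_offset=0) -> bytes:
    """Constructed IPv4+ICMP datagram (IP checksum left zero; the filter ignores it)."""
    icmp = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    flags_frag = (0x2000 if more_fragments else 0) | ((frag_offset // 8) & 0x1FFF)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, flags_frag,
                         64, ICMP_PROTO, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return ip_hdr + icmp


def parse_ipv4(pkt: bytes) -> dict:
    """Pull the fields the filter needs out of a (>= 20 byte) IPv4 header."""
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "more_fragments": bool(flags_frag & 0x2000),
            "frag_offset": (flags_frag & 0x1FFF) * 8,
            "dst": ipaddress.IPv4Address(dst), "payload": pkt[ihl:total_len]}


def icmp_data_room(pkt: bytes) -> int:
    """Bytes after the fixed 8-byte ICMP header: the space a ping tunnel uses.
    For echo it is the caller's padding (ping -s); for the error types RFC 792
    puts the offending datagram's IP header plus 8 bytes there (RFC 1812 allows
    up to 576 bytes in total), so those types have room as well."""
    return max(0, len(parse_ipv4(pkt)["payload"]) - ICMP_HDR_LEN)


def filter_icmp(pkt: bytes, local_net=LOCAL_NET, allow_echo=False):
    """Return (verdict, reason): ACCEPT, DROP (silent) or REJECT (admin-prohibited)."""
    if len(pkt) < 20:
        return "DROP", "truncated IP header"
    ip = parse_ipv4(pkt)
    if ip["proto"] != ICMP_PROTO:
        return "ACCEPT", "not ICMP, outside this policy"
    # Sanity checks first, before any ICMP field is used for a decision.
    if ip["more_fragments"] or ip["frag_offset"]:
        return "DROP", "fragmented ICMP (a real ICMP message fits in one datagram)"
    icmp = ip["payload"]
    if len(icmp) < ICMP_HDR_LEN:
        return "DROP", "malformed ICMP (short header)"
    if icmp_checksum(icmp) != 0:
        return "DROP", "corrupted ICMP (bad checksum)"
    icmp_type = icmp[0]
    if icmp_type in PASS_ERROR_TYPES:
        return "ACCEPT", "error/control message needed for normal operation"
    if icmp_type == REDIRECT:
        return "DROP", "redirect would let a remote party change our routes"
    if icmp_type in (ECHO_REQUEST, ECHO_REPLY):
        if ip["dst"] in (local_net.network_address, local_net.broadcast_address):
            return "DROP", "echo to network/broadcast address (smurf-style amplification)"
        if allow_echo:
            return "ACCEPT", "echo permitted by policy"
        return "REJECT", "echo not permitted; answer with comm-adm-prohibited"
    return "DROP", "ICMP type %d is not needed" % icmp_type


if __name__ == "__main__":
    # Constructed sample traffic; addresses are from the documentation ranges.
    samples = {
        "echo to host": build_packet("198.51.100.7", "192.0.2.10", ECHO_REQUEST, payload=b"tunnel-data"),
        "echo to bcast": build_packet("198.51.100.7", "192.0.2.255", ECHO_REQUEST),
        "dest unreach": build_packet("198.51.100.1", "192.0.2.10", DEST_UNREACH, code=3,
                                     payload=b"\x45" + b"\x00" * 27),
        "redirect": build_packet("198.51.100.1", "192.0.2.10", REDIRECT, code=1),
        "fragment": build_packet("198.51.100.7", "192.0.2.10", ECHO_REQUEST, more_fragments=True),
    }
    for name, pkt in samples.items():
        verdict, why = filter_icmp(pkt)
        print("%-13s -> %-6s %s; data room %d bytes" % (name, verdict, why, icmp_data_room(pkt)))
```

The order of the checks is the point the last paragraph makes: a fragment or a message with a bad checksum never reaches the type switch, so nothing an untrusted sender controls is consulted until the packet has proven well-formed. Whether the final echo verdict is DROP or REJECT is the rejection-versus-denial trade-off discussed above, exposed here as the allow_echo flag and the REJECT verdict rather than decided for you.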