Ok to let all ICMP traffic through firewall?
am 23.09.2005 00:14:14 von Franklin
My question is: should a firewall let all ICMP traffic through, because
there is no real risk if it does?
+++++
Here is the thinking behind my question: Robin Walker's cable modem
webpages at
look to me as if they are technically sound. But they are a few
years old. I would like to know what people think about the advice
he gives about ICMP traffic and if it is still true these days.
He suggests that firewalls should let all ICMP traffic through and
that there is no real risk if they do that. At
http://snipurl.com/hvox he writes the following section. I have cut
it down a bit.
------------------- START QUOTE -----------------
STEALTH-MODE FIREWALLS CONSIDERED HARMFUL
Some firewalls have a hiding mechanism they call stealth. ... In
stealth mode, the firewall causes the PC just to ignore incoming
connection attempts, rather than rejecting them, as would be normal
for incoming connection attempts to closed ports.
.... causes some difficulties. For a start, Internet standard RFC 1122
states categorically about ICMP Echoes (ping):
"3.2.2.6 Echo Request/Reply: RFC-792. Every
host MUST implement an ICMP Echo server function
that receives Echo Requests and sends
corresponding Echo Replies."
So you are strongly advised not to apply stealth techniques to the
ICMP protocol.
A commonly heard objection to allowing ICMP Echo Replies is that it
gives away information to hackers that there is a live connection on
this IP address. Such objections are not well-founded, and can be
safely ignored.
There is no evidence in practice that any hacker has been aided by
the presence of an ICMP Echo Reply.
Hackers do not typically write code that tests an address with ICMP
Echo before launching a hostile probe: they always send the hostile
probe directly: either it works or it doesn't, and information from
ICMP adds nothing to the analysis.
------------------- END QUOTE -----------------
So should a firewall let all ICMP traffic through? Is it OK to do
that?
Re: Ok to let all ICMP traffic through firewall?
am 23.09.2005 00:19:07 von unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
am 23.09.2005 00:30:27 von Bob Eager
On Thu, 22 Sep 2005 22:19:07 UTC, Leythos wrote:
> In article <96D9EC61DFA1E71F3M4@66.250.146.159>, no_thanks@mail.com
> says...
> > My question is Should a firewall let all ICMP traffic through because
> > there is no real risk if they do?
>
> The common sense rule is to LET NOTHING IN that doesn't have a good
> reason to be let in.
In practice, you need to let a few ICMP messages through, then. For
example, source quench and destination unreachable.
--
[ 7'ism - a condition by which the sufferer experiences an inability
to give concise answers, express reasoned argument or opinion.
Usually accompanied by silly noises and gestures - incurable, early
euthanasia recommended. ]
Re: Ok to let all ICMP traffic through firewall?
am 23.09.2005 00:36:09 von abuse
Franklin wrote:
> My question is Should a firewall let all ICMP traffic through
> because there is no real risk if they do?
No, because some ICMP messages aren't useful. However blocking all
ICMP is throwing the baby out with the bathwater and will cause more
bother than not blocking anything.
I would suggest allowing ICMP Echo and Echo Reply (so ping works),
Destination Unreachable (which includes "fragmentation required",
essential for PMTUD to work) and Time Exceeded (so traceroute works.)
Everything else looks to be fair game to drop.
While I'm suggesting firewall rules, can people also not silently drop
SYNs to port 113 please? All sorts of servers try RFC1413 lookups and
stall while waiting for a response. The firewall user is usually the
first to complain that it's taking ages to connect to a certain remote
server.
--
PGP key ID E85DC776 - finger abuse@mooli.org.uk for full key
/:.*posting.google.com.*/HX-Trace:+j
Re: Ok to let all ICMP traffic through firewall?
am 23.09.2005 00:49:22 von roberson
In article <176uZD2KcidF-pn2-dTdiDpVF9eQ2@rikki.tavi.co.uk>,
Bob Eager wrote:
:In practice, you need to let a few ICMP messages through, then. For
:example, source quench and destination unreachable.
In practice, crackers will send you unsolicited source quenches,
either as a side effect of them DoS'ing the host with forged packets,
or else with the hope of DoS'ing you by interfering with your flow
of traffic to other locations.
In practice, you don't need to listen to source quench. If you
are sending data too quickly for a router, the router will drop
some of the traffic. If the traffic was TCP then the normal TCP
recovery mechanisms will kick in and will act to slow down your
rate of transmission. If the traffic was UDP or any other
"unreliable" protocol, then by definition the transmissions are
expected to be unreliable so dropping the traffic should not be
important. [If it -was- important, then you shouldn't be using an
unreliable transmission protocol.]
--
Goedel's Mail Filter Incompleteness Theorem:
In any sufficiently expressive language, with any fixed set of
email filtering algorithms, there exists at least one spam message
which the algorithms are unable to filter out.
Re: Ok to let all ICMP traffic through firewall?
am 23.09.2005 00:57:08 von Wolfgang Kueter
Franklin wrote:
> My question is Should a firewall let all ICMP traffic through because
> there is no real risk if they do?
> [...]
> ------------------- START QUOTE -----------------
>
> STEALTH-MODE FIREWALLS CONSIDERED HARMFUL
> [...]
> So Should a firewall let all ICMP traffic through?
No.
> Is it ok to do that?
No. While the example you quoted from the web page is still correct and
there is nothing wrong with echo request and echo reply and the various
destination unreachable messages, there are other ICMP messages that should be
filtered.
http://seclists.org/lists/bugtraq/2005/May/0122.html
Wolfgang
Re: Ok to let all ICMP traffic through firewall?
am 23.09.2005 01:06:03 von roberson
In article <433331d9$0$32652$da0feed9@news.zen.co.uk>,
Peter wrote:
:However blocking all
:ICMP is throwing the baby out with the bathwater and will cause more
:bother than not blocking anything.
"more bother" depends on whether you are being deliberately attacked
or not.
:I would suggest allowing ICMP Echo and Echo Reply (so ping works),
Typically, outsiders have no business mapping out exactly which
of your systems exist or are up right now, so dropping most incoming icmp
echo is a common security precaution. Whether to allow icmp echo
to public-facing servers varies with circumstance.
--
If you like, you can repeat the search with the omitted results included.
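The allow-list that the replies from abuse, roberson and Wolfgang converge on (echo request only where the host is meant to be reachable, echo reply, destination unreachable including "fragmentation needed", time exceeded, and drop the rest, source quench included), written out as a runnable policy function. This is an added example, not code from the thread or from Robin Walker's pages. It assumes the firewall keeps a table of flows the inside host itself initiated (the hand-written FLOWS set stands in for that connection table) and uses RFC 5737 documentation addresses for the constructed sample packets. It goes one step beyond the posts: an ICMP error is accepted only when the datagram it quotes matches one of those flows, which is what discards the forged quench and unreachable messages roberson describes.

```python
"""Inbound ICMP allow-list with RELATED checking of error messages.
Added example, not code from the thread. Flow table and RFC 5737 addresses are constructed."""
import struct

ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 4, 8, 11
FRAG_NEEDED = 4                                    # type 3 / code 4, what PMTUD relies on
ERROR_TYPES = {DEST_UNREACH, TIME_EXCEEDED}        # accepted, but only if they quote our own flow
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
OUR_IP = "192.0.2.10"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a message carrying its own checksum sums to 0."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """20-byte IPv4 header (no options) with header checksum, then payload."""
    s, d = (bytes(int(o) for o in a.split(".")) for a in (src, dst))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0, s, d)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\0" * 4, payload: bytes = b"") -> bytes:
    """type, code, checksum, 4-byte 'rest of header', payload (RFC 792 layout)."""
    msg = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_ipv4(pkt: bytes):
    """-> (proto, src, dst, payload)."""
    ihl = (pkt[0] & 0x0F) * 4
    dotted = lambda off: ".".join(str(b) for b in pkt[off:off + 4])
    return pkt[9], dotted(12), dotted(16), pkt[ihl:]


def quoted_flow(inner: bytes):
    """ICMP errors quote the offending IP header + 8 bytes of payload (RFC 792);
    for TCP/UDP those bytes begin with the port pair. -> 5-tuple or None."""
    if len(inner) < 28:
        return None
    proto, src, dst, l4 = parse_ipv4(inner)
    if len(l4) < 8:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    return (proto, src, sport, dst, dport)


def next_hop_mtu(pkt: bytes):
    """MTU carried by a 'fragmentation needed' message (RFC 1191), else None."""
    proto, _, _, icmp = parse_ipv4(pkt)
    if proto == IPPROTO_ICMP and icmp[:2] == bytes([DEST_UNREACH, FRAG_NEEDED]):
        return struct.unpack("!H", icmp[6:8])[0]
    return None


def icmp_policy(pkt: bytes, open_flows: set, answer_ping: bool = True) -> str:
    """'accept' or 'drop' for one inbound IPv4 packet. open_flows stands in for the
    firewall's connection table: (proto, our_ip, our_port, peer_ip, peer_port) for
    TCP/UDP we initiated, ("echo", peer_ip) for pings we sent."""
    proto, src, _, icmp = parse_ipv4(pkt)
    if proto != IPPROTO_ICMP or len(icmp) < 8 or inet_checksum(icmp) != 0:
        return "drop"                                   # not ICMP, truncated, bad checksum
    t = icmp[0]
    if t == ECHO_REQUEST:
        return "accept" if answer_ping else "drop"      # public-facing hosts answer, others need not
    if t == ECHO_REPLY:
        return "accept" if ("echo", src) in open_flows else "drop"
    if t in ERROR_TYPES:
        return "accept" if quoted_flow(icmp[8:]) in open_flows else "drop"
    return "drop"                                       # source quench, redirect, timestamp, mask, ...


# Constructed sample traffic as seen by OUR_IP.
FLOWS = {(IPPROTO_TCP, OUR_IP, 40000, "198.51.100.5", 443),
         (IPPROTO_UDP, OUR_IP, 33434, "198.51.100.5", 33435),
         ("echo", "203.0.113.7")}
_our_tcp = build_ipv4(OUR_IP, "198.51.100.5", IPPROTO_TCP, struct.pack("!HHI", 40000, 443, 1))
_our_udp = build_ipv4(OUR_IP, "198.51.100.5", IPPROTO_UDP, struct.pack("!HHHH", 33434, 33435, 8, 0))
_not_ours = build_ipv4(OUR_IP, "198.51.100.5", IPPROTO_TCP, struct.pack("!HHI", 40000, 80, 1))


def inbound(src: str, icmp: bytes) -> bytes:
    return build_ipv4(src, OUR_IP, IPPROTO_ICMP, icmp)


SAMPLES = {
    "ping":           inbound("203.0.113.9", build_icmp(ECHO_REQUEST, 0)),
    "pong_expected":  inbound("203.0.113.7", build_icmp(ECHO_REPLY, 0)),
    "frag_needed":    inbound("198.51.100.1", build_icmp(DEST_UNREACH, FRAG_NEEDED, struct.pack("!HH", 0, 1400), _our_tcp)),
    "forged_unreach": inbound("198.51.100.1", build_icmp(DEST_UNREACH, 1, payload=_not_ours)),
    "time_exceeded":  inbound("198.51.100.2", build_icmp(TIME_EXCEEDED, 0, payload=_our_udp)),
    "source_quench":  inbound("198.51.100.1", build_icmp(SOURCE_QUENCH, 0, payload=_our_tcp)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:15s} {icmp_policy(pkt, FLOWS):7s} mtu={next_hop_mtu(pkt)}")
```

Running the file prints one accept/drop line per sample. The quoted-datagram check is the same thing a stateful packet filter does when it classifies an ICMP error as RELATED to an existing connection, so on Linux the equivalent rule set is an accept for `-p icmp --icmp-type echo-request` on hosts that should answer ping, an accept for `-m conntrack --ctstate ESTABLISHED,RELATED`, and a final drop for everything else; unsolicited source quench never matches either and falls through to the drop.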
Re: Ok to let all ICMP traffic through firewall?
am 23.09.2005 01:13:55 von unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
am 23.09.2005 01:17:15 von unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
am 23.09.2005 01:48:58 von Hairy One Kenobi
"Leythos" wrote in message
news:MPG.1d9d059680e4dd98a0fd@news-server.columbus.rr.com...
> In article <433331d9$0$32652$da0feed9@news.zen.co.uk>,
> abuse@dopiaza.cabal.org.uk says...
> > Franklin wrote:
> > > My question is Should a firewall let all ICMP traffic through
> > > because there is no real risk if they do?
> You don't
> need to allow PING, in fact why the heck would you want to allow PING,
> it's not like it's a valid test that your network is alive - we've got
> tons of commercial networks that block PING and none of the users even
> notice.
Undoubtedly the case. Although one could quote lots of instances where it's
been damned useful.
Well, *I* certainly can - usually when the web server has had a bit of a
funny turn, and one needs to tell if it's the server behind the firewall
(fat chance of fixing something from an adjacent continent), or whether it's
the ISP playing silly buggers with the connection (marginally more hope of
getting something sorted).
As goes firewalls - I'm sure that most have already seen it, but:
http://www.dilbert.com/comics/dilbert/archive/images/dilbert 2813960050912.gif
--
Hairy One Kenobi
Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!
Re: Ok to let all ICMP traffic through firewall?
am 23.09.2005 02:24:41 von unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
am 23.09.2005 02:29:30 von Bob Eager
On Thu, 22 Sep 2005 23:13:55 UTC, Leythos wrote:
> > In practice, you need to let a few ICMP messages through, then. For
> > example, source quench and destination unreachable.
>
> Wrong, you don't NEED to allow anything. You may FEEL that you do, but
> we've got almost 100 networks that don't allow ICMP or anything else
> inbound and they work just fine, and we'll not change them.
You're wrong. But that's fine. You just carry on.
--
[ 7'ism - a condition by which the sufferer experiences an inability
to give concise answers, express reasoned argument or opinion.
Usually accompanied by silly noises and gestures - incurable, early
euthanasia recommended. ]
Re: Ok to let all ICMP traffic through firewall?
am 23.09.2005 02:33:29 von unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
am 23.09.2005 03:16:35 von Imhotep
Franklin wrote:
> My question is Should a firewall let all ICMP traffic through because
> there is no real risk if they do?
>
> +++++
>
> Here is the thinking behind my question: Robin Walker's cable modem
> webpages at
>
> look to me as if they are technically sound. But they are a few
> years old. I would like to know what people think about the advice
> he gives about ICMP traffic and if it is still true these days.
>
> He suggests that firewalls should let all ICMP traffic through and
> that there is no real risk if they do that. At
> http://snipurl.com/hvox he writes the following section. I have cut
> it down a bit.
>
>
> ------------------- START QUOTE -----------------
>
> STEALTH-MODE FIREWALLS CONSIDERED HARMFUL
>
> Some firewalls have a hiding mechanism they call stealth. ... In
> stealth mode, the firewall causes the PC just to ignore incoming
> connection attempts, rather than rejecting them, as would be normal
> for incoming connection attempts to closed ports.
>
> ... causes some difficulties. For a start, Internet standard RFC 1122
> states categorically about ICMP Echoes (ping):
>
> "3.2.2.6 Echo Request/Reply: RFC-792. Every
> host MUST implement an ICMP Echo server function
> that receives Echo Requests and sends
> corresponding Echo Replies."
>
> So you are strongly advised not to apply stealth techniques to the
> ICMP protocol.
>
> A commonly heard objection to allowing ICMP Echo Replies is that it
> gives away information to hackers that there is a live connection on
> this IP address. Such objections are not well-founded, and can be
> safely ignored.
>
> There is no evidence in practice that any hacker has been aided by
> the presence of an ICMP Echo Reply.
>
> Hackers do not typically write code that tests an address with ICMP
> Echo before launching a hostile probe: they always send the hostile
> probe directly: either it works or it doesn't, and information from
> ICMP adds nothing to the analysis.
>
> ------------------- END QUOTE -----------------
>
> So Should a firewall let all ICMP traffic through? Is it ok to do
> that?
Some ICMPs are needed for proper TCP/UDP/IP functionality. I typically allow
ICMP source quench and destination unreachable through and block
everything else (incoming)....
Imhotep
Re: Ok to let all ICMP traffic through firewall?
am 23.09.2005 03:20:45 von jameshanley39
Franklin wrote:
> My question is Should a firewall let all ICMP traffic through because
> there is no real risk if they do?
>
> +++++
>
> Here is the thinking behind my question: Robin Walker's cable modem
> webpages at
>
> look to me as if they are technically sound. But they are a few
> years old. I would like to know what people think about the advice
> he gives about ICMP traffic and if it is still true these days.
>
>
> STEALTH-MODE FIREWALLS CONSIDERED HARMFUL
>
> Some firewalls have a hiding mechanism they call stealth. ... In
Seems there's a debate. But I can't see Robin Walker's arguments being
addressed by those that say block ICMP.
It is my understanding that stealthing ports has absolutely nothing to
do with ICMP. So they are different issues.
A computer has a port stealthed if the port doesn't respond to say
whether it's open or closed. Online scanners that say 'stealth' are
really saying "could not determine" since perhaps the port is open but
the packet got lost! So some online port scanners can be
misleading.
These are all TCP segments we're dealing with. They are a load of fields
deep within the frame's contents.
A computer that blocks ICMP is a different kettle of fish. These are
frames carrying ICMP packets and have no TCP segments anywhere in them
or deep in them at all. Blocking ICMP packets breaks the ICMP
protocol. Whereas Stealthing ports breaks the TCP protocol. I think
both go against the RFCs which require correct implementation of ICMP
and TCP.
A computer of course may stealth ports and block ICMP. But they're not
related. The only similarity is that both are bad practice since they
go against RFCs, and it does not make you safer from attack. (Does it
really matter if somebody can ping you or not?!!!) It's that argument
again. That if an attacker is put off by the fact that he can't ping
you, then he isn't much to worry about, and he can easily be put
off by other proper stronger security measures. Like, not having open
ports unless necessary, and if they must be open, then use a firewall
to restrict access to the correct individuals, and apply patches to the
daemons (services/servers) to avoid exploits.
In principle, you don't really want to go around breaking protocols and
going against RFCs, and you don't gain much from doing it. If you just
say "best not to allow something in if you don't know what it is" it
reminds me of a middle aged woman in a school using a computer who
doesn't want to move an icon, and whose main phrase is "put it back to
how it was before". If you know what an icon does then you would know
there's no harm in moving it a fraction to the left or to the right.
Similarly, the people that wrote the RFCs are clever people, and
there's a huge number of technical people in the know, and none of them
have indicated any danger from allowing ICMP packets (or if they have,
then nobody has given their argument in this thread!). The protocol has
been around for donkeys' years, and nobody has sounded off any alarms
about it. So there's no need to start breaking protocols and going
against RFCs. It all looks like a lot of FUD to me.
I only learnt about this recently so I may be wrong, fortunately this
is a public forum, where people correct each others' mistakes!
Re: Ok to let all ICMP traffic through firewall?
am 23.09.2005 03:34:30 von jameshanley39
Leythos wrote:
> In article <176uZD2KcidF-pn2-yKJP7XquDBiB@rikki.tavi.co.uk>, rde42
> @spamcop.net says...
> > On Thu, 22 Sep 2005 23:13:55 UTC, Leythos wrote:
> >
> > > > In practice, you need to let a few ICMP messages through, then. For
> > > > example, source quench and destination unreachable.
> > >
> > > Wrong, you don't NEED to allow anything. You may FEEL that you do, but
> > > we've got almost 100 networks that don't allow ICMP or anything else
> > > inbound and they work just fine, and we'll not change them.
> >
> > You're wrong. But that's fine. You just carry on.
>
> Then, when we're running along for the last few years, blocking all ICMP
> inbound and at the firewall, what are we denying ourselves?
>
> It seems that our networks work, that we can VPN into the office just
> fine, etc...
>
> It seems that all of our dedicated IPSec tunnels to partners work fine,
> it seems that our systems with web servers, OWA services, etc.. all work
> just fine.....
>
> --
and they'd still work fine if you allowed ICMPs. If allowing ICMPs
were dangerous then alarms would've been sent off long ago. ICMP has
been around for ages, there are no new developments to the ICMP
protocol. People that know all about how it works also know of no
alarms saying it can be attacked. People that know ICMP presumably
allow it because they know it's as dangerous as moving an icon slightly
(which might be very scary for a middle aged woman). (Though against
me, perhaps an OS may rewrite the part that responds to ICMP and there
might be an exploit in their code, but similarly there may be an
exploit in their code that is rejecting ICMP.)
As that article argued, besides breaking RFCs and breaking the
protocols,
Besides all those arguments in the article and the technical problems
with not responding to ICMP (just because your setup doesn't include
situations where you'll run into the problems, does not mean the
problems do not exist).
Suppose you want to know if a computer is online. A safe way is to ping
it. You don't want to set up a service running on the computer and
connect to it. Ping tests that other comps can communicate with the
comp. It's a necessary diagnostic test. What's the alternative?
User makes an outgoing connection? Suppose he can't for some reason.
You want to know if he is online.
Ping is a very convenient diagnostic tool.
Re: Ok to let all ICMP traffic through firewall?
on 23.09.2005 04:40:02 by mark
wrote in message
news:1127439270.085843.66150@z14g2000cwz.googlegroups.com...
> and they'd still work fine if you allowed ICMPs. If allowing ICMPs
> were dangerous then alarms would've been sent off long ago. ICMP has
> been around for ages, there are no new developments to the ICMP
> protocol. People that know all about how it works also know of no
> alarms saying it can be attacked. People that know ICMP presumably
> allow it because they know it's as dangerous as moving an icon slightly
> (which might be very scary for a middle aged woman). (though against
> me, perhaps an OS may rewrite the part that responds to ICMP and there
> might be an exploit in their code, but similarly there may be an
> exploit in their code that is rejecting ICMP)
>
> As that article argued, besides breaking RFCs and breaking the
> protocols,
>
> Besides all those arguments in the article and the technical problems
> with not responding to ICMP (just because your setup doesn't include
> situations where you'll run into the problems, does not mean the
> problems do not exist).
>
> Suppose you want to know if a computer is online. A safe way is to ping
> it. You don't want to set up a service running on the computer and
> connect to it. Ping tests that other comps can communicate with the
> comp. It's a necessary diagnostic test. What's the alternative?
> User makes an outgoing connection? Suppose he can't for some reason.
> You want to know if he is online.
>
> ping is a very convenient diagnostic tool.
>
Yes it is, ever heard of PING NMAP?
Google it and security and firewalls.
Re: Ok to let all ICMP traffic through firewall?
on 23.09.2005 05:23:16 by Imhotep
Leythos wrote:
> In article <433331d9$0$32652$da0feed9@news.zen.co.uk>,
> abuse@dopiaza.cabal.org.uk says...
>> Franklin wrote:
>> > My question is Should a firewall let all ICMP traffic through
>> > because there is no real risk if they do?
>>
>> No, because some ICMP messages aren't useful. However blocking all
>> ICMP is throwing the baby out with the bathwater and will cause more
>> bother than not blocking anything.
>>
>> I would suggest allowing ICMP Echo and Echo Reply (so ping works),
>> Destination Unreachable (which includes "fragmentation required",
>> essential for PMTUD to work) and Time Exceeded (so traceroute works.)
>> Everything else looks to be fair game to drop.
>>
>> While I'm suggesting firewall rules, can people also not silently drop
>> SYNs to port 113 please? All sorts of servers try RFC1413 lookups and
>> stall while waiting for a response. The firewall user is usually the
>> first to complain that it's taking ages to connect to a certain remote
>> server.
>
> There is NO BOTHER - you set the rules and then let them work. You don't
> need to allow PING, in fact why the heck would you want to allow PING,
> it's not like it's a valid test that your network is alive - we've got
> tons of commercial networks that block PING and none of the users even
> notice.
>
> Allowing anything inbound, even to the firewall, that doesn't
> specifically need to be let in is a bad move.
>
> Allowing in minimal traffic that "might" not be a threat is like
> trusting Windows Firewall with File/Printer sharing enabled on a
> computer directly connected to the Internet with all of your financial
> data stored on it in a text file that is named "ALL MY FINANCIAL
> DATA.TXT" sitting in the root.
>
LOL...
Imhotep
Re: Ok to let all ICMP traffic through firewall?
on 23.09.2005 07:15:07 by Imhotep
Leythos wrote:
> In article <176uZD2KcidF-pn2-yKJP7XquDBiB@rikki.tavi.co.uk>, rde42
> @spamcop.net says...
>> On Thu, 22 Sep 2005 23:13:55 UTC, Leythos wrote:
>>
>> > > In practice, you need to let a few ICMP messages through, then. For
>> > > example, source quench and destination unreachable.
>> >
>> > Wrong, you don't NEED to allow anything. You may FEEL that you do, but
>> > we've got almost 100 networks that don't allow ICMP or anything else
>> > inbound and they work just fine, and we'll not change them.
>>
>> You're wrong. But that's fine. You just carry on.
>
> Then, when we're running along for the last few years, blocking all ICMP
> inbound and at the firewall, what are we denying ourselves?
>
> It seems that our networks work, that we can VPN into the office just
> fine, etc...
>
> It seems that all of our dedicated IPSec tunnels to partners work fine,
> it seems that our systems with web servers, OWA services, etc.. all work
> just fine.....
>
Honestly, you CAN block all ICMP types, however, it is not optimal. Some
ICMPs are in fact needed for normal TCP/UDP/IP operations (well, efficient
anyway)... i.e. without flow control, it will appear that things are
"hanging", equating to those nasty users saying the "network is slow"... when
in fact the host has not been informed to slow itself down and as such will
keep on sending packets (which are only being dropped and retransmitted yet
all over again).
Summary: In my opinion, allow a few ICMPs (source quench, and the misc
unreachables) and deny everything else (incoming)....
Just my opinion though,
Imhotep
Re: Ok to let all ICMP traffic through firewall?
on 23.09.2005 09:17:46 by Nobody
In comp.security.firewalls Mark wrote:
>
>
> Yes it is, ever heard of PING NMAP?
>
> Google it and security and firewalls.
>
or PING of Death?
--
Consultants are mystical people who ask a company for a number and then
give it back to them.
MSN/Mail: pboosten at hotmail dot com
Re: Ok to let all ICMP traffic through firewall?
on 23.09.2005 10:22:54 by Mike Scott
Peter wrote:
> Franklin wrote:
>
>>My question is Should a firewall let all ICMP traffic through
>>because there is no real risk if they do?
>
>
> No, because some ICMP messages aren't useful. However blocking all
> ICMP is throwing the baby out with the bathwater and will cause more
> bother than not blocking anything.
>
> I would suggest allowing ICMP Echo and Echo Reply (so ping works),
> Destination Unreachable (which includes "fragmentation required",
> essential for PMTUD to work) and Time Exceeded (so traceroute works.)
> Everything else looks to be fair game to drop.
But a decent firewall will be stateful - so e.g. outbound ping will enable
the reply to be received. No-one 'out there' has any business pinging
me so they don't get to do it.
I am well aware it's against the rules, but I block all unsolicited
inbound ICMP - never noticed any problems. I'm afraid the RFCs were
drawn up in a less dangerous internet age :-(
>
> While I'm suggesting firewall rules, can people also not silently drop
> SYNs to port 113 please? All sorts of servers try RFC1413 lookups and
> stall while waiting for a response. The firewall user is usually the
> first to complain that it's taking ages to connect to a certain remote
> server.
>
Agreed. A real pain for some SMTP servers in particular. My firewall
just sends a reset.
--
Please use the corrected version of the address below for replies.
Replies to the header address will be junked, as will mail from
various domains listed at www.scottsonline.org.uk
Mike Scott Harlow Essex England.(unet -a-t- scottsonline.org.uk)
Re: Ok to let all ICMP traffic through firewall?
on 23.09.2005 11:10:40 by unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
on 23.09.2005 12:27:46 by Volker Birk
In comp.security.firewalls Franklin wrote:
> My question is Should a firewall let all ICMP traffic through because
> there is no real risk if they do?
It does not need to let _all_ ICMP traffic through. But it would be a
good idea not to deny all ICMP traffic.
It is a good idea to allow at least ICMP messages of the
types 0, 3, 4, 8, 11, 12, see RFC 792.
F'up2 comp.security.firewalls.
Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms."
Harald Schmidt on the "Weltjugendtag" (World Youth Day)
Re: Ok to let all ICMP traffic through firewall?
on 23.09.2005 14:13:52 by Volker Birk
In comp.security.firewalls jameshanley39@yahoo.co.uk wrote:
> it is my understanding that stealthing ports has absolutely nothing to
> do with ICMP.
Oh yes, it has. Please read RFC 792, or just read <43088aac@news.uni-ulm.de>
F'up2 comp.security.firewalls
Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms."
Harald Schmidt on the "Weltjugendtag" (World Youth Day)
Re: Ok to let all ICMP traffic through firewall?
on 23.09.2005 15:54:10 by DM McGowan II
On 22 Sep 2005 22:36:09 GMT, abuse@dopiaza.cabal.org.uk (Peter) wrote:
>I would suggest allowing ICMP Echo and Echo Reply (so ping works),
Be sure to deny Echo Request that is sent to the broadcast address for
your subnet (.255 and .0 for /24 subnets). If a malicious person
sends several hundred of those per second, you'll wind up with a lot
of ICMP traffic on your subnet as each host tries to send back the
reply.
Re: Ok to let all ICMP traffic through firewall?
on 23.09.2005 16:11:11 by abuse
Mike Scott wrote:
[...]
> But a decent firewall will be stateful - so eg outbound ping will
> enable the reply to be received. No-one 'out there' has any business
> pinging me so they don't get to do it.
That's your local policy, but not mine. I allow some remote sites to
ping me as part of mutual reachability testing.
> I am well aware it's against the rules, but I block all unsolicited
> inbound icmp - never noticed any problems. I'm afraid the rfc's were
> drawn up in a less dangerous internet age :-(
You block Destination Unreachable as well?
--
The poverty from which I have suffered could be diagnosed as "Soho" poverty. It
comes from having the airs and graces of a genius and no talent.
- Quentin Crisp
Re: Ok to let all ICMP traffic through firewall?
on 23.09.2005 17:48:01 by Dimitri Maziuk
Leythos sez:
> In article <176uZD2KcidF-pn2-yKJP7XquDBiB@rikki.tavi.co.uk>, rde42
> @spamcop.net says...
>> On Thu, 22 Sep 2005 23:13:55 UTC, Leythos wrote:
>>
>> > > In practice, you need to let a few ICMP messages through, then. For
>> > > example, source quench and destination unreachable.
>> >
>> > Wrong, you don't NEED to allow anything. You may FEEL that you do, but
>> > we've got almost 100 networks that don't allow ICMP or anything else
>> > inbound and they work just fine, and we'll not change them.
>>
>> You're wrong. But that's fine. You just carry on.
>
> Then, when we're running along for the last few years, blocking all ICMP
> inbound and at the firewall, what are we denying ourselves?
Your 100 networks are not, strictly speaking, a part of the Internet
since they don't comply with the Internet standards.
HTH, HANL
Dima
--
All whitespace is equivalent except in certain situations
-- ANSI C standard committee
Re: Ok to let all ICMP traffic through firewall?
on 23.09.2005 18:18:22 by Mike Scott
Peter wrote:
> Mike Scott wrote:
> [...]
>
>>But a decent firewall will be stateful - so eg outbound ping will
>>enable the reply to be received. No-one 'out there' has any business
>>pinging me so they don't get to do it.
>
>
> That's your local policy, but not mine. I allow some remote sites to
> ping me as part of mutual reachability testing.
Sounds like you're allowing them proper access. Fine by me :-)
>
>
>>I am well aware it's against the rules, but I block all unsolicited
>>inbound icmp - never noticed any problems. I'm afraid the rfc's were
>>drawn up in a less dangerous internet age :-(
>
>
> You block Destination Unreachable as well?
>
I believe (may be wrong though) that ipf is pretty clever about what it
lets through or not. Dest unreachable must match existing outbound
packets before it's useful, and I believe ipf will let appropriate (i.e.
implicitly "solicited") ones through. No doubt someone will correct me
if I'm wrong!
--
Please use the corrected version of the address below for replies.
Replies to the header address will be junked, as will mail from
various domains listed at www.scottsonline.org.uk
Mike Scott Harlow Essex England.(unet -a-t- scottsonline.org.uk)
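The advice scattered across the thread (Peter's allow list of Echo, Echo Reply, Destination Unreachable and Time Exceeded; Volker Birk's RFC 792 types 0, 3, 4, 8, 11, 12; DM McGowan II's warning about Echo Requests to the broadcast address; and Mike Scott's point that a stateful filter should only pass "solicited" Destination Unreachables) can be expressed as one inbound ICMP policy. The Python simulator below is an added example, not code from anyone in the thread or from ipf: the addresses, the flow table and every packet are constructed for the demo, and a real firewall would take the flow table from its own connection tracking.

```python
"""Simulated inbound ICMP policy for a stateful perimeter firewall (added
example; addresses, flow table and packets below are constructed)."""
import ipaddress
import struct

# RFC 792 type numbers named in the thread
ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, ECHO_REQUEST = 0, 3, 4, 8
TIME_EXCEEDED, PARAM_PROBLEM = 11, 12
# Error messages quote the offending datagram, so they can be tied to a flow
ERROR_TYPES = {DEST_UNREACH, SOURCE_QUENCH, TIME_EXCEEDED, PARAM_PROBLEM}
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit words; 0 for a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src: str, dst: str, proto: int) -> bytes:
    """Minimal IPv4 header as quoted inside an ICMP error (checksum left 0)."""
    return struct.pack(IPV4_HDR, 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def build_icmp(type_: int, code: int, payload: bytes = b"") -> bytes:
    """ICMP message with a correct checksum; the 'rest of header' word is 0."""
    body = struct.pack("!BBHI", type_, code, 0, 0) + payload
    return struct.pack("!BBHI", type_, code, inet_checksum(body), 0) + payload

def parse_icmp(raw: bytes):
    """Return (type, code, payload), or None when truncated or checksum fails."""
    if len(raw) < 8 or inet_checksum(raw) != 0:
        return None
    return raw[0], raw[1], raw[8:]

class IcmpPolicy:
    """Verdicts for inbound ICMP: answer unicast pings but never broadcast ones;
    pass Echo Replies and ICMP errors only when they relate to a flow we sent."""

    def __init__(self, local_net: str, flows):
        self.net = ipaddress.IPv4Network(local_net)
        self.flows = set(flows)  # (local_addr, remote_addr, proto) we originated

    def decide(self, src: str, dst: str, raw: bytes):
        parsed = parse_icmp(raw)
        if parsed is None:
            return "DROP", "malformed ICMP"
        type_, code, payload = parsed
        if type_ == ECHO_REQUEST:
            # Pings to the subnet's broadcast/network address make every host
            # answer at once (smurf amplification); only unicast is answered.
            dst_ip = ipaddress.IPv4Address(dst)
            if dst_ip in (self.net.broadcast_address, self.net.network_address):
                return "DROP", "echo request to broadcast/network address"
            return "ACCEPT", "echo request to a single host"
        if type_ == ECHO_REPLY:
            if (dst, src, IPPROTO_ICMP) in self.flows:
                return "ACCEPT", "echo reply to a ping we sent"
            return "DROP", "unsolicited echo reply"
        if type_ in ERROR_TYPES:
            # The quoted header must show our host as the sender of a known flow.
            if len(payload) < 20 or payload[0] >> 4 != 4:
                return "DROP", "ICMP error without a quoted IPv4 header"
            f = struct.unpack(IPV4_HDR, payload[:20])
            quoted = (str(ipaddress.IPv4Address(f[8])),
                      str(ipaddress.IPv4Address(f[9])), f[6])
            if quoted[0] == dst and quoted in self.flows:
                return "ACCEPT", "type %d code %d relates to our flow" % (type_, code)
            return "DROP", "ICMP error unrelated to any outbound flow"
        return "DROP", "ICMP type %d not accepted inbound" % type_

def demo():
    """Constructed scenario: 192.0.2.10 pinged 198.51.100.5 and has a TCP
    session plus a UDP traceroute probe toward 203.0.113.7."""
    fw = IcmpPolicy("192.0.2.0/24", {("192.0.2.10", "198.51.100.5", IPPROTO_ICMP),
                                     ("192.0.2.10", "203.0.113.7", IPPROTO_TCP),
                                     ("192.0.2.10", "203.0.113.7", IPPROTO_UDP)})
    our_tcp = build_ipv4_header("192.0.2.10", "203.0.113.7", IPPROTO_TCP)
    our_udp = build_ipv4_header("192.0.2.10", "203.0.113.7", IPPROTO_UDP)
    other = build_ipv4_header("192.0.2.10", "198.51.100.200", IPPROTO_TCP)
    ping = build_icmp(ECHO_REQUEST, 0, b"abc")
    cases = {
        "ping_host": fw.decide("198.51.100.5", "192.0.2.10", ping),
        "ping_broadcast": fw.decide("198.51.100.5", "192.0.2.255", ping),
        "reply_to_our_ping": fw.decide("198.51.100.5", "192.0.2.10", build_icmp(ECHO_REPLY, 0)),
        "unsolicited_reply": fw.decide("198.51.100.99", "192.0.2.10", build_icmp(ECHO_REPLY, 0)),
        # type 3 code 4 "fragmentation needed" quoting our TCP segment keeps PMTUD working
        "frag_needed": fw.decide("203.0.113.1", "192.0.2.10", build_icmp(DEST_UNREACH, 4, our_tcp)),
        # type 11 quoting our UDP probe keeps traceroute working
        "ttl_exceeded": fw.decide("203.0.113.1", "192.0.2.10", build_icmp(TIME_EXCEEDED, 0, our_udp)),
        "unreach_unrelated": fw.decide("203.0.113.1", "192.0.2.10", build_icmp(DEST_UNREACH, 1, other)),
        "bad_checksum": fw.decide("198.51.100.5", "192.0.2.10", ping[:-1] + b"\x00"),
    }
    return {name: verdict for name, (verdict, _reason) in cases.items()}

if __name__ == "__main__":
    print(demo())
```

Swapping `ECHO_REQUEST` out of the accepted set gives Mike Scott's stricter "no unsolicited ICMP at all" policy while still passing related errors, which is the distinction Peter's Destination Unreachable question turns on.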
Re: Ok to let all ICMP traffic through firewall?
on 23.09.2005 18:30:33 by unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
on 23.09.2005 19:01:36 by jameshanley39
Peter Boosten wrote:
> In comp.security.firewalls Mark wrote:
> >
> >
> > Yes it is, ever heard of PING NMAP?
> >
> > Google it and security and firewalls.
> >
>
> or PING of Death?
>
> --
That is indeed a logical reason to block ping. One wouldn't expect an
error in the ICMP protocol. But ping of death is probably an error
in the software handling ICMP, rather than the ICMP protocol itself.
Re: Ok to let all ICMP traffic through firewall?
on 23.09.2005 19:06:55 by jameshanley39
Leythos wrote:
> In article <1127439270.085843.66150@z14g2000cwz.googlegroups.com>,
> jameshanley39@yahoo.co.uk says...
> > Leythos wrote:
> > > In article <176uZD2KcidF-pn2-yKJP7XquDBiB@rikki.tavi.co.uk>, rde42
> > > @spamcop.net says...
> > > > On Thu, 22 Sep 2005 23:13:55 UTC, Leythos wrote:
> > > >
> > > > > > In practice, you need to let a few ICMP messages through, then. For
> > > > > > example, source quench and destination unreachable.
> > > > >
> > > > > Wrong, you don't NEED to allow anything. You may FEEL that you do, but
> > > > > we've got almost 100 networks that don't allow ICMP or anything else
> > > > > inbound and they work just fine, and we'll not change them.
> > > >
> > > > You're wrong. But that's fine. You just carry on.
> > >
> > > Then, when we're running along for the last few years, blocking all ICMP
> > > inbound and at the firewall, what are we denying ourselves?
> > >
> > > It seems that our networks work, that we can VPN into the office just
> > > fine, etc...
> > >
> > > It seems that all of our dedicated IPSec tunnels to partners work fine,
> > > it seems that our systems with web servers, OWA services, etc.. all work
> > > just fine.....
> > >
> > > --
> >
> > and they'd still work fine if you allowed ICMPs. If allowing ICMPs
> > were dangerous then alarms would've been sent off long ago. ICMP has
> > been around for ages, there are no new developments to the ICMP
> > protocol. People that know all about how it works also know of no
> > alarms saying it can be attacked.
> [snip]
>
> So, you're saying that it doesn't break any functionality that we use to
> block it, so we should allow it because the designers of it are almost
> positive that there is no exploit for it, but, since it's not going to
> hurt anything that even though I don't need it, I should allow it, even
> though I don't need it......
>
> If I don't need it I don't allow it - it's a very simple matter of
> security - never expose anything that you don't need to expose.
>
> --
And - as you said - if you did want ICMP responses, you could restrict
ICMP responses to hosts of your choosing.
But what if an ISP or non-ISP telephone computer tech is diagnosing a
non-technical home user? The user doesn't have the ability to block
ICMP on only certain hosts. The home user isn't running any services
either (may be behind a NAT device). Ping is ideal in this instance.
What other option is there to see that he is online, as a first step
in diagnosing the problem?
Re: Ok to let all ICMP traffic through firewall?
on 23.09.2005 19:36:47 by unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
on 23.09.2005 19:45:24 by speeder
On 23 Sep 2005 12:27:46 +0200, Volker Birk wrote:
>In comp.security.firewalls Franklin wrote:
>> My question is Should a firewall let all ICMP traffic through because
>> there is no real risk if they do?
>
>It does not need to let _all_ ICMP traffic through. But it would be a
>good idea not to deny every ICMP traffic.
>
>It is a good idea to allow at least ICMP messages of the
>types 0, 3, 4, 8, 11, 12, see RFC 792.
Thank you. Finally a straight answer.
Re: Ok to let all ICMP traffic through firewall?
am 23.09.2005 20:22:39 von Dimitri Maziuk
Leythos sez:
> In article , dima@
> 127.0.0.1 says...
....
>> > Then, when we're running along for the last few years, blocking all ICMP
>> > inbound and at the firewall, what are we denying ourselves?
>>
>> Your 100 networks are not, strictly speaking, a part of the Internet
>> since they don't comply with the Internet standards.
....
> The net is more than your narrow definition, there is a Use side, a
> Provide side, and a shared side.
Which part of "standard" do you not understand? Here's a hint: it
does not mean "flag" in this context.
Dima
--
Sufficiently advanced incompetence is indistinguishable from malice.
Re: Ok to let all ICMP traffic through firewall?
am 23.09.2005 20:26:33 von art
On Fri, 23 Sep 2005 17:36:47 GMT, Leythos wrote:
>> but what if an ISP or non ISP telephone computer tech is diagnosing a
>> non technical home user. The user doesn't have the ability to block
>> ICMP on only certain hosts. The home user isn't running any services
>> either (may be behind a NAT device). Ping is ideal in this instance.
>> What other option is there to see that he is online, as a first step
>> in diagnosing the problem?
>
>Sorry, that's not a good reason. The ISP can see if the modem is on-
>line, and the ISP can see if there is a connection between the modem and
>the NAT device or PC at the hardware level. You don't have to allow ping
>for any testing/reason, there are always ways around it.
I'm curious .... how does the ISP know?
In that vein, I noticed Sygate alerting on the kernel (I think it was)
calling out. Using the traffic log I found that the attempts were to
my ISP. Blocking the attempts has no effect on my internet activity,
as near as I can tell. I wonder what the purpose of this attempted
outbound might be. I don't use any software supplied by my ISP, so
it's not spyware (which some ISPs do use).
Art
http://home.epix.net/~artnpeg
Re: Ok to let all ICMP traffic through firewall?
am 23.09.2005 20:43:23 von unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
am 23.09.2005 21:01:45 von unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
am 23.09.2005 22:14:55 von Casey Klc
In article <4333d8a2@news.uni-ulm.de>, bumens@dingens.org says...
> In comp.security.firewalls Franklin wrote:
> > My question is Should a firewall let all ICMP traffic through because
> > there is no real risk if they do?
>
> It does not need to let _all_ ICMP traffic through. But it would be a
> good idea not to deny every ICMP traffic.
>
> It is a good idea to allow at least ICMP messages of the
> types 0, 3, 4, 8, 11, 12, see RFC 792.
>
> F'up2 comp.security.firewalls.
>
> Yours,
> VB.
>
Which ones incoming and which ones outgoing?
Thanks, Casey
Re: Ok to let all ICMP traffic through firewall?
am 23.09.2005 22:19:09 von Volker Birk
Casey Klc wrote:
> > It is a good idea to allow at least ICMP messages of the
> > types 0, 3, 4, 8, 11, 12, see RFC 792.
> > F'up2 comp.security.firewalls.
> Which ones incoming and which ones outgoing?
Please read RFC 792, then you'll understand.
Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"
Re: Ok to let all ICMP traffic through firewall?
am 23.09.2005 22:23:49 von Bob Eager
On Fri, 23 Sep 2005 16:30:33 UTC, Leythos wrote:
> > Your 100 networks are not, strictly speaking, a part of the Internet
> > since they don't comply with the Internet standards.
>
> Then there are many users/companies that are not part of the Internet as
> many companies block many of the services provided for in the RFC's.
> Blocking Ping is very common, as is blocking inbound 135~139, 445, FTP,
> etc...
You are confusing two different layers. Blocking ICMP is one thing, but
not supporting an application protocol is quite another. It worries me
that you don't appear to understand the difference.
> Nowhere in the RFC's does it say that it's mandated that I must offer
> services in order to use the Internet networks.
ICMP isn't a service, but part of the underlying protocol stack; a fact
which you ignore because you apparently don't know any better.
--
[ 7'ism - a condition by which the sufferer experiences an inability
to give concise answers, express reasoned argument or opinion.
Usually accompanied by silly noises and gestures - incurable, early
euthanasia recommended. ]
Re: Ok to let all ICMP traffic through firewall?
am 23.09.2005 22:43:04 von Dave Dowson
On Fri, 23 Sep 2005 19:01:45 GMT, Leythos
wrote:
> So, show me where our decision to not allow ICMP hurts our ability to
> provide the services we do, impacts our ability to use Internet
> services, or our ability to share information with our business
> partners, or stuff it.
How do you handle PMTU discovery - or do you prevent segments with the
DF bit set leaving your network, or do you mangle the headers and
remove the DF flag, or do you just accept that some sites on that
Internet may not be reachable from nodes on your network, or do you
rely on Windows' rather inefficient "PMTU Blackhole discovery" feature
working?
If you don't allow *any* inbound ICMP and don't implement effective
workarounds then you (or your network users) would have some problems
with all of my locally hosted servers - but then you don't have
access anyway, so maybe you can live with the fact that your
implementation is broken ;-)
PS - You are not alone in your screwed up thinking - the company I
used to work for adopted a similar policy, and it effectively
caused all my VPN connections from work to home to fail. Easy
to 'fix' since I controlled the 'home' end of the VPN, but not
necessarily quite so easy to fix for an arbitrary site on the
Internet.
Re: Ok to let all ICMP traffic through firewall?
am 24.09.2005 00:49:14 von Steve Welsh
Leythos wrote:
> (or more if your device has multiple ports)
Are you telling me they can read your router's ARP table then?
Steve
Re: Ok to let all ICMP traffic through firewall?
am 24.09.2005 00:54:32 von Steve Welsh
Leythos wrote:
>
> So, you've failed to show why I must allow ANY form of ICMP, other than
> you whining about the RFC's - my network designs do not require any
> public exposure of ICMP, don't break anything that our partners or our
> network needs, and provide one less exposure (actually many less, ICMP
> is just one example)....
>
I guess that you and your company would be quite happy then if your ISP,
and other up-line carriers decided not to route any traffic from a
network that was not RFC compliant?
Think not ;)
Steve
Re: Ok to let all ICMP traffic through firewall?
am 24.09.2005 02:29:59 von Mike Civil
In article ,
Leythos wrote:
>Here is the RFC's introduction to the ICMP - and it even includes
>statements that indicate that it's not foolproof, some datagrams may
>still be lost, and that other protocols may not use it, that
>communications can be unreliable.....
The passages you refer to are talking about _IP_ and the use of ICMP
packets to report error situations in IP. The words not foolproof etc
refer to IP not ICMP.
Mike
Re: Ok to let all ICMP traffic through firewall?
am 24.09.2005 04:04:37 von unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
am 24.09.2005 04:06:07 von unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
am 24.09.2005 04:07:37 von unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
am 24.09.2005 04:08:27 von unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
am 24.09.2005 11:35:00 von Bob Eager
On Sat, 24 Sep 2005 02:04:37 UTC, Leythos wrote:
> In article <176uZD2KcidF-pn2-pu05rwv5JXnr@rikki.tavi.co.uk>, rde42
> @spamcop.net says...
> >
> > ICMP isn't a service, but part of the underlying protocol stack; a fact
> > which you ignore because you apparently don't know any better.
>
> Sorry to have confused you with other things I block. You said that I
> was breaking things by not allowing ICMP, I said that many security
> types block most things, not just ICMP and also indicated some things I
> block.
By bundling the two together, you indicated a lack of understanding of
the difference...
"Blocking Ping is very common, as is blocking inbound 135~139, 445, FTP,
etc..."
> Nothing in the RFC indicates I have to permit ICMP of any type - please
> show where it's mandated if you want to continue this, oh, and don't
> quote the RFC since I've already read it, years ago, and it's not
> mandated that I permit any ICMP inbound to my network.
As I said before...do what you like...it'll be your problem, not mine.
Oh, and I probably read the RFC long before you, anyway.
--
[ 7'ism - a condition by which the sufferer experiences an inability
to give concise answers, express reasoned argument or opinion.
Usually accompanied by silly noises and gestures - incurable, early
euthanasia recommended. ]
Re: Ok to let all ICMP traffic through firewall?
am 24.09.2005 11:35:02 von Bob Eager
On Sat, 24 Sep 2005 02:08:27 UTC, Leythos wrote:
> In article , mike@duncodin.org says...
> > In article ,
> > Leythos wrote:
> > >Here is the RFC's introduction to the ICMP - and it even includes
> > >statements that indicate that it's not foolproof, some datagrams may
> > >still be lost, and that other protocols may not use it, that
> > >communications can be unreliable.....
> >
> > The passages you refer to are talking about _IP_ and the use of ICMP
> > packets to report errors situations in IP. The words not foolproof etc
> > refer to IP not ICMP.
>
> Which does not change the fact that I can limit ICMP to my non-partners
> without impact on our communications.
Well, you think you can.
--
[ 7'ism - a condition by which the sufferer experiences an inability
to give concise answers, express reasoned argument or opinion.
Usually accompanied by silly noises and gestures - incurable, early
euthanasia recommended. ]
Re: Ok to let all ICMP traffic through firewall?
am 24.09.2005 14:45:19 von unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
am 24.09.2005 15:07:04 von Hairy One Kenobi
"Leythos" wrote in message
news:MPG.1d9d1560b23ca33698a0fe@news-server.columbus.rr.com...
> In article , abuse@[127.0.0.1]
> says...
> > Undoubtedly the case. Although one could quote lots of instances where it's
> > been damned useful.
> >
> > Well, *I* certainly can - usually when the web server has had a bit of a
> > funny turn, and one needs to tell if it's the server behind the firewall
> > (fat chance of fixing something from an adjacent continent), or whether it's
> > the ISP playing silly buggers with the connection (marginally more hope of
> > getting something sorted).
> >
> > As goes firewalls - I'm sure that most have already seen it, but:
> >
> > http://www.dilbert.com/comics/dilbert/archive/images/dilbert2813960050912.gif
>
> Funny, I don't expose our servers to Ping, and I seem to be able to
> monitor them all the time. If I need to expose PING to an external
> source I expose it to a specific IP and block all others.
I should have clarified (thought that it was clear from the context.. ah
well ;o)
This is monitoring my services from *outside* of the network.
Like most non-ISPs, I don't have a dedicated 24x7 staff to monitor systems
(this is a home network, before someone starts slinging companies that *do*
have this requirement).
On the Ping front, you'll find that the companies that you're hosting
(assuming that's what your part of the network does) are unlikely to appear
on many search engines - at least, that *used* to be the case - a "cheap"
PING before even attempting an HTTP GET.
Together, those made a pretty compelling case for me to switch ICMP back
on - I didn't (and still don't) see it as a major threat to my firewall
(and, after all, that's as far as the packet's going to get, right?
Certainly not into the DMZ...)
H1K
Re: Ok to let all ICMP traffic through firewall?
am 24.09.2005 15:36:18 von Chris
> By bundling the two together, you indicated a lack of understanding of
> the difference...
>
> "Blocking Ping is very common, as is blocking inbound 135~139, 445, FTP,
> etc..."
>
I think that it's a bit of a stretch to suggest that someone stating that
blocking ping is very common, as is blocking inbound traffic to "135~139,
445, FTP, etc..." shows a lack of understanding of the difference. I think
that you've missed his point.
I like Chinese food as well as the occasional Indian but just because they
are mentioned in the same sentence shouldn't lead anyone to the conclusion
that I don't understand the difference between the two.
Re: Ok to let all ICMP traffic through firewall?
am 24.09.2005 17:26:42 von Volker Birk
In comp.security.misc Dave Dowson wrote:
> On Sat, 24 Sep 2005 02:06:07 GMT, Leythos wrote:
> > I already said we allow ICMP with partners and have no problems with
> > VPN's, we do not allow ICMP with the world as a general rule, just with
> > approved partners.
> I still can't understand why you would want to deliberately break a
> valuable feature of IP - and do so in a way such that a user will have
> no idea why their connection to a specific site on the Internet may
> work in some cases but not in others. It's your choice how you
> configure your network, of course, but it seems a rather idiotic
> configuration to me.
Of course, it is.
Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"
Re: Ok to let all ICMP traffic through firewall?
am 24.09.2005 21:27:15 von jameshanley39
Volker Birk wrote:
> In comp.security.firewalls jameshanley39@yahoo.co.uk wrote:
> > it is my understanding that stealthing ports has absolutely nothing to
> > do with ICMP.
>
> Oh yes, it has. Please read RFC 792, or just read <43088aac@news.uni-ulm.de>
>
> F'up2 comp.security.firewalls
>
I agree that people stealth because they think it makes them safer. And
it's pointless to stealth if they're not going to block ICMP too.
If they're trying to make themselves invisible, and they stealth their
ports, then blocking ICMP is very relevant. Furthermore, perhaps
blocking ICMP makes more sense in terms of invisibility than stealthing
does. (I do not know how to check if one of my comps is online
remotely without pinging it)
Is that what you meant? If so then you misunderstood me.
My point is that technically they are totally different concepts.
Stealthing breaks TCP protocol. Blocking ICMP breaks ICMP protocol.
Different layers. Technically they have absolutely nothing to do with
each other. I'm sure I can set my firewall to stealth my ports (which
most PFWs do automatically), and respond to ICMP.
By the way, how can nmap test if a port is stealthed, whereas people
complain saying online scanners cannot say a port is stealthed? If
stealth gives no response whatsoever, then surely 'unable to determine'
is the best that either an online scanner or nmap can give. They can
only say "most likely it is stealthed".
And that assumes the comp exists, which if they can't ping it either,
seems hard to tell.
Re: Ok to let all ICMP traffic through firewall?
am 24.09.2005 22:25:55 von unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
am 24.09.2005 23:21:52 von unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
am 24.09.2005 23:24:24 von unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
am 24.09.2005 23:26:54 von unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
am 25.09.2005 00:40:06 von unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
am 25.09.2005 01:00:39 von unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
am 25.09.2005 01:43:06 von Hairy One Kenobi
"Leythos" wrote in message
news:MPG.1d9f8e2789e1e72a98a110@news-server.columbus.rr.com...
> In article , abuse@[127.0.0.1]
> says...
> > Like most non-ISPs, I don't have a dedicated 24x7 staff to monitor systems
> > (this is a home network, before someone starts slinging companies that *do*
> > have this requirement).
>
> Like I've said many times before - ICMP is exposed to partner
> sites/companies, blocked to the rest of the world. If we have no
> communications need with you then we don't expose anything to you.
>
> Your example of Ping would fall into a business need - so there would be
> a rule exception allowing PING from your designated monitoring service.
Actually, it's not that simple (I'll stress again that this is *my*
particular need, but not one that is particularly uncommon)
My monitoring service is me, with either my phone or a laptop.
I need to be able to connect from a variety of countries, and a (for my
purposes) essentially random series of ISPs and routing networks.
I understand completely that this isn't the same as /your/ need - you are
obviously providing a specific service to a very geographically limited set
of known users. Although I'd be wary, once one of them attempts DR. 'Tis
amazing what comes out of the woodwork when that happens... I've had to do
it for real, courtesy of the PIRA.
H1K
Re: Ok to let all ICMP traffic through firewall?
am 25.09.2005 02:10:30 von roberson
In article ,
Dave Dowson wrote:
:Tell me - what is the risk of sending an ICMP packet to anyone?
:You've said that you block such responses - but why? What is the risk
:you perceive in sending a messages which (in general) does not require
:a response and so cannot have any impact on your network? Or are you
:suggesting that your networks are so insecure that you need to protect
:them from things that would not even be a threat to the clueless
:newbie home computer user?
There was an attack publicized within the last few years, in
which attackers sent ICMP Network Redirect and Host Redirect
(which don't require responses...) specifying IP addresses
of major banking sites. Networks whose administrators were not
blocking ICMP Redirects had their users redirected to clone
sites made to -look- like the banking sites, but which copied
the username and passwords entered; the perpetrators then
proceeded to steal from peoples' bank accounts and credit cards.
--
Re: Ok to let all ICMP traffic through firewall?
am 25.09.2005 02:11:12 von Mike Civil
In article ,
Leythos wrote:
>Which does not change the fact that I can limit ICMP to my non-partners
>without impact on our communications.
I'm sorry but I don't think you know what you're talking about. As
you've previously quoted, without apparently understanding it, ICMP is
predominantly a mechanism for reporting an error in IP. If you block it,
and don't (or rarely) have an error at the IP level, then your setup
will work - because there are no errors and ICMP simply isn't
involved. If an error should occur then your blocking of ICMP could
then prevent you from detecting and diagnosing faults, or allowing your
application(s) to handle them.
But it's your setup, and I think we'll just have to agree to differ.
Mike
Re: Ok to let all ICMP traffic through firewall?
am 25.09.2005 02:16:24 von unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
am 25.09.2005 07:29:10 von Volker Birk
jameshanley39@yahoo.co.uk wrote:
> And
> it's pointless to stealth if they're not going to block ICMP too.
It's pointless to "stealth" anyway. nmap -P0 exists.
> If they're trying to make themselves invisible, and they stealth their
> ports, then blocking ICMP is very relevant.
No.
> By the way. how can nmap test if a port is stealthed, whereas people
> complain saying online scanners cannot say a port is stealthed?
Because people are complaining about the wrong things.
> If
> stealth gives no response whatsoever, then surely 'unable to determine'
> is the best that either an online scanner or nmap can give.
Because an ICMP type 3 with code 0 or 1 will come back if there is no
host, and if no such packet comes, there is a host. Because no TCP RST
and no ICMP type 3 with code 3 comes back, the port is "stealthed".
The ICMP packets are not sent by the host itself, but by the router
before it.
Please read RFC 792.
Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"
Re: Ok to let all ICMP traffic through firewall?
am 25.09.2005 07:34:02 von Volker Birk
In comp.security.firewalls Walter Roberson wrote:
> There was an attack publicized within the last few years, in
> which attackers sent ICMP Network Redirect and Host Redirect
> (which don't require responses...) specifying IP addresses
Yes. This is the reason to filter redirects.
Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"
Re: Ok to let all ICMP traffic through firewall?
am 25.09.2005 08:04:25 von mark
Dave Dowson wrote:
> On Sat, 24 Sep 2005 21:21:52 GMT, Leythos
> wrote:
>
>
>>Now do you understand - it's actually rather simple - the "users" that
>>need to have ICMP responses from our networks get it, ones that don't do
>>not get it.
>
>
> Hang on a minute, so now you are saying that you block outgoing ICMP
> (i.e. responses) to selected parties - earlier you said you blocked
> incoming ICMP. So maybe you block both.
>
> Tell me - what is the risk of sending an ICMP packet to anyone?
> You've said that you block such responses - but why? What is the risk
> you perceive in sending a messages which (in general) does not require
> a response and so cannot have any impact on your network?
Hopefully I'm not going to stray too far from the subject of ICMPs, but
I feel there could be a risk in allowing any IP packet to be sent to
anyone. No, it's not a general risk to your network because they
couldn't infect a machine on your network. But, they could be a
liability risk or just a risk of embarrassment.
For instance, what if a user on your internal network has knowledge of
malware that used covert channels to receive its instructions about
what to do? Then, that user used that knowledge to attack someone
else's network. Or, a machine on your network is infected with this
type of malware and is used in an attack because it received
instructions over a covert channel.
> Or are you
> suggesting that your networks are so insecure that you need to protect
> them from things that would not even be a threat to the clueless
> newbie home computer user?
That sounds like layered security to me. Why expose one thing just
because you think everything behind it is secured?
>
> And no, I don't understand your screwed up interpretation of the risks
> associated with what is a relatively simple out-of-band signalling
> protocol.
There are ways to send information or instructions to processes
listening on systems that allow any IP packet. It could be in an ICMP
or TCP or UDP or ESP or GRE (doesn't matter) payload. But, it doesn't
have to be in the payload. It could just be the timing between the
packets. It could be a particular sequence of IP IDs. Or, the use of
still undefined or experimental IP options.
But on a practical note, when it comes to ICMPs, I tend to block
everything except errors that are related to established connections.
But, that's just me. Obviously, there are many opinions on this subject.
Mark
Re: Ok to let all ICMP traffic through firewall?
am 25.09.2005 14:29:43 von somebody.
"Leythos" wrote in message
news:MPG.1d9e1b2addd7c42198a107@news-server.columbus.rr.com...
> In article , dima@
> 127.0.0.1 says...
> > Leythos sez:
> > > In article , dima@
> > > 127.0.0.1 says...
> > ...
> > >> > Then, when we're running along for the last few years, blocking all
ICMP
> > >> > inbound and at the firewall, what are we denying ourselves?
You just make diagnosis more difficult when things go wrong obviously, since
you can't ping. Also some devices that use ping for link monitoring will be
unhappy and need to be reconfigured or will have reduced functionality. If
you can live with this, and many people can, there is no big cost to you, to
block all ping at the firewall.
For example when ISPs block ping, it drives me crazy because when I deploy
NetScreens in the field with failover internet connections, they need to use
ping to determine if the link is up. So I can't enable failover when the
ISP blocks ping. Inevitably somebody re-enables auto failover detection and
it immediately fails over to dialup because it thinks the highspeed link is
down...
-Russ.
Re: Ok to let all ICMP traffic through firewall?
am 25.09.2005 15:39:10 von unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
am 25.09.2005 15:40:32 von unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
am 25.09.2005 15:45:13 von unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
am 25.09.2005 19:01:15 von art
On 22 Sep 2005 18:34:30 -0700, jameshanley39@yahoo.co.uk wrote:
>ping is a very convenient diagnostic tool.
Speaking of pinging:
http://www.worldnetdaily.com/news/article.asp?ARTICLE_ID=46501
Art
http://home.epix.net/~artnpeg
Re: Ok to let all ICMP traffic through firewall?
am 25.09.2005 19:26:31 von Juha Laiho
jameshanley39@yahoo.co.uk said:
>Peter Boosten wrote:
>> In comp.security.firewalls Mark wrote:
>> >
>> >
>> > Yes it is, ever heard of PING NMAP?
>> >
>> > Google it and security and firewalls.
>> >
>>
>> or PING of Death?
>>
>that is indeed a logical reason to block ping. One wouldn't expect an
>error in the ICMP protocol. But ping of death is probably an error
>in the software handling ICMP, rather than the ICMP protocol itself.
Pretty often the protocols themselves are solid (protocols as in protocol
definitions), but implementations are faulty - just as in the case of
ping-of-death.
The same goes for various ftp implementations, some ssh implementations,
some web server implementations, ... . Now, it's rather easy to disable
an unneeded ftp server (as to why it was enabled anyway - f.ex. that
was the vendor default, and the person doing the system installation
didn't think enough to disable it). But how do you disable ICMP handling?
You turn off the machine, more or less.
This is why you only let in those ICMP packets that affect your own
communications. F.ex., inbound ICMP echo-requests are prohibited (unless
you're facing a site that does an echo-request every time you connect
to it); allowed are only such ICMP echo replies which correspond to
a recent outbound ICMP echo request, and so on.
So, ICMP is good and needed (just as inbound TCP ack's are needed), for
such sessions that are known to exist. Rest of ICMP is noise which is
best ignored at network boundary. Just to give yourself a little more
time to patch when someone finds a new critical fault somewhere in the
network infrastructure code.
Speaking of allow/disallow, allow the things you know you need, don't
deny things you know you don't need. If you go the "deny" path, you
may overlook things like IP subprotocols other than the common three
(TCP, UDP, ICMP) - just because you didn't pay attention to the multiple
other values there can be in the subprotocol field.
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
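The policy that Walter Roberson (filter redirects), Mark (block everything except errors related to established connections) and Juha Laiho (only let in the ICMP that affects your own sessions, e.g. echo replies matching a recent outbound echo request) describe in the posts above, written out as a small stateful classifier. This is an added example for this thread, not code from any poster or from any firewall product. The class and function names, the verdict strings and the RFC 5737 sample addresses are assumptions; the packets are constructed inline and their checksums are neither computed nor verified. Note how an ICMP error is matched on the datagram it quotes rather than on its outer source address, which answers Mike Civil's point that the router raising the error is never one of the session's endpoints.

```python
import socket
import struct

# Protocol numbers and the ICMP types this policy distinguishes (RFC 792 values).
ICMP_PROTO, TCP_PROTO, UDP_PROTO = 1, 6, 17
ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, REDIRECT, ECHO_REQUEST, TIME_EXCEEDED, PARAM_PROBLEM = 0, 3, 4, 5, 8, 11, 12
ERROR_TYPES = {DEST_UNREACH, SOURCE_QUENCH, TIME_EXCEEDED, PARAM_PROBLEM}


def build_ipv4(proto, src, dst, payload, ttl=64):
    # Checksum stays 0: the example classifies packets, it does not verify them.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def parse_ipv4(buf):
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    return proto, socket.inet_ntoa(src), socket.inet_ntoa(dst), buf[(ver_ihl & 0x0F) * 4:]


def build_icmp(itype, code, rest=b"\0\0\0\0", payload=b""):
    return struct.pack("!BBH4s", itype, code, 0, rest) + payload


def parse_icmp(buf):
    itype, code, _, rest = struct.unpack("!BBH4s", buf[:8])
    return itype, code, rest, buf[8:]


class IcmpPolicy:
    # Inbound ICMP policy of a stateful firewall; sessions are learned from outbound traffic.
    def __init__(self, answer_echo_requests=True):
        self.answer_echo_requests = answer_echo_requests
        self.conns = set()          # (proto, our_ip, our_port, peer_ip, peer_port)
        self.pending_echo = set()   # (peer_ip, ident, seq) of echo requests we sent

    def note_outbound(self, pkt):
        proto, src, dst, payload = parse_ipv4(pkt)
        if proto in (TCP_PROTO, UDP_PROTO):
            sport, dport = struct.unpack("!HH", payload[:4])
            self.conns.add((proto, src, sport, dst, dport))
        elif proto == ICMP_PROTO:
            itype, _, rest, _ = parse_icmp(payload)
            if itype == ECHO_REQUEST:
                self.pending_echo.add((dst,) + struct.unpack("!HH", rest))

    def _quotes_our_session(self, quoted):
        # An ICMP error quotes the IP header plus 8 bytes of the datagram that caused
        # it. That datagram was ours, so its src is our side and its dst the peer.
        if len(quoted) < 28:
            return False
        proto, src, dst, payload = parse_ipv4(quoted)
        if proto in (TCP_PROTO, UDP_PROTO):
            sport, dport = struct.unpack("!HH", payload[:4])
            return (proto, src, sport, dst, dport) in self.conns
        if proto == ICMP_PROTO:
            itype, _, rest, _ = parse_icmp(payload)
            return itype == ECHO_REQUEST and (dst,) + struct.unpack("!HH", rest) in self.pending_echo
        return False

    def decide(self, pkt):
        # Returns (verdict, reason) for one inbound IPv4 datagram.
        proto, src, _, payload = parse_ipv4(pkt)
        if proto != ICMP_PROTO:
            return "PASS", "not ICMP; left to the TCP/UDP rules"
        itype, code, rest, body = parse_icmp(payload)
        if itype == REDIRECT:
            return "DROP", "redirect: a remote party must not rewrite our routing"
        if itype == ECHO_REQUEST:
            return ("ACCEPT" if self.answer_echo_requests else "DROP"), "echo request"
        if itype == ECHO_REPLY:
            key = (src,) + struct.unpack("!HH", rest)
            if key in self.pending_echo:
                self.pending_echo.discard(key)
                return "ACCEPT", "echo reply answers an outstanding echo request"
            return "DROP", "unsolicited echo reply"
        if itype in ERROR_TYPES:
            # The outer source is whichever router raised the error, not the peer,
            # so the match is made on the quoted datagram, never on the outer source.
            if self._quotes_our_session(body):
                return "ACCEPT", f"type {itype} code {code} refers to an active session"
            return "DROP", f"type {itype} code {code} refers to no session of ours"
        return "DROP", f"ICMP type {itype} is not needed by this host"


def demo():
    # Constructed sample traffic on RFC 5737 documentation addresses.
    us, peer, router = "192.0.2.10", "198.51.100.5", "203.0.113.1"
    pol = IcmpPolicy()
    tcp_syn = build_ipv4(TCP_PROTO, us, peer, struct.pack("!HHI", 40000, 443, 1))
    ping = build_ipv4(ICMP_PROTO, us, peer, build_icmp(ECHO_REQUEST, 0, struct.pack("!HH", 0x1234, 1), b"x" * 8))
    pol.note_outbound(tcp_syn)
    pol.note_outbound(ping)
    mtu = struct.pack("!HH", 0, 1400)   # "fragmentation needed" carries the next-hop MTU here
    other = build_ipv4(TCP_PROTO, us, peer, struct.pack("!HHI", 40000, 80, 1))  # never opened
    samples = {
        "frag_needed_ours": build_ipv4(ICMP_PROTO, router, us, build_icmp(DEST_UNREACH, 4, mtu, tcp_syn[:28])),
        "frag_needed_unknown": build_ipv4(ICMP_PROTO, router, us, build_icmp(DEST_UNREACH, 4, mtu, other[:28])),
        "redirect": build_ipv4(ICMP_PROTO, router, us, build_icmp(REDIRECT, 1, socket.inet_aton(router), tcp_syn[:28])),
        "echo_reply": build_ipv4(ICMP_PROTO, peer, us, build_icmp(ECHO_REPLY, 0, struct.pack("!HH", 0x1234, 1), b"x" * 8)),
        "echo_request": build_ipv4(ICMP_PROTO, peer, us, build_icmp(ECHO_REQUEST, 0, struct.pack("!HH", 7, 7))),
    }
    verdicts = {name: pol.decide(pkt)[0] for name, pkt in samples.items()}
    verdicts["echo_reply_replayed"] = pol.decide(samples["echo_reply"])[0]  # same reply again
    return verdicts
```

Running demo() accepts the "fragmentation needed" error for the HTTPS session we opened, drops the same error when it quotes a port-80 session we never had, drops the redirect regardless of what it quotes, accepts the echo reply once and drops its replay, and answers the inbound echo request as RFC 1122 requires; constructing IcmpPolicy(answer_echo_requests=False) gives the "stealth" variant the thread argues about while keeping every other rule unchanged.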
Re: Ok to let all ICMP traffic through firewall?
am 25.09.2005 19:30:49 von Juha Laiho
Leythos said:
>As with most ISP provided devices, you get a Cable or DSP modem when you
>get service from them - or a router if a T1, but not many home users
>have T1's.
By the way, that may vary a lot geographically. F.ex. here it's more
common that customers buy their own hardware. ISPs may have recommendation
lists (or lists of supported hardware), but the lists are not exclusive.
Using something outside the list just means that the ISP support has
never seen such a box, and doesn't have a ready configuration/help
sheet for it.
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
Re: Ok to let all ICMP traffic through firewall?
am 25.09.2005 20:33:25 von Hairy One Kenobi
"Leythos" wrote in message
news:MPG.1d9fb675753739dd98a11b@news-server.columbus.rr.com...
> In article , abuse@[127.0.0.1]
> says...
> > Actually, it's not that simple (I'll stress again that this is *my*
> > particular need, but not one that is particularly uncommon)
> >
> > My monitoring service is me, with either my phone or a laptop.
> >
> > I need to be able to connect from a variety of countries, and a (for my
> > purposes) essentially random series of ISPs and routing networks.
>
> Are you unable to connect via VPN of some form?
Correct.
And, in any case, any way of swooping into the DMZ is a much more
significant hole than allowing an ICMP Ping...
The network is generally stable (a daemon abend a year, if that), but is
hosted via what is officially a dynamic IP address.
Some ISPs seem to block access on a variety of ports. Ping can be dead
useful in those sorts of situations... I managed to run the demo I needed (me
in US, machine in UK) by running through a different port (technically
hosting a different site, but running a near-enough software level to the
"proper" demo).
I doubt that I would have remembered that redirected site was there, but for
getting a positive Ping with a negative "Internet" response on ports 80 and
443. ISP-specific blocking as it turned out (broken in Dallas, fine in
Chicago)
H1K
Re: Ok to let all ICMP traffic through firewall?
am 25.09.2005 21:38:32 von Mike Civil
In article ,
Leythos wrote:
>What parts are you missing about ICMP being permitted for PARTNERS?
OK, perhaps I'm not explaining myself well. I'm assuming from your
statements that you allow ICMP _only_ between permitted endpoints, yes?
If so, under what error scenarios do you think the endpoints are going
to need to send ICMP packets to each other?
Now consider the routers along any one of the potential paths between
your endpoints. In certain circumstances these devices could want to
advise you of IP error events and will send ICMP packets to you. These
ICMP packets will have an originating address not of your endpoints,
and you will therefore block them. Correct?
Mike
Re: Ok to let all ICMP traffic through firewall?
am 25.09.2005 22:09:12 von unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
am 25.09.2005 22:29:32 von unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
am 25.09.2005 23:58:58 von unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
am 26.09.2005 00:14:34 von Steve Welsh
You totally missed the point of what Dave Civil was trying to say!!
Leythos wrote:
> In article , a031003
> ${dd}.nospam@ddka.invalid says...
>
>>On Sun, 25 Sep 2005 20:09:12 GMT, Leythos
>> wrote:
>>
>>
>>>Errors are not fixed by ICMP and are not going to cause a failure in
>>>communications. You can still get the data.
>>
>>Errors may not be "fixed" by ICMP but ICMP may just tell you what you need to
>>do in order to fix something - e.g. ICMP type 3 codes 4, 11 and 12. If you
>>trash the ICMP response then you may end up with a failed connection which
>>would have otherwise worked without any problem - so no - ignoring ICMP does
>>not mean that you still get the data in all circumstances.
>
>
> I agree, but since we allow ICMP to approved sites/connections, but
> block it to the rest of the world, it doesn't really matter if there is
> a problem for the blocked ones - see the point now?
>
Re: Ok to let all ICMP traffic through firewall?
am 26.09.2005 00:17:46 von Mike Civil
In article ,
Leythos wrote:
>Errors are not fixed by ICMP and are not going to cause a failure in
>communications. You can still get the data.
What the hell are you talking about, or are you being deliberately
obtuse? At some time in the future your company may be in a position
where data isn't getting through because of a problem in the intervening
path, and the only way an intermediate device can advise you of the
reason is by sending ICMP. Which it sounds like you are filtering out.
Mike
Re: Ok to let all ICMP traffic through firewall?
am 26.09.2005 00:32:28 von unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
am 26.09.2005 00:36:37 von unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
am 26.09.2005 02:43:08 von roberson
In article ,
Mike Civil wrote:
:What the hell are you talking about, or are you being deliberately
:obtuse? At some time in the future your company may be in a position
:where data isn't getting through because of a problem in the intervening
:path, and the the only way an intermediate device can advise you of the
:reason is by sending ICMP. Which it sounds like you are filtering out.
If the routing infrastructure he is using enters a routing loop, then
a) there is a substantial chance that the ICMP TTL Exceeded won't
get back either; and
b) the NOC for the infrastructure is likely going to find out and act on it
faster than he would get a page saying "TTL exceeded" and log in
and track down the cause and call the NOC.
If the routing infrastructure does not enter a routing loop, but loses
the route, then if he has multiple routes then his routing protocol
is going to notice the problem and adjust automatically. There are no
routing protocols that I can think of that use icmp to determine whether
the routing is working or not.
If the route is lost and he has only a single route, then his monitoring
software is going to stop hearing back from the other side, and he
will get an appropriate notification and will investigate. That
investigation might be helped by the availability of icmp; if so
then he can turn reception of icmp on at the time.
--
When Love is gone, there's always Justice.
When Justice is gone, there's always Force.
When Force is gone, there's always Mom. -- Laurie Anderson
Re: Ok to let all ICMP traffic through firewall?
on 26.09.2005 03:58:41 by roberson
In article <433635a6@news.uni-ulm.de>, Volker Birk wrote:
>jameshanley39@yahoo.co.uk wrote:
>> If
>> stealth gives no response whatsoever, then surely 'unable to determine'
>> is the best that either an online scanner or nmap can give.
>Because an ICMP type 3 with code 0 or 1 will come if there is no
>host, and if no such packet is coming, there is a host. Because there
>is no TCP RST and no ICMP type 3 with code 3 coming back, the port is
>"stealthed".
If you get no answer, all you know is that -something- along the way
either did not generate a response or else that something dropped
the response. That "something" is not necessarily the end host.
Our firewall drops icmp echo packets to hosts we don't permit echo
to. No response is generated at all. That doesn't tell you whether
the host exists or not.
--
University of Calgary researcher Christopher Auld has found that
milk is the most "rational addiction" amongst the several studied.
Re: Ok to let all ICMP traffic through firewall?
on 26.09.2005 07:27:56 by Volker Birk
In comp.security.firewalls Art wrote:
> http://www.worldnetdaily.com/news/article.asp?ARTICLE_ID=46501
If this really works with latency times, then it's no danger for
Tor or AN.ON.
Yours,
VB.
--
"It cannot be that the frustrated ones in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"
Re: Ok to let all ICMP traffic through firewall?
on 26.09.2005 07:36:22 by Volker Birk
Walter Roberson wrote:
> If you get no answer, all you know is that -something- along the way
> either did not generate a response or else that something dropped
> the response. That "something" is not necessarily the end host.
Yes, of course. And if I send IP packets over a line, where the other
hosts only understand IPX, then I will not get a response either. But
what should that explain?
We're talking about the TCP/IP protocol family here, aren't we?
> Our firewall drops icmp echo packets to hosts we don't permit echo
> to. No response is generated at all. That doesn't tell you whether
> the host exists or not.
And we're not talking about ICMP echo.
Yours,
VB.
--
"It cannot be that the frustrated ones in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"
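The disagreement above between Walter Roberson and Volker Birk, about what a remote observer can conclude from a reply or from silence, worked through as an added Python example; this is not code from either poster. The Host class, the reply_to and infer functions, the policy names and the scenario labels are assumptions made for the model. It sends no packets: it only tabulates which reply each policy produces (TCP RST, ICMP type 3 code 3, nothing) and what may legitimately be inferred from it, including the case where a filter on the path makes a live "stealth" host indistinguishable from an address with no host at all.

```python
"""Model what a remote observer learns from a host's reply under REJECT vs
DROP ("stealth") policies, and why silence is ambiguous (added example)."""
from dataclasses import dataclass, field
from typing import Optional

# Policies for a TCP SYN arriving at a closed port (names are assumptions):
#   "reject-rst"  : answer with TCP RST (the normal closed port)
#   "reject-icmp" : answer with ICMP type 3 code 3 (port unreachable)
#   "drop"        : say nothing ("stealth")


@dataclass
class Host:
    open_ports: set = field(default_factory=set)
    closed_policy: str = "reject-rst"
    answers_echo: bool = True


def reply_to(host: Optional[Host], probe: tuple, path_drops_icmp: bool = False) -> Optional[str]:
    """The reply an observer sees for one probe, or None for silence.

    host=None models an address with no host behind it: the last-hop router
    answers with ICMP type 3 code 1 (host unreachable). path_drops_icmp models
    a firewall between observer and target that silently discards ICMP."""
    if host is None:
        return None if path_drops_icmp else "ICMP 3/1"
    if probe[0] == "icmp_echo":
        if host.answers_echo and not path_drops_icmp:
            return "ICMP 0/0"
        return None
    port = probe[1]
    if port in host.open_ports:
        return "TCP SYN/ACK"
    if host.closed_policy == "reject-rst":
        return "TCP RST"
    if host.closed_policy == "reject-icmp":
        return None if path_drops_icmp else "ICMP 3/3"
    return None  # "drop": the stealth case, nothing goes back


def infer(reply: Optional[str]) -> str:
    """What the observer can legitimately conclude from the reply."""
    conclusions = {
        "TCP SYN/ACK": "host up, port open",
        "TCP RST": "host up, port closed",
        "ICMP 3/3": "host up, port closed",
        "ICMP 3/0": "no host: router reports net unreachable",
        "ICMP 3/1": "no host: router reports host unreachable",
        "ICMP 0/0": "host up",
    }
    # Silence is ambiguous: absent host, dropping host, or a filter on the path.
    return conclusions.get(reply, "unknown: absent host, dropping host, or filtered path")


def scenarios() -> dict:
    """Run the cases discussed in the thread and return {label: conclusion}."""
    syn = ("tcp_syn", 25)
    echo = ("icmp_echo",)
    cases = {
        "closed port, REJECT with RST": reply_to(Host(closed_policy="reject-rst"), syn),
        "closed port, REJECT with ICMP 3/3": reply_to(Host(closed_policy="reject-icmp"), syn),
        "closed port, DROP (stealth)": reply_to(Host(closed_policy="drop"), syn),
        "no host at address": reply_to(None, syn),
        "no host, ICMP filtered on path": reply_to(None, syn, path_drops_icmp=True),
        "echo to host that answers": reply_to(Host(), echo),
        "echo to host behind ICMP-dropping firewall": reply_to(Host(), echo, path_drops_icmp=True),
    }
    return {label: infer(r) for label, r in cases.items()}


if __name__ == "__main__":
    for label, conclusion in scenarios().items():
        print(f"{label:45} -> {conclusion}")
```

The two rows that come out identical ("DROP (stealth)" and "no host, ICMP filtered on path") are Walter's point; the rows that differ only because an ICMP 3/x or RST came back are Volker's.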
Re: Ok to let all ICMP traffic through firewall?
on 26.09.2005 12:18:22 by abuse
Art wrote:
[...]
> Speaking of pinging:
> http://www.worldnetdaily.com/news/article.asp?ARTICLE_ID=46501
Where does it say that the NSA's patent requires ICMP pings?
Without reading the patent, I'd put money on it using all forms of IP
traffic rather than just a specific protocol.
--
PGP key ID E85DC776 - finger abuse@mooli.org.uk for full key
/:.*posting.google.com.*/HX-Trace:+j
Re: Ok to let all ICMP traffic through firewall?
on 29.09.2005 22:21:51 by bellyup
Peter Boosten wrote:
> In comp.security.firewalls Mark wrote:
>> Yes it is, ever heard of PING NMAP?
>>
>> Google it and security and firewalls.
>
> or PING of Death?
My (hazy) memory seems to recall that the POD only affected the stack on
certain Win95 clients.
E.
Re: Ok to let all ICMP traffic through firewall?
on 29.09.2005 22:47:16 by bellyup
Mike Civil wrote:
> In article ,
> Leythos wrote:
>> Errors are not fixed by ICMP and are not going to cause a failure in
>> communications. You can still get the data.
>
> What the hell are you talking about, or are you being deliberately
> obtuse? At some time in the future your company may be in a position
> where data isn't getting through because of a problem in the intervening
> path, and the only way an intermediate device can advise you of the
> reason is by sending ICMP. Which it sounds like you are filtering out.
>
> Mike
A problem with an upstream route or router is in what is called an SEP
field: Someone Else's Problem. There is no way you could do anything
yourself to fix it as you don't have access. I have been in exactly the
situation you describe (random routing dropouts in a VPN path) and the
SEP rule applied. The solution was to contact the ISP that owned the box
(the E in SEP) and have them fix it.
The cause in this instance was a box on the border of 2 network types
(ADSL and VDSL) stopping routing properly between the 2 networks
whenever a techo from the VDSL backbone provider logged in to it.
The diagnosis for this obviously required echo replies back in. Also
having traceroute data for the path most traffic would take under normal
circumstances recorded to enable future diags. I basically rang the ISP
involved and said traffic from A to B is failing between boxes X and Y.
My understanding of Leythos' statements is that ICMP is allowed between
those he trusts, outbound is allowed, but unsolicited inbound from every
other sod on the planet is dropped. Which seems normal to me.
Interestingly enough, after the Welchia-type worms came out, most,
if not all, ISPs blocked pings going into and out of their network
ranges in this country. Tracert is also badly affected, which makes
diagnostics a nightmare at times.
E.
Re: Ok to let all ICMP traffic through firewall?
on 30.09.2005 08:50:56 by Volker Birk
In comp.security.misc E. wrote:
> > or PING of Death?
> My (hazy) memory seems to recall that the POD only affected the stack on
> certain Win95 clients.
This is wrong: http://www.insecure.org/sploits/ping-o-death.html
Yours,
VB.
--
MAC filtering gives as much protection against "hackers" as newsprint
gives against an atomic bomb.
- Christian Forler in de.comp.security.misc
Re: Ok to let all ICMP traffic through firewall?
on 30.09.2005 11:11:56 by bellyup
Volker Birk wrote:
> In comp.security.misc E. wrote:
>>> or PING of Death?
>>
>> My (hazy) memory seems to recall that the POD only affected the stack on
>> certain Win95 clients.
>
> This is wrong: http://www.insecure.org/sploits/ping-o-death.html
>
> Yours,
> VB.
Yup. I did say hazy for a reason... Cheers for the heads-up.
E.
Re: Ok to let all ICMP traffic through firewall?
on 08.10.2005 21:53:40 by Klaus Petrat
On 23 Sep 2005 12:27:46 +0200, Volker Birk wrote:
>In comp.security.firewalls Franklin wrote:
>> My question is Should a firewall let all ICMP traffic through because
>> there is no real risk if they do?
>
>It does not need to let _all_ ICMP traffic through. But it would be a
>good idea not to deny every ICMP traffic.
>
>It is a good idea to allow at least ICMP messages of the
>types 0, 3, 4, 8, 11, 12, see RFC 792.
Since you strongly recommend the XP built-in firewall, which
connections do you mean? In this XP firewall there are no numbers,
but only text explanations.
Klaas
Re: Ok to let all ICMP traffic through firewall?
on 08.10.2005 23:32:48 by Volker Birk
Klaus Petrat wrote:
> >In comp.security.firewalls Franklin wrote:
> >> My question is Should a firewall let all ICMP traffic through because
> >> there is no real risk if they do?
> >It does not need to let _all_ ICMP traffic through. But it would be a
> >good idea not to deny every ICMP traffic.
> >It is a good idea to allow at least ICMP messages of the
> >types 0, 3, 4, 8, 11, 12, see RFC 792.
> Since you strongly recommend the XP built-in firewall, which
> connections do you mean? In this XP firewall there are no numbers,
> but only text explanations.
I'm recommending the Windows Firewall before using some "Personal Firewall"
with extra security flaws. Unfortunately, the Windows Firewall has some
flaws, too. They're not security related, though. For example, the Windows
Firewall does DROP instead of REJECT if you send SYN to a closed port.
To know which type of ICMP message means what, just read RFC 792, please.
You can find it here: http://www.rfc-editor.org
You can find the related documentation for the Windows Firewall here:
http://msdn.microsoft.com/library/en-us/xpehelp/html/xeconconfiguringicmpsettingsinwindowsfirewall.asp
Yours,
VB.
--
If class libraries are compared to animals, MFC is the slime-warts toad.
Re: Ok to let all ICMP traffic through firewall?
on 09.10.2005 01:38:55 by Quaestor
Klaus Petrat wrote:
>On 23 Sep 2005 12:27:46 +0200, Volker Birk wrote:
>>In comp.security.firewalls Franklin wrote:
>>>My question is Should a firewall let all ICMP traffic through because
>>>there is no real risk if they do?
>>It does not need to let _all_ ICMP traffic through. But it would be a
>>good idea not to deny every ICMP traffic.
>>
>>It is a good idea to allow at least ICMP messages of the
>>types 0, 3, 4, 8, 11, 12, see RFC 792.
>
>Since you strongly recommend the XP built-in firewall, which
>connections do you mean? In this XP firewall there are no numbers,
>but only text explanations.
Don't use it. It does no good.
--
Godwin is a net-nazi
Re: Ok to let all ICMP traffic through firewall?
on 09.10.2005 07:40:59 by Volker Birk
Quaestor wrote:
> >Since you strongly recommend the XP built-in firewall, which
> >connections do you mean? In this XP firewall there are no numbers,
> >but only text explanations.
> Don't use it. It does no good.
Hm... just the same nonsense without any reasons or arguments.
"Leythos", did you change your nickname?
VB.
--
If class libraries are compared to animals, MFC is the slime-warts toad.
Re: Ok to let all ICMP traffic through firewall?
on 09.10.2005 14:56:02 by unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
on 09.10.2005 19:22:09 by jameshanley39
Klaus Petrat wrote:
> On 23 Sep 2005 12:27:46 +0200, Volker Birk wrote:
>
> >In comp.security.firewalls Franklin wrote:
> >> My question is Should a firewall let all ICMP traffic through because
> >> there is no real risk if they do?
> >
> >It does not need to let _all_ ICMP traffic through. But it would be a
> >good idea not to deny every ICMP traffic.
> >
> >It is a good idea to allow at least ICMP messages of the
> >types 0, 3, 4, 8, 11, 12, see RFC 792.
>
> Since you strongly recommend the XP built-in firewall, which
> connections do you mean? In this XP firewall there are no numbers,
> but only text explanations.
>
> Klaas
Most people that talk about blocking a specific type of ICMP message
are very technical and probably don't use Windows; I'm sure they have a
Unix-based system and their firewall is a standard Unix one which has
advanced packet filtering (iptables?). They'd be using Unix. And/or
perhaps a quality HW firewall like Checkpoint or Watchguard (I don't
know if those HW firewalls let you do advanced filtering but they
probably do). A Windows firewall with advanced filtering would
certainly let you. But I wonder how many have advanced filtering.
Amazingly, it seems that the Windows Firewall *does* actually let you
choose specific types of ICMP message to allow or block. I am not an
expert; in fact the next chapter of the 2 books that I'm reading is
titled ICMP, and I haven't started that chapter in those books yet.
Anyhow, let's see RFC 792, which describes ICMP.
ICMP has a code field and a type field. Both have values. VB referred to
the Type field.
--- ignore these codes, he only referred to type
Code
0 = net unreachable;
1 = host unreachable;
2 = protocol unreachable;
3 = port unreachable;
4 = fragmentation needed and DF set;
5 = source route failed.
--
code and type are different fields of ICMP
Here are Types
Summary of Message Types
0 Echo Reply
3 Destination Unreachable
4 Source Quench
5 Redirect
8 Echo
11 Time Exceeded
12 Parameter Problem
13 Timestamp
14 Timestamp Reply
15 Information Request
16 Information Reply
OK. So now you can go to the Windows Firewall and go to the Advanced
tab. And far away from Connection settings (we don't want Connection
settings, that is for TCP and UDP).
See ICMP settings.
Click there, and you can see the textual descriptions and look at the
list pasted in here by myself from RFC 792, and block or allow what you
want.
But I warn you! It doesn't look so smart to do so if you don't know
what you're doing. I don't know either. And until I study ICMP, I'm
not going to touch it.
It's really very rare for a ping attack. Long ago there was a ping of
death exploit, but I don't think that caused a buffer overflow, so it
just took the target computer down; I don't think it gave the cracker
control.
Don't worry about people pinging you!
When I do study ICMP, I may try blocking or allowing different types
*for fun* just to see what errors I get and learn how ICMP works.
Don't mess with settings like this, it's not worth it. Not unless you
know how it works. And it won't give you much benefit either. This
thread is basically advanced ppl talking to advanced ppl!! By advanced,
it's for real techies, and a prerequisite is knowing the ISO OSI
layers, knowing TCP/IP.
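The type and code structure listed in the post above, worked through as an added Python example (not code from the post, from RFC 792 or from any firewall product): it parses a raw ICMP header, checks the RFC 1071 one's-complement checksum, names the type and the type 3 code using the RFC 792 values the post lists, and applies the allow list of types 0, 3, 4, 8, 11, 12 that Volker Birk recommended earlier in the thread. The function names, the build_icmp helper and the sample messages are constructed for the example.

```python
"""Parse an ICMP header and apply a type-based allow list (added example)."""
import struct

# Message types from RFC 792 (the list quoted in the thread).
ICMP_TYPES = {
    0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
    5: "Redirect", 8: "Echo", 11: "Time Exceeded", 12: "Parameter Problem",
    13: "Timestamp", 14: "Timestamp Reply", 15: "Information Request",
    16: "Information Reply",
}

# Codes of type 3 from RFC 792; a code is only meaningful within its type.
UNREACHABLE_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed and DF set",
    5: "source route failed",
}

# The allow list recommended in the thread: types 0, 3, 4, 8, 11, 12.
ALLOWED_TYPES = {0, 3, 4, 8, 11, 12}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, odd length zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(packet: bytes) -> dict:
    """Split an ICMP message into type, code, checksum validity and payload."""
    if len(packet) < 8:
        raise ValueError("ICMP header is at least 8 bytes")
    icmp_type, code, checksum = struct.unpack("!BBH", packet[:4])
    # Recompute over the message with the checksum field zeroed; a valid
    # message gives back the stored value.
    zeroed = packet[:2] + b"\x00\x00" + packet[4:]
    return {
        "type": icmp_type,
        "code": code,
        "type_name": ICMP_TYPES.get(icmp_type, "unassigned/other"),
        "code_name": UNREACHABLE_CODES.get(code, "") if icmp_type == 3 else "",
        "checksum_ok": icmp_checksum(zeroed) == checksum,
        "payload": packet[8:],
    }


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00\x00\x00\x00",
               payload: bytes = b"") -> bytes:
    """Assemble an ICMP message with a correct checksum (constructs the samples)."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest
    checksum = icmp_checksum(header + payload)
    return struct.pack("!BBH", icmp_type, code, checksum) + rest + payload


def filter_decision(packet: bytes) -> str:
    """Return 'allow' or 'drop' for one inbound ICMP message under the allow list."""
    info = parse_icmp(packet)
    if not info["checksum_ok"]:
        return "drop"          # corrupted or malformed header: never act on it
    if info["type"] in ALLOWED_TYPES:
        return "allow"
    return "drop"              # e.g. type 5 Redirect, type 13 Timestamp


if __name__ == "__main__":
    # Constructed sample messages, one per interesting case.
    samples = {
        "echo request": build_icmp(8, 0, b"\x12\x34\x00\x01", b"constructed"),
        "port unreachable": build_icmp(3, 3),
        "redirect": build_icmp(5, 1),
        "timestamp": build_icmp(13, 0, b"\x00\x00\x00\x00" + bytes(12)),
    }
    for name, pkt in samples.items():
        info = parse_icmp(pkt)
        print(f"{name:18} type {info['type']:2} ({info['type_name']}) code {info['code']} "
              f"checksum_ok={info['checksum_ok']} -> {filter_decision(pkt)}")
```

The decision is made on the type alone, which is all the Windows Firewall dialogue the post describes lets you choose; a filter that also wanted to restrict codes (as Moe Trin describes later for type 3) would test `info["code"]` inside the type 3 branch.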
Re: Ok to let all ICMP traffic through firewall?
on 10.10.2005 00:52:59 by Klaus Petrat
On 9 Oct 2005 10:22:09 -0700, jameshanley39@yahoo.co.uk wrote:
> Details about ICMP
Thank you for the additional information. My problem now is that during
an evening I face several interruptions of my connection to the
internet. These problems began, I think, when I switched on the XP
firewall. So I assumed that my provider sends messages like a ping to
see if my PC is still online. So I switched nearly all ICMP options
on, but it didn't help. The following ICMP options are marked now as
accepted:
- Eingehende Echoanforderungen zulassen
Is it Echo or is it Echo Reply?
- Nicht verfügbares ausgehendes Ziel zulassen
Destination Unreachable?
- Ausgehende Zeitüberschreitung zulassen
Time Exceeded?
- Ausgehendes Parameterproblem zulassen
Parameter Problem?
My Windows is a German version, so I have only the German texts of the
options available, sorry.
Klaas
Re: Ok to let all ICMP traffic through firewall?
on 10.10.2005 04:07:29 by jameshanley39
Klaus Petrat wrote:
> On 9 Oct 2005 10:22:09 -0700, jameshanley39@yahoo.co.uk wrote:
>
> > Details about ICMP
>
> Thank you for the additional information. My problem now is that during
> an evening I face several interruptions of my connection to the
> internet. These problems began, I think, when I switched on the XP
> firewall. So I assumed that my provider sends messages like a ping to
> see if my PC is still online. So I switched nearly all ICMP options
> on, but it didn't help. The following ICMP options are marked now as
> accepted:
>
> - Eingehende Echoanforderungen zulassen
> Is it Echo or is it Echo Reply?
> - Nicht verfügbares ausgehendes Ziel zulassen
> Destination Unreachable?
> - Ausgehende Zeitüberschreitung zulassen
> Time Exceeded?
> - Ausgehendes Parameterproblem zulassen
> Parameter Problem?
>
> My Windows is a German version, so I have only the German texts of the
> options available, sorry.
>
> Klaas
ISP interruptions of service, probably nothing whatsoever to do with
ICMP.
And I would be surprised if there is that link you say, that when the
Windows Firewall is on you have problems.
You could try turning the Windows Firewall off and see if you still have
problems, but that can possibly be a bit of a security hazard. You
could try a different personal firewall, or shut down any Windows
services listening on 0.0.0.0 (netstat -an will list services).
Actually, if you're behind a home router, you can turn off the Windows
Firewall and you'll certainly be fine.
Do Start..Run..cmd and type ipconfig, and see what IP address it
gives you. If it's like 192.168.0.1 then you're behind a home router,
so it's not so bad to turn off the Windows Firewall.
I think your diagnosis that the Windows Firewall being on causes
problems might be a misdiagnosis. Maybe your ISP is just bad.
The key test of your diagnosis is to try without the Windows Firewall.
Your diagnosis isn't really a diagnosis, because you just think you've
found a link between one thing and another thing (Windows Firewall and
interruptions). You haven't really tested it (tried running without the
Windows Firewall). And you know of no reason (ICMP theory is not it)
why the Windows Firewall being on would cause interruption problems.
Bad firewall settings don't cause interruption problems. They either
block or allow; no temperamental behaviour there. And firewalls that
don't work don't disconnect you, especially not temperamentally.
Do you have a router? Maybe it's faulty. It could be the router is
bad. Though usually routers have to be turned off and on to fix their
temperamental problems. If you just get an interruption temporarily,
that is strange. Maybe you should investigate what you mean by an
interruption: whether you're completely knocked off the internet,
whether you have an IP from your 'home router', etc. What the
symptoms of the interruption are.
Re: Ok to let all ICMP traffic through firewall?
on 10.10.2005 09:04:09 by Volker Birk
Klaus Petrat wrote:
> My problem now is that during
> an evening I face several interruptions of my connection to the
> internet. These problems began, I think, when I switched on the XP
> firewall. So I assumed that my provider sends messages like a ping to
> see if my PC is still online.
I don't think so.
> - Eingehende Echoanforderungen zulassen
> Is it Echo or is it Echo Reply?
It is allowing echo and sending echo reply afterwards.
> - Nicht verfügbares ausgehendes Ziel zulassen
> Destination Unreachable?
Yes.
> - Ausgehende Zeitüberschreitung zulassen
> Time Exceeded?
Yes.
> - Ausgehendes Parameterproblem zulassen
> Parameter Problem?
Yes.
Yours,
VB.
--
If class libraries are compared to animals, MFC is the slime-warts toad.
Re: Ok to let all ICMP traffic through firewall?
on 10.10.2005 09:05:11 by Volker Birk
jameshanley39@yahoo.co.uk wrote:
> You could try turning the Windows Firewall off and see if you still have
> problems, but that can possibly be a bit of a security hazard.
Yes. Before doing this, the OP could use www.dingens.org to stop offering
services.
Yours,
VB.
--
If class libraries are compared to animals, MFC is the slime-warts toad.
Re: Ok to let all ICMP traffic through firewall?
on 10.10.2005 21:07:47 by jameshanley39
Volker Birk wrote:
> jameshanley39@yahoo.co.uk wrote:
> > You could try turning the Windows Firewall off and see if you still have
> > problems, but that can possibly be a bit of a security hazard.
>
> Yes. Before doing this, the OP could use www.dingens.org to stop offering
> services.
>
There are side effects though. I vaguely recall running that, then at
one point, trying to start the Windows Firewall - expecting the screen
to just come up - and it started loading something. It's not really
clear, for each service, what that program does to disable it. There
are side effects. Many services can be disabled with no side effects,
via Administrative Tools. So, what other services are there? There
can't be many.
Also, I didn't notice a restore option in that program at the time I
used it.
Say I were to manually disable the Messenger service, and UPnP, and
disable file and print sharing (port 139), and what other services
are there listening on 0.0.0.0? I guess there's NBTSTAT maybe (135),
but I don't know how to disable that one. It'd be better to turn these
off manually if possible. Or for the program to say exactly how it has
disabled the service, and what side effects there are.
There can only be a handful of services that cannot be easily disabled
manually. No reason for a whole program to do them and not list details
or even services running that it is disabling.
I think it's better for the user to just be educated on what services
cannot be turned off manually, and they just run a script that does
some registry hacks and warns of the side effects.
Steve Gibson wound me up with his "Shoot the Messenger" and his
program to disable Plug and Play. When these can be easily disabled in
Windows. How many services are left that Windows runs and cannot be
disabled easily?!
Re: Ok to let all ICMP traffic through firewall?
on 10.10.2005 21:48:21 by Volker Birk
jameshanley39@yahoo.co.uk wrote:
> Volker Birk wrote:
> > jameshanley39@yahoo.co.uk wrote:
> > > You could try turning the Windows Firewall off and see if you still have
> > > problems, but that can possibly be a bit of a security hazard.
> > Yes. Before doing this, the OP could use www.dingens.org to stop offering
> > services.
> There are side effects though. I vaguely recall running that, then at
> one point, trying to start the Windows Firewall - expecting the screen
> to just come up - and it started loading something. It's not really
> clear, for each service, what that program does to disable it.
If you're using the Windows Firewall, you don't need this program.
Just start it again, and choose the lowest point - afterwards, your
system is configured like it was before.
"Shutdown Windows' servers" is shutting down services, too, which are
needed by the Windows Firewall.
If you want to know, what "Shutdown Windows' servers" does exactly, you
could read the source code. You can download it at:
http://www.dingens.org/win32sec-en-src.zip
The program does just the same as Torsten's script in version 2.1, though.
So you can download Torsten's script, too, and just read the commands
Torsten is executing. They're usual Windows commands, you can enter at
the command processor's prompt.
> There
> are side effects. Many services can be disabled with no side effects,
> via Administrative Tools. So, what other services are there? There
> can't be many.
Unfortunately, there are some. Especially, stopping Windows from offering
DCE RPC and DCOM over DCE RPC (and SMB name services and so on) at all
requires some registry configuration.
I would be happy if Microsoft could fix that.
> Also, I didn't notice a restore option in that program at the time I
> used it.
Just start it again, and choose the lowest point again (named "unsecure").
This is the restore functionality. The text of this point changes to
"restore" ;-)
> Say I were to manually disable the Messenger service, and UPnP, and
> disable file and print sharing (port 139), and what other services
> are there listening on 0.0.0.0? I guess there's NBTSTAT maybe (135),
> but I don't know how to disable that one.
The latter is done by configuring the registry, together with configuring
DCOM and RPC.
> There can onyl be a handful of services that cannot be easily disabled
> manually.
Yes.
> No reason for a whole program to do them and not list details
> or even services running that it is disabling.
Yes. Better use Torsten's script, please. You can modify and adapt it for
your needs. "Shutdown Windows' servers" is there only because I wanted
to offer this possibility for people, too, who don't feel comfortable
with black windows and grey text ;-)
For people like you, who are interested in what's going on exactly, but
perhaps are no C programmers, Torsten's script is the much better
choice:
http://ntsvcfg.de/ntsvcfg_eng.html
> I think it's better for the user to just be educated on what services
> cannot be turned off manually, and they just run a script that does
> some registry hacks and warns of the side effects.
Yes. I think so. I'm offering "Shutdown Windows' servers" as an
addition to it, as a "one-click solution".
Yours,
VB.
--
"I am a free person and will now make use of my civil liberties - and
extensively so - of course only within the limits that Otto Schily still
leaves me."
Wolfgang Clement on 10.10.05, while still Super-Minister
Re: Ok to let all ICMP traffic through firewall?
on 10.10.2005 21:51:55 by ibuprofin
In the Usenet newsgroup comp.security.firewalls, in article
<1128878529.786005.302000@o13g2000cwo.googlegroups.com>,
jameshanley39@yahoo.co.uk wrote:
>> Volker Birk wrote:
>>> It is a good idea to allow at least ICMP messages of the
>>> types 0, 3, 4, 8, 11, 12, see RFC 792.
Disagree. A lot depends on your threat model - what are you doing,
and what are you trying to protect against. Where I work, types 8
in and 0 out are not allowed at the perimeter, and neither 0 nor 8
are allowed through the internal routers (though all hosts on a
given sub-net can ping and will respond to pings). Only a limited
number of codes (below) of type 3 are allowed. My home LAN is set
up in similar fashion. But what works for me may not be what you need
or desire, and vice versa.
>Most people that talk about blocking a specific type of ICMP message
>are very technical and probably don't use Windows; I'm sure they have a
>Unix-based system and their firewall is a standard Unix one which has
>advanced packet filtering (iptables?).
Two minor nits - "UNIX" is a registered trademark of The Open Group.
"iptables" is the current user interface to the netfilter firewall that
is part of the Linux kernel. Two other older interfaces (ipfwadm and
IPCHAINS) also exist and are occasionally used, but Linux is (and the
various BSDs are) often described as "UNIX like" or (incorrectly) "UNIX
clones" but are not licensed to use the tradename UNIX to describe the
O/S. Other O/S such as the BSDs and the several registered UNIX
operating systems have firewalls, but don't use 'iptables'.
>ICMP has a code field and a type field. Both have values. VB referred to
>the Type field.
The 'code' is a sub-part of the type - and varies between the various
types. Code 1 in type 3 has nothing to do with code 1 in type 11.
You should also note that firewall logs often list the 'Type' number
in the spot where TCP and UDP would list the 'source' port number (ICMP
does not have ports), and the 'Code' number where the 'destination' port
number would be listed. This is done only because they don't bother
changing the log headings. It's a logging function only, and has no
effect on operation.
>--- ignore these codes, he only referred to type
> Code
Those are six of the 16 defined codes applicable to Type 3 (Destination
Unreachable).
>Here are Types
That's 11 of the 27 defined types. RFC0792 describes ICMP, but a
number of other documents have added more types and codes in the 24
years since RFC0792 was written. See
http://www.iana.org/assignments/icmp-parameters
Old guy
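The logging convention Moe Trin describes above, with the ICMP type written into the source-port column and the code into the destination-port column, as an added Python example; it is not code from the post or from any particular firewall product. The space-separated log format and the log lines are constructed for the example, the code names come from RFC 792, and the lookup is keyed by (type, code) because, as the post says, code 1 under type 3 and code 1 under type 11 mean different things.

```python
"""Read ICMP type/code out of firewall log lines that reuse the port
columns, and summarise what the filter saw (added example)."""
from collections import Counter

# Per-type code meanings from RFC 792. Keyed by (type, code) because the
# same code number means something different under another type.
CODE_NAMES = {
    (3, 0): "net unreachable", (3, 1): "host unreachable",
    (3, 2): "protocol unreachable", (3, 3): "port unreachable",
    (3, 4): "fragmentation needed and DF set", (3, 5): "source route failed",
    (11, 0): "time to live exceeded in transit",
    (11, 1): "fragment reassembly time exceeded",
}

# Constructed sample lines in a hypothetical space-separated format:
#   <date> <time> <action> <proto> <src-ip> <dst-ip> <src-port> <dst-port>
# For ICMP the logger puts the type in the src-port column and the code in
# the dst-port column without changing the headings, as the post describes.
SAMPLE_LOG = """\
2005-10-10 21:51:55 DROP TCP 198.51.100.23 192.0.2.10 41234 445
2005-10-10 21:51:56 DROP ICMP 198.51.100.23 192.0.2.10 8 0
2005-10-10 21:51:57 ACCEPT ICMP 203.0.113.1 192.0.2.10 3 1
2005-10-10 21:51:58 ACCEPT ICMP 203.0.113.1 192.0.2.10 11 1
2005-10-10 21:51:59 ACCEPT ICMP 203.0.113.1 192.0.2.10 3 3
2005-10-10 21:52:00 DROP UDP 198.51.100.23 192.0.2.10 53412 137
"""


def parse_line(line: str) -> dict:
    """Split one log line; relabel the two port columns when the protocol is ICMP."""
    date, time, action, proto, src, dst, col7, col8 = line.split()
    rec = {"when": f"{date} {time}", "action": action, "proto": proto,
           "src": src, "dst": dst}
    if proto == "ICMP":
        icmp_type, code = int(col7), int(col8)
        rec["icmp_type"], rec["icmp_code"] = icmp_type, code
        rec["meaning"] = CODE_NAMES.get((icmp_type, code),
                                        f"type {icmp_type} code {code}")
    else:
        rec["sport"], rec["dport"] = int(col7), int(col8)
    return rec


def parse_log(text: str) -> list:
    """Parse every non-empty line of a log in the format above."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def icmp_summary(records: list) -> Counter:
    """Count ICMP messages by (action, type, code): a quick view of what was let in."""
    return Counter((r["action"], r["icmp_type"], r["icmp_code"])
                   for r in records if r["proto"] == "ICMP")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        if r["proto"] == "ICMP":
            print(f'{r["when"]} {r["action"]:6} ICMP {r["src"]} -> {r["dst"]}: {r["meaning"]}')
        else:
            print(f'{r["when"]} {r["action"]:6} {r["proto"]} {r["src"]}:{r["sport"]} '
                  f'-> {r["dst"]}:{r["dport"]}')
    print(icmp_summary(recs))
```

Without the relabelling step, the two ACCEPT lines with a 1 in the last column would both read as "destination port 1", and the difference between a host-unreachable report and a fragment-reassembly timeout would be lost in any summary built on the raw columns.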
Re: Ok to let all ICMP traffic through firewall?
on 10.10.2005 22:55:51 by Volker Birk
Moe Trin wrote:
[ICMP]
> Where I work, types 8
> in and 0 out are not allowed at the perimeter and neither 0 or 8
> are allowed through the internal routers (though all hosts on a
> given sub-net can ping and will respond to pings).
What's your problem with ToS and echo?
Yours,
VB.
--
"I am a free person and will now make use of my civil liberties - and
extensively so - of course only within the limits that Otto Schily still
leaves me."
Wolfgang Clement on 10.10.05, while still Super-Minister
Re: Ok to let all ICMP traffic through firewall?
am 10.10.2005 22:57:01 von unknown
Post removed (X-No-Archive: yes)
Re: Ok to let all ICMP traffic through firewall?
am 10.10.2005 23:27:32 von Klaus Petrat
On 9 Oct 2005 19:07:29 -0700, jameshanley39@yahoo.co.uk wrote:
>ISP interruptions of service, probably nothing whatsoever to do with
>ICMP.
My ISP promised to check the ISDN line in the meantime.
>and I would be surprised if there is that link you say. That when the
>windows firewall is on you have problems.
>
>you could try turning the windows firewall off, see if you still have
>problems. but that can possibly be a bit of a security hazard.
Life is boring so I take a risk from time to time. I switched my XP
firewall off and did tests against pcflank and Shields Up. Both sides
report that my pc is visible now and all ports are closed, but not
in stealth mode. No port is reported as open. I should use a
firewall. - I ran TCPview in parallel, so I knew what ports had been
open, and I checked these ports again against Shields Up, but they
reported them as 'Closed'.
A report from shields up was:
Solicited TCP Packets: RECEIVED (FAILED) - As detailed in the port
report below, one or more of your system's ports actively responded to
our deliberate attempts to establish a connection. It is generally
possible to increase your system's security by hiding it from the
probes of potentially hostile hackers.
As I said above, all ports were reported as closed, but not stealth.
As I understand it, closed ports shouldn't be a severe risk, should
they? How can they make a connection via a closed port? Wondering.
>You
>could try a different personal firewall. or shutdown any windows
>services listening on 0.0.0.0 (netstat -an will list services).
The only process listening on 0.0.0.0 was alg.exe and that is the
firewall of XP. For the tests described above I switched it off.
>Actually, if you're behind a home router, you can turn off the windows
>firewall and you'll certainly be fine.
I'm afraid, but I'm not behind a router. For different reasons I have
to rely on the pc alone.
>... If you just get an interruption temporarily,
>that is strange. Maybe you should investigate what you mean by an
>interruption, whether you're completely knocked off the internet,
>whether you have an ip from your 'home router', etc., what the
>symptoms of the interruption are.
My pc gets completely disconnected from the internet from time to
time. The only thing I changed was that I started the XP firewall. So I
assumed the XP firewall might be the reason. But now I again had a
disconnected pc without the XP firewall, so there have to be other
reasons.
Klaas
Re: Ok to let all ICMP traffic through firewall?
am 11.10.2005 05:02:14 von jameshanley39
Klaus Petrat wrote:
> On 9 Oct 2005 19:07:29 -0700, jameshanley39@yahoo.co.uk wrote:
>
> >ISP interruptions of service, probably nothing whatsoever to do with
> >ICMP.
>
> My ISP promised to check the ISDN line in the meantime.
>
> >and I would be surprised if there is that link you say. That when the
> >windows firewall is on you have problems.
> >
> >you could try turning the windows firewall off, see if you still have
> >problems. but that can possibly be a bit of a security hazard.
>
> Life is boring so I take a risk from time to time. I switched my XP
> firewall off and did tests against pcflank and Shields Up. Both sides
> report that my pc is visible now and all ports are closed, but not
> in stealth mode. No port is reported as open.
Then they are closed. The port is 100% secure. No server application
is listening there. Nothing to be exploited.
> I should use a firewall.
If all ports are closed, you have no ports, so nothing that needs
protecting.
But you could use a firewall anyway, just in case you do decide to start
a service, or you inadvertently start one.
> - I ran TCPview in parallel, so I knew what ports had been open,
> and I checked these ports again against Shields Up, but they reported
> them as 'Closed'.
That is good.
> A report from shields up was:
> Solicited TCP Packets: RECEIVED (FAILED) - As detailed in the port
> report below, one or more of your system's ports actively responded to
> our deliberate attempts to establish a connection. It is generally
> possible to increase your system's security by hiding it from the
> probes of potentially hostile hackers.
Many posts have dealt with this issue.
Gibson is a liar; his philosophy is to spread disinformation and obfuscate
technical knowledge. This way he protects the wider community by
keeping everybody ignorant. He also likes to keep people dependent on
him. Look carefully at his site and you'll see it's written by a
marketer. Steve Gibson is a marketer. He knows his stuff and is
intentionally lying. He has admitted to spreading a disinformation
campaign (his own words). There is an audio file online with him
admitting it:
http://grcsucks.com/
He calls packets 'nanoprobes', just obfuscating everything. Pretends
he's invented new technologies.
45:15 (minutes:seconds)
"I set up a deliberate disinformation campaign from the beginning"
http://www.vpwsys.net/download/grc_low.wma (see 45:15 into that file)
> As I said above, all ports were reported as closed, but not stealth.
> As I understand it, closed ports shouldn't be a severe risk, didn't
> they? How can they make a connection via a closed port? Wondering.
They can't. So it's safe.
To my limited knowledge, stealth just means that the port doesn't
respond to say that it is closed. Yet it'd do no harm if it did.
Stealth doesn't hide the computer at all. The IP is still there.
Try www.whatismyip.com
> >You
> >could try a different personal firewall. or shutdown any windows
> >services listening on 0.0.0.0 (netstat -an will list services).
>
> The only process listening to 0.0.0.0 was alg.exe and that is the fire
> wall of XP. For the tests described above I switched it off.
If it were listening on 0.0.0.0 then it'd be a problem. But fortunately
you're misreading it. In the remote port column, the 0.0.0.0 just
means that nobody is connected to it. It's not listening on 0.0.0.0.
In the local column, 0.0.0.0 would mean anybody can connect.
The windows firewall alg.exe - see the local column - is listening on
127.0.0.1, which I don't fully understand, but it sort of means that
only your computer can connect to it. And that connection won't even
pass through your NIC. It's called a loopback address. So that's safe.
As would be an address like 192.168.0.1, because that means that the
connection is open to any other computer on your LAN (it would of course
pass through the NIC). For someone like you who doesn't want any services
open to the public, 0.0.0.0 in the local column is a problem / issue.
> >Actually, if you're behind a home router, you can turn off the windows
> >firewall and you'll certainly be fine.
>
> I'm afraid, but I'm not behind a router. For different reasons I have
> to rely on the pc alone.
Well, even with no services running, if a website exploits your web
browser and installs something, it can make an outgoing connection and
transfer data out. And all that time you won't have been running any
services. Safer to not use IE. Fortunately, most of these progs are
just stupid advertising things. But if you have a real reason to be
worried about being targeted by a professional, then the safest thing to
do is to keep any important data stored on a computer that doesn't have
an internet connection. I don't really know much about securing myself
from a serious hacker!
> >... If you just get an interruption temporarily,
> >that is strange. Maybe you should investigate what you mean by an
> >interruption, whether you're completely knocked off the internet,
> >whether you have an ip from your 'home router', etc., what the
> >symptoms of the interruption are.
>
> My pc gets completely disconnected from the internet from time to
> time. The only thing I changed was, I started the XP fire wall. So I
> assumed the XP fire wall might be the reason. But now I had again a
> disconnected pc without the XP fire wall, so there have to be other
> reasons.
Faulty DSL modem? Faulty ISP?
It's easier to change modem than change ISP. So consider exploring that
possibility.
Are you sure you're not behind a router? Either way, it doesn't matter.
The router or modem or router/modem may be faulty.
It's hard to have DSL and not be behind a router. The only way I know
of is to use a PCI DSL modem card. All the so-called DSL modems I see
are 'home routers'.
Google your ISP: [insert ISP name]+crap. I did that, searched in
usenet and the web and found out what ISPs to avoid. Often when people
complain about an ISP they also post a better one.
Many UK people wrote of moving from the hell of Demon Internet to the
peace of Zen. Some ISPs have a bad reputation for disconnecting customers
from time to time. If you're getting disconnected because of the ISP,
then it's very likely you'll find hundreds of others online with the
same experience. Then you'll know.
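The local-column reading of `netstat -an` that the reply above explains, as an added example rather than anything the poster wrote: it picks out the sockets that are actually waiting for connections, ignores the foreign column (where `0.0.0.0:0` or `*:*` only says nobody is connected), and classifies each by the local address it is bound to. The netstat text is constructed to look like Windows output; addresses and port numbers are made up.

```python
import ipaddress

# Constructed sample of `netstat -an` output on Windows (not a real capture).
# Port numbers and addresses are made up for illustration.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.0.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.0.5:1038       203.0.113.9:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    127.0.0.1:1900         *:*
"""


def exposure(local_ip):
    """Who can reach a socket bound to this local address."""
    addr = ipaddress.ip_address(local_ip)
    if addr.is_unspecified:      # 0.0.0.0: every interface, including the public one
        return "all-interfaces"
    if addr.is_loopback:         # 127.0.0.1: only processes on this machine
        return "loopback-only"
    if addr.is_private:          # 192.168.x.x and friends: the interface facing the LAN
        return "lan-interface"
    return "single-interface"    # bound to one specific (public) address


def listening_sockets(netstat_text):
    """Return (proto, ip, port, exposure) for every socket waiting for traffic.

    A TCP socket counts when its state is LISTENING; a UDP socket has no
    state and counts whenever it is bound. The foreign column is ignored:
    0.0.0.0:0 or *:* there only means nobody is connected, and says nothing
    about which local address the socket is bound to.
    """
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        if proto == "TCP" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue
        ip, _, port = local.rpartition(":")
        found.append((proto, ip, int(port), exposure(ip)))
    return found


def publicly_reachable(netstat_text):
    """The subset a remote host could talk to: anything not bound to loopback."""
    return [s for s in listening_sockets(netstat_text) if s[3] != "loopback-only"]


if __name__ == "__main__":
    for sock in listening_sockets(SAMPLE_NETSTAT):
        print("%-3s %-15s %5d  %s" % sock)
```

Run against the sample, the loopback-bound sockets drop out of `publicly_reachable()` and the ESTABLISHED client connection on port 1038 is never counted as a listener at all. On a real machine, feed it the output of `netstat -an` and compare the remaining list with what an external scan reports.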
Re: Ok to let all ICMP traffic through firewall?
am 11.10.2005 10:03:33 von DevilsPGD
In message <1128999734.849135.188760@g47g2000cwa.googlegroups.com>
jameshanley39@yahoo.co.uk wrote:
>then they are closed. the port is 100% secure. No server application
>is listening there. Nothing to be exploited
That isn't entirely true. There is still an application which receives
the packet and evaluates it to determine how to handle the packet.
It's possible, although relatively unlikely, that there is a bug in the
way your TCP stack implements something at the protocol layer which
could result in a buffer overrun or something similar.
--
"The only British idiom I know is that fag means cigarette."
"Well then tell this cigarette to shut up"
Re: Ok to let all ICMP traffic through firewall?
am 11.10.2005 10:50:13 von Volker Birk
DevilsPGD wrote:
> >then they are closed. the port is 100% secure. No server application
> >is listening there. Nothing to be exploited
> That isn't entirely true.
Oh, yes, it is.
> There is still an application which receives
> the packet and evaluates to it determine how to handle the packet.
No. There is software, though - and without shutting down the interface,
there will remain software which tests this, also with "stealthed"
interfaces.
Yours,
VB.
--
"I am a free man and will now make use of my civil liberties - and
extensively so - of course only within the bounds that Otto Schily
still leaves me."
Wolfgang Clement on 10.10.05, while still "Superminister"
Re: Ok to let all ICMP traffic through firewall?
am 11.10.2005 14:40:34 von jameshanley39
Volker Birk wrote:
> DevilsPGD wrote:
> > >then they are closed. the port is 100% secure. No server application
> > >is listening there. Nothing to be exploited
> > That isn't entirely true.
>
> Oh, yes, it is.
>
> > There is still an application which receives
> > the packet and evaluates to it determine how to handle the packet.
>
> No. There is software, though - and without shutting down the interface,
> there will remain software which tests this, also with "stealthed"
> interfaces.
Ah, so the packets don't just arrive in a buffer for reading by
applications.
Some software passes them to the app?
Is this software's function defined by TCP/IP in any RFC?
I'm guessing perhaps there's another piece of software that reads the
TCP port and passes it to the interface software you refer to.
Wouldn't want to shut that one down!
How can you test whether a port is closed, or whether the whole
interface is shut down?
I'd have thought that if the whole interface was shut down, there'd be
no response, and thus it'd be reported as stealth by an online scanner.
Though no software would be sitting there choosing not to respond.
I will be getting Stevens' TCP/IP book when I'm more advanced. Is this
topic dealt with in there?
Thanks
Re: Ok to let all ICMP traffic through firewall?
am 11.10.2005 15:05:00 von Volker Birk
jameshanley39@yahoo.co.uk wrote:
> Ah, so the packets don't just arrive in a buffer for reading by
> applications.
> Some software passes them to the app?
Yes. This is done by the IP stack software in the operating system's
kernel.
> is this sowftware's function defined by TCP/IP in any RFC?
No. The RFCs mainly are defining protocols and usually not how to
implement them.
There are two common ways for a TCP/IP implementation in the wild, though,
and most of the operating systems are using one of those two. The first
is BSD sockets, the second is called XTI.
With both it is like I described.
Windows uses BSD sockets BTW; Winsock is a derivative of it.
Linux uses a re-implementation of BSD sockets and the BSD socket API.
Solaris and HP-UX, on the other hand, use XTI for example. But both
are offering a BSD socket API today.
http://en.wikipedia.org/wiki/BSD_sockets
http://www.frostbytes.com/~jimf/papers/sockets/sockets.html
http://en.wikipedia.org/wiki/Transport_Layer_Interface
http://www.opengroup.org/bookstore/catalog/x98gv.htm
> How can you test whether a port is closed, or whether the whole
> interface is shut down ?
According to the protocol, sending SYN to a TCP port which is closed
requires sending either TCP RST back, or sending ICMP port unreachable.
Sending anything to an interface which is down does not provoke an
answer from this interface. Instead, one gets an ICMP host not found
or an ICMP network not found from a router before the host.
> I'd have thought that if the whole interface was shut down, there'd be
> no response, and thus it'd be reported as stealth by an online scanner.
No. You will get a "this host does not exist", if the scanner works.
> I will be getting Stevens TCP/IP book when i'm more advanced. Is this
> topic dealt with in there?
Yes, of course it is, if you mean "UNIX Network Programming".
Yours,
VB.
--
"I am a free man and will now make use of my civil liberties - and
extensively so - of course only within the bounds that Otto Schily
still leaves me."
Wolfgang Clement on 10.10.05, while still "Superminister"
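The three outcomes Volker Birk distinguishes above (closed port answers with RST, a dropped probe gets nothing back, an unreachable host draws an ICMP error from a router) are what a TCP connect probe sees as three different errors. The following is an added example, not code from the thread: it classifies a port by the error the OS socket layer surfaces, and demonstrates the closed and open cases against a port it allocates on 127.0.0.1 itself. The timeout value and the use of localhost are assumptions; the filtered and unreachable branches can only be exercised against a real remote target.

```python
import errno
import socket


def probe_tcp_port(host, port, timeout=2.0):
    """Classify a TCP port the way a connect scan sees it.

    open        - the three-way handshake completed (something is listening)
    closed      - the host answered with TCP RST, surfaced as ECONNREFUSED
    filtered    - nothing came back before the timeout: a firewall silently
                  dropped the SYN, the "stealth" behaviour discussed here
    unreachable - a router answered with ICMP host/network unreachable
                  instead of the host, e.g. because the interface is down
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        s.close()


def free_local_port():
    """Ask the kernel for an unused port on loopback, then release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe_local_demo():
    """Probe one loopback port twice: with nothing listening, then with a listener."""
    port = free_local_port()
    # Nothing bound: the local stack answers the SYN with RST -> "closed".
    result_closed = probe_tcp_port("127.0.0.1", port)
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", port))
    listener.listen(1)
    try:
        # Now the handshake completes -> "open".
        result_open = probe_tcp_port("127.0.0.1", port)
    finally:
        listener.close()
    return result_closed, result_open


if __name__ == "__main__":
    closed, opened = probe_local_demo()
    print("no listener: %s, with listener: %s" % (closed, opened))
```

Note what "filtered" really tells you: not that the host is absent, but that something on the path chose not to answer within the timeout. That is exactly why a scanner reports a silently dropping host as "stealth" while a host whose interface is actually down would, as Volker says, produce an ICMP error from the router in front of it.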
Re: Ok to let all ICMP traffic through firewall?
am 11.10.2005 22:01:04 von ibuprofin
In the Usenet newsgroup comp.security.firewalls, in article
<434ad557@news.uni-ulm.de>, Volker Birk wrote:
>Moe Trin wrote:
>> Where I work, types 8 in and 0 out are not allowed at the perimeter
>> and neither 0 or 8 are allowed through the internal routers (though
>> all hosts on a given sub-net can ping and will respond to pings).
>What's your problem with ToS and echo?
I don't set corporate policy - but ping inbound is blocked at the
perimeter to prevent system mapping - seems we'd prefer people not to
know our layout because they have no demonstrable need for that.
Blocking at the internal routers is for the same reason. I don't
know about your setup, but our users are not responsible for diagnosing
network problems, and very few of them have administrative (root)
privileges, so even if they discovered the cause of a problem, they
can't do a thing about it - other than pass the word to the hell desk.
Are they having problems? Fine, can they ping the gateway at $BROADCAST-1
or -2? If they can, can they resolve the hostname of something local?
The DNS servers are not on each subnet - so resolving says they can get
through a router. That being the case, the problem isn't their system,
and our NOC people will handle it. As the network is monitored, we may
well know about it already anyway. Having at least five neurons, our
NOC people know how to use other tools besides ping to evaluate network
connectivity. Remember - our users don't have root, so they can't fsck
up their own systems, never mind others. They can't install stuff, so
that prevents a lot of problems too.
ToS? I can't readily find the document, but we did a study of ICMP types
and decided that only types 3 and 11 were needed (we don't run IPv6 yet,
and the others are either obsolete, not applicable, or not used). If I
recall correctly, we _used_ to allow type 4, but stopped using it after
a DoS attack - TCP window size is usually adequate instead. Of the 16
Type 3 codes, only the first five were needed/used. The rules from/to
the DMZ are different - and that allows someone from the NOC to work/test
from there to diagnose problems to the outside, but that's it. We don't
serve ANYTHING to the outside from anywhere other than the DMZ, so that's
not a problem either. ALL inbound 113/tcp is redirected to an "ID server"
that answers with an encrypted string, so that's neither a problem for
our users or a security risk to us.
My home setup is similar - except that I have root on all systems, so
I can diagnose and fix problems as needed. Thus far, outbound pings,
type 3 codes 0-4 and type 11 has worked without problems. What more do
I need? It ain't broke - I don't have to fix it.
Old guy
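The perimeter ICMP policy Moe Trin describes above (Destination Unreachable codes 0-4 and Time Exceeded in, Echo Request out, Echo Request in and Echo Reply out dropped), written down as a table that can be evaluated and rendered as iptables commands. This is an added example, not the poster's actual configuration. Which outbound types besides Echo Request are permitted, the chain names, and the explicit trailing DROP rules are assumptions; the rendered commands use the iptables `--icmp-type type/code` match but leave out the connection-tracking rules a stateful firewall would add to tie replies to requests.

```python
# Each entry is (direction, icmp_type, codes); codes None means any code.
# Inbound Echo Reply (0) and outbound Echo Request (8) are allowed so that
# pings originating inside still work. The outbound type 3/11 entries are an
# assumption: the post only says those types "worked without problems".
POLICY = [
    ("in",  3, range(0, 5)),   # net/host/protocol/port unreachable, frag needed
    ("in",  11, None),         # time exceeded (traceroute replies, TTL expiry)
    ("in",  0, None),          # echo reply to our own outbound pings
    ("out", 8, None),          # echo request (our own pings)
    ("out", 3, range(0, 5)),   # assumption: let our hosts report unreachables
    ("out", 11, None),         # assumption: let our routers report TTL expiry
]

DEFAULT_VERDICT = "DROP"


def evaluate(direction, icmp_type, icmp_code):
    """First matching entry wins; anything not listed falls to the default."""
    for d, t, codes in POLICY:
        if d == direction and t == icmp_type and (codes is None or icmp_code in codes):
            return "ACCEPT"
    return DEFAULT_VERDICT


def render_iptables(policy=POLICY):
    """Turn the table into iptables commands, one per type or type/code, plus defaults."""
    chain = {"in": "INPUT", "out": "OUTPUT"}
    rules = []
    for d, t, codes in policy:
        if codes is None:
            rules.append("iptables -A %s -p icmp --icmp-type %d -j ACCEPT" % (chain[d], t))
        else:
            for c in codes:
                rules.append("iptables -A %s -p icmp --icmp-type %d/%d -j ACCEPT"
                             % (chain[d], t, c))
    # Explicit catch-alls so the policy does not depend on the chain's default.
    rules.append("iptables -A INPUT -p icmp -j DROP")
    rules.append("iptables -A OUTPUT -p icmp -j DROP")
    return rules


# Constructed sample traffic (direction, type, code) to run the table against.
SAMPLE_TRAFFIC = [
    ("in", 8, 0),    # somebody pinging us from outside
    ("in", 3, 3),    # port unreachable for one of our UDP probes
    ("in", 3, 13),   # administratively prohibited: not in codes 0-4
    ("in", 11, 0),   # traceroute hop reply
    ("out", 0, 0),   # our host trying to answer an outside ping
    ("out", 8, 0),   # NOC pinging something outside
]


def verdicts(traffic=SAMPLE_TRAFFIC):
    return [(d, t, c, evaluate(d, t, c)) for d, t, c in traffic]


if __name__ == "__main__":
    for d, t, c, v in verdicts():
        print("%-3s type %2d code %2d -> %s" % (d, t, c, v))
    print()
    print("\n".join(render_iptables()))
```

Note the trade-off the table makes visible: dropping type 3 code 13 inbound (administratively prohibited) hides some upstream filtering from your own hosts, and dropping type 4 (the source quench the post mentions giving up after a DoS) costs nothing on modern stacks.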
Re: Ok to let all ICMP traffic through firewall?
am 11.10.2005 22:01:55 von ibuprofin
In the Usenet newsgroup comp.security.firewalls, in article
<434bb87c@news.uni-ulm.de>, Volker Birk wrote:
>jameshanley39@yahoo.co.uk wrote:
>> is this sowftware's function defined by TCP/IP in any RFC?
>
>No. The RFCs mainly are defining protocols and usually not how to
>implement them.
1122 Requirements for Internet Hosts - Communication Layers. R.
Braden, Ed.. October 1989. (Format: TXT=295992 bytes) (Updated by
RFC1349) (Also STD0003) (Status: STANDARD)
1123 Requirements for Internet Hosts - Application and Support. R.
Braden, Ed.. October 1989. (Format: TXT=245503 bytes) (Updates
RFC0822) (Updated by RFC1349, RFC2181) (Also STD0003) (Status:
STANDARD)
>Sending anything to an interface, which is down, does not provoke an
>answer from this interface. Instead, one gets an ICMP host not found
>or an ICMP network not found from a router before the host.
That assumes the ARP cache on the router has timed out, or, if the
destination is more than a hop beyond, that the routers have talked about
it via RIP, BGP, OSPF, or something similar.
>> I will be getting Stevens TCP/IP book when i'm more advanced. Is this
>> topic dealt with in there?
>
>Yes, of course it is, if you mean "UNIX Network Programming".
Possibly 'TCP/IP Illustrated Volume 1 The Protocols', Addison Wesley
0-201-63346-9 - 576 pgs, US$LOTS, 1994 and 1996 at least. Volume 2 is
less common - 0-201-63354-X. It's used as a college textbook primarily,
but a lot of network people have a copy, and use it. It's also frequently
suggested as a good read - to the extent that I've got the title,
publisher, ISBN, and page count memorized. He was actually a very good
author.
Old guy
Re: Ok to let all ICMP traffic through firewall?
am 11.10.2005 22:15:06 von Volker Birk
Moe Trin wrote:
> >No. The RFCs mainly are defining protocols and usually not how to
^^^^^^ ^^^^^^^
> >implement them.
[RFC 1122, 1123]
I've underlined the most important words ;-)
[Richard Stevens]
> He was actually a very good
> author.
Yes. An excellent author.
Yours,
VB.
--
"I am a free man and will now make use of my civil liberties - and
extensively so - of course only within the bounds that Otto Schily
still leaves me."
Wolfgang Clement on 10.10.05, while still "Superminister"
Re: Ok to let all ICMP traffic through firewall?
am 11.10.2005 22:17:03 von Volker Birk
Moe Trin wrote:
> >What's your problem with ToS and echo?
> I don't set corporate policy
I understand ;-)
> My home setup is similar - except that I have root on all systems, so
> I can diagnose and fix problems as needed.
Yes.
> Thus far, outbound pings,
> type 3 codes 0-4 and type 11 has worked without problems. What more do
> I need? It ain't broke - I don't have to fix it.
ACK.
Yours,
VB.
--
"I am a free man and will now make use of my civil liberties - and
extensively so - of course only within the bounds that Otto Schily
still leaves me."
Wolfgang Clement on 10.10.05, while still "Superminister"
Re: Ok to let all ICMP traffic through firewall?
am 12.10.2005 00:51:37 von Klaus Petrat
On 10 Oct 2005 20:02:14 -0700, jameshanley39@yahoo.co.uk wrote:
>...
>If it were listening on 0.0.0.0 then it'd be a problem. But fortunately
>you're misreading it. In the remote port column, the 0.0.0.0 just
>means that nobody is connected to it. It's not listening on 0.0.0.0
>In the local column, 0.0.0.0 would mean anybody can connect.
>The windows firewall alg.exe - see the local column is listening on
>127.0.0.1, which I don't fully understand, but it sort of means that
>only your computer can connect to it. And that connection won't even
>pass through your NIC. It's called a loopback address. So that's safe.
>As would be an address like 192.168.0.1 'cos that means that the
>connection is open to any other comp on your LAN(would of course pass
>through NIC). For you who doesn't want any services open to the public,
>0.0.0.0 in the local column is a problem / issue.
Thank you for explaining these details.
>... Safer to not use IE.
The only adress I use IE for is the MS update page for Windows. For
all other adresses I use a different browser.
>Google your ISP . [insert ISP name]+crap. I did that, searched in
>usenet and the web and foudn out what ISPs to avoid. OFten when ppl
>complain about an ISP they lso post a better one.
Thank you for advice. I'll do that the next days.
--
Klaas
Re: Ok to let all ICMP traffic through firewall?
am 12.10.2005 10:28:59 von Greg Hennessy
On Tue, 11 Oct 2005 15:01:55 -0500, ibuprofin@painkiller.example.tld (Moe
Trin) wrote:
>publisher, ISBN, and page count memorized. He was actually a very good
>author.
>
APUE was the book which got me up and running cutting code on *nix back in
the day.
Shame the good always die young.
greg
--
"Access to a waiting list is not access to health care"
Re: Ok to let all ICMP traffic through firewall?
am 05.01.2006 15:14:08 von not.real
Franklin wrote:
> My question is Should a firewall let all ICMP traffic through because
> there is no real risk if they do?
>
> +++++
>
> Here is the thinking behind my question: Robin Walker's cable modem
> webpages at
>
> look to me as if they are technically sound. But they are a few
> years old. I would like to know what people think about the advice
> he gives about ICMP traffic and if it is still true these days.
>
> He suggests that firewalls should let all ICMP traffic through and
> that there is no real risk if they do that. At
> http://snipurl.com/hvox he writes the following section. I have cut
> it down a bit.
>
>
> ------------------- START QUOTE -----------------
>
> STEALTH-MODE FIREWALLS CONSIDERED HARMFUL
>
> Some firewalls have a hiding mechanism they call stealth. ... In
> stealth mode, the firewall causes the PC just to ignore incoming
> connection attempts, rather than rejecting them, as would be normal
> for incoming connection attempts to closed ports.
>
> ... causes some difficulties. For a start, Internet standard RFC 1122
> states categorically about ICMP Echoes (ping):
>
> "3.2.2.6 Echo Request/Reply: RFC-792. Every
> host MUST implement an ICMP Echo server function
> that receives Echo Requests and sends
> corresponding Echo Replies."
>
> So you are strongly advised not to apply stealth techniques to the
> ICMP protocol.
>
> A commonly heard objection to allowing ICMP Echo Replies is that it
> gives away information to hackers that there is a live connection on
> this IP address. Such objections are not well-founded, and can be
> safely ignored.
>
> There is no evidence in practice that any hacker has been aided by
> the presence of an ICMP Echo Reply.
>
> Hackers do not typically write code that tests an address with ICMP
> Echo before launching a hostile probe: they always send the hostile
> probe directly: either it works or it doesn't, and information from
> ICMP adds nothing to the analysis.
>
> ------------------- END QUOTE -----------------
>
> So Should a firewall let all ICMP traffic through? Is it ok to do
> that?
Maybe not all ICMP, but I'm inclined to allow ping unless there is a
good reason not to.
When ping and traceroute are allowed it saves a great deal of time and
effort. This eventually saves $$. Fewer people are involved in
troubleshooting, fewer phone calls, etc. etc.
For example, "I can't FTP to x.x.x.x" is now a ticket which is likely to
involve the "firewall guy" since there is no ping. This could be a very
simple matter if only you could ping the server.
When the network gets very complicated some security is lost. Mistakes
are made because not everyone understands all aspects of the network.
Ping of death is quite old now and not likely to resurface. I would
make a judgment call on this issue. If you need very high security then
I'd turn it off, otherwise I'd focus on more pressing issues like
silencing my telephone and shuffling my email. :)
Scott R. Haven
Sr. Systems Engineer
Paisley Systems Inc.
managed services, consulting, and support
www.paisleysystems.com
Re: Ok to let all ICMP traffic through firewall?
am 05.01.2006 20:04:46 von unknown
Post removed (X-No-Archive: yes)