[geeks] Firewall recommendation?
Mike Meredith
very at zonky.org
Tue Dec 6 16:36:34 CST 2005
On Tue, 6 Dec 2005 17:12:43 -0500 (EST), der Mouse wrote:
> Heck, I'm not sure *I* understand the question. Perhaps this is
> because I've yet to see an application that uses ICMP for anything,
> arguably aside from ping/traceroute (which to me are diagnostic tools
Well taking ping as an example, for every ICMP echo packet that goes out
you would expect 0-1 ICMP echo-replies to come back. No ICMP
echo-replies should be allowed in without a matching ICMP echo going
out. Unsolicited ICMP echo-replies may not seem like a problem, but
there have been Unix backdoors using such as a covert control channel
(loki?). Besides to the paranoid it's enough to imagine that something
is a possible danger rather than wait until real world examples come
knocking at the door.
I don't think anyone does generalised inspection of ICMP ... it's not an
easy thing to do. Although various types of ICMP messages are sent in
response to traffic sent from a site, it doesn't always come back from
where you expect it to.
Of course you could take the extreme step of blocking all ICMP but I
prefer something a little more elegant (and something that doesn't break
IP).
And after you've spent too much time peering at packets, even the barest
diagnostic tool looks like an application.
More information about the geeks
mailing list