
Ok to let all ICMP traffic through firewall?

  #1  
Old September 22nd 05, 11:14 PM posted to comp.security.misc,alt.computer.security,comp.security.firewalls,uk.telecom.broadband
Franklin

My question is Should a firewall let all ICMP traffic through because
there is no real risk if they do?

+++++

Here is the thinking behind my question: Robin Walker's cable modem
webpages at
http://homepage.ntlworld.com/robin.d.h.walker/cmtips/index.html
look to me as if they are technically sound. But they are a few
years old. I would like to know what people think about the advice
he gives about ICMP traffic and if it is still true these days.

He suggests that firewalls should let all ICMP traffic through and
that there is no real risk if they do that. At
http://snipurl.com/hvox he writes the following section. I have cut
it down a bit.


------------------- START QUOTE -----------------

STEALTH-MODE FIREWALLS CONSIDERED HARMFUL

Some firewalls have a hiding mechanism they call stealth. ... In
stealth mode, the firewall causes the PC just to ignore incoming
connection attempts, rather than rejecting them, as would be normal
for incoming connection attempts to closed ports.

... causes some difficulties. For a start, Internet standard RFC 1122
states categorically about ICMP Echoes (ping):

"3.2.2.6 Echo Request/Reply: RFC-792. Every
host MUST implement an ICMP Echo server function
that receives Echo Requests and sends
corresponding Echo Replies."

So you are strongly advised not to apply stealth techniques to the
ICMP protocol.

A commonly heard objection to allowing ICMP Echo Replies is that it
gives away information to hackers that there is a live connection on
this IP address. Such objections are not well-founded, and can be
safely ignored.

There is no evidence in practice that any hacker has been aided by
the presence of an ICMP Echo Reply.

Hackers do not typically write code that tests an address with ICMP
Echo before launching a hostile probe: they always send the hostile
probe directly: either it works or it doesn't, and information from
ICMP adds nothing to the analysis.

------------------- END QUOTE -----------------

So Should a firewall let all ICMP traffic through? Is it ok to do
that?
  #3  
Old September 22nd 05, 11:36 PM posted to comp.security.misc,alt.computer.security,comp.security.firewalls,uk.telecom.broadband
Peter

Franklin wrote:
My question is Should a firewall let all ICMP traffic through
because there is no real risk if they do?


No, because some ICMP messages aren't useful. However blocking all
ICMP is throwing the baby out with the bathwater and will cause more
bother than not blocking anything.

I would suggest allowing ICMP Echo and Echo Reply (so ping works),
Destination Unreachable (which includes "fragmentation required",
essential for PMTUD to work) and Time Exceeded (so traceroute works.)
Everything else looks to be fair game to drop.

While I'm suggesting firewall rules, can people also not silently drop
SYNs to port 113 please? All sorts of servers try RFC1413 lookups and
stall while waiting for a response. The firewall user is usually the
first to complain that it's taking ages to connect to a certain remote
server.

--
PGP key ID E85DC776 - finger for full key
/:.*posting.google.com.*/HX-Trace:+j
  #4  
Old September 22nd 05, 11:49 PM posted to alt.computer.security,comp.security.firewalls,uk.telecom.broadband,comp.security.misc
Walter Roberson

In article ,
Bob Eager wrote:
:In practice, you need to let a few ICMP messages through, then. For
:example, source quench and destination unreachable.

In practice, crackers will send you unsolicited source quenches,
either as a side effect of them DoS'ing the host with forged packets,
or else with the hope of DoS'ing you by interfering with your flow
of traffic to other locations.

In practice, you don't need to listen to source quench. If you
are sending data too quickly for a router, the router will drop
some of the traffic. If the traffic was TCP then the normal TCP
recovery mechanisms will kick in and will act to slow down your
rate of transmission. If the traffic was UDP or anything other
"unreliable" protocol, then by definition the transmissions are
expected to be unreliable so dropping the traffic should not be
important. [If it -was- important, then you shouldn't be using an
unreliable transmission protocol.]
--
Goedel's Mail Filter Incompleteness Theorem:
In any sufficiently expressive language, with any fixed set of
email filtering algorithms, there exists at least one spam message
which the algorithms are unable to filter out.
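Peter's allow-list and Walter's point about Source Quench, as an added example that is not from the thread: a small Python classifier that parses raw IPv4 packets and returns the verdict a firewall applying that policy would give each one (allow Echo/Echo Reply, Destination Unreachable including fragmentation-needed, Time Exceeded; drop the rest, Source Quench included), and rejects rather than silently drops ident SYNs. The sample packets, the 192.0.2.x addresses and the verdict names ACCEPT/DROP/REJECT are constructed for the illustration.

```python
import struct
# ICMP types named in the thread (RFC 792 numbering)
ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_SOURCE_QUENCH = 0, 3, 4
ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 8, 11
FRAG_NEEDED = 4    # Destination Unreachable code 4, the message PMTUD depends on
IDENT_PORT = 113   # RFC 1413 ident: REJECT (send RST) rather than DROP, so peers don't stall
# Peter's allow-list; anything else inbound (Source Quench, Redirect, ...) is dropped
ALLOWED_ICMP = {ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED}

def classify(packet):
    """Return (verdict, reason) for one raw inbound IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4   # IPv4 header length in bytes
    proto = packet[9]              # 1 = ICMP, 6 = TCP
    payload = packet[ihl:]
    if proto == 1:
        icmp_type, code = payload[0], payload[1]
        if icmp_type not in ALLOWED_ICMP:
            return "DROP", "icmp type %d not needed inbound" % icmp_type
        if icmp_type == ICMP_DEST_UNREACH and code == FRAG_NEEDED:
            # bytes 6-7 of a frag-needed message carry the next-hop MTU (RFC 1191)
            mtu = struct.unpack("!H", payload[6:8])[0]
            return "ACCEPT", "frag-needed, next-hop MTU %d (PMTUD)" % mtu
        return "ACCEPT", "icmp type %d code %d" % (icmp_type, code)
    if proto == 6:
        dport = struct.unpack("!H", payload[2:4])[0]
        syn_only = (payload[13] & 0x12) == 0x02   # SYN set, ACK clear
        if dport == IDENT_PORT and syn_only:
            return "REJECT", "ident SYN: answer with RST instead of silently dropping"
        return "DROP", "unsolicited tcp to port %d" % dport
    return "DROP", "protocol %d" % proto

# --- constructed sample packets (hand-built, not captured traffic) ---
def ipv4(proto, payload):
    """Minimal 20-byte IPv4 header (checksum left zero) around payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload

def icmp(icmp_type, code, rest=b"\0\0\0\0"):
    """8-byte ICMP header; 'rest' is the type-specific word (next-hop MTU for frag-needed)."""
    return bytes([icmp_type, code, 0, 0]) + rest

def tcp_syn(dport):
    """20-byte TCP header with only the SYN flag set."""
    return struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)

if __name__ == "__main__":
    for pkt in (icmp(8, 0), icmp(4, 0), icmp(3, 4, b"\0\0\x05\x78"), icmp(11, 0)):
        print(classify(ipv4(1, pkt)))
    print(classify(ipv4(6, tcp_syn(113))))
```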
  #5  
Old September 22nd 05, 11:57 PM posted to comp.security.misc,alt.computer.security,comp.security.firewalls,uk.telecom.broadband
Wolfgang Kueter

Franklin wrote:

My question is Should a firewall let all ICMP traffic through because
there is no real risk if they do?
[...]
------------------- START QUOTE -----------------

STEALTH-MODE FIREWALLS CONSIDERED HARMFUL
[...]
So Should a firewall let all ICMP traffic through?


No.

Is it ok to do that?


No. While the example you quoted from the web page is still correct and
there is nothing wrong with echo request and echo reply and the various
destination unreachable messages, there are other icmp messages that should be
filtered.

http://seclists.org/lists/bugtraq/2005/May/0122.html

Wolfgang
  #6  
Old September 23rd 05, 12:06 AM posted to comp.security.misc,alt.computer.security,comp.security.firewalls,uk.telecom.broadband
Walter Roberson

In article ,
Peter wrote:
:However blocking all
:ICMP is throwing the baby out with the bathwater and will cause more
:bother than not blocking anything.

"more bother" depends on whether you are being deliberately attacked
or not.


:I would suggest allowing ICMP Echo and Echo Reply (so ping works),

Typically, outsiders have no business mapping out exactly which
of your systems exist or are up right now, so dropping most incoming icmp
echo is a common security precaution. Whether to allow icmp echo
to public-facing servers varies with circumstance.

--
If you like, you can repeat the search with the omitted results included.
  #7  
Old September 23rd 05, 12:48 AM posted to comp.security.misc,alt.computer.security,comp.security.firewalls,uk.telecom.broadband
Hairy One Kenobi

"Leythos" wrote in message
...
In article ,
says...
Franklin wrote:
My question is Should a firewall let all ICMP traffic through
because there is no real risk if they do?


snip

You don't
need to allow PING, in fact why the heck would you want to allow PING,
it's not like it's a valid test that your network is alive - we've got
tons of commercial networks that block PING and none of the users even
notice.


Undoubtedly the case. Although one could quote lots of instances where it's
been damned useful.

Well, *I* certainly can - usually when the web server has had a bit of a
funny turn, and one needs to tell if it's the server behind the firewall
(fat chance of fixing something from an adjacent continent), or whether it's
the ISP playing silly buggers with the connection (marginally more hope of
getting something sorted).

As goes firewalls - I'm sure that most have already seen it, but:
http://www.dilbert.com/comics/dilber...3960050912.gif

--

Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!


  #8  
Old September 23rd 05, 01:29 AM posted to comp.security.firewalls,uk.telecom.broadband,comp.security.misc,alt.computer.security
Bob Eager

On Thu, 22 Sep 2005 23:13:55 UTC, Leythos wrote:

In practice, you need to let a few ICMP messages through, then. For
example, source quench and destination unreachable.


Wrong, you don't NEED to allow anything. You may FEEL that you do, but
we've got almost 100 networks that don't allow ICMP or anything else
inbound and they work just fine, and we'll not change them.


You're wrong. But that's fine. You just carry on.

--
[ 7'ism - a condition by which the sufferer experiences an inability
to give concise answers, express reasoned argument or opinion.
Usually accompanied by silly noises and gestures - incurable, early
euthanasia recommended. ]
  #9  
Old September 23rd 05, 02:16 AM posted to comp.security.misc,alt.computer.security,comp.security.firewalls,uk.telecom.broadband
Imhotep

Franklin wrote:

My question is Should a firewall let all ICMP traffic through because
there is no real risk if they do?

+++++

Here is the thinking behind my question: Robin Walker's cable modem
webpages at
http://homepage.ntlworld.com/robin.d.h.walker/cmtips/index.html
look to me as if they are technically sound. But they are a few
years old. I would like to know what people think about the advice
he gives about ICMP traffic and if it is still true these days.

He suggests that firewalls should let all ICMP traffic through and
that there is no real risk if they do that. At
http://snipurl.com/hvox he writes the following section. I have cut
it down a bit.


------------------- START QUOTE -----------------

STEALTH-MODE FIREWALLS CONSIDERED HARMFUL

Some firewalls have a hiding mechanism they call stealth. ... In
stealth mode, the firewall causes the PC just to ignore incoming
connection attempts, rather than rejecting them, as would be normal
for incoming connection attempts to closed ports.

... causes some difficulties. For a start, Internet standard RFC 1122
states categorically about ICMP Echoes (ping):

"3.2.2.6 Echo Request/Reply: RFC-792. Every
host MUST implement an ICMP Echo server function
that receives Echo Requests and sends
corresponding Echo Replies."

So you are strongly advised not to apply stealth techniques to the
ICMP protocol.

A commonly heard objection to allowing ICMP Echo Replies is that it
gives away information to hackers that there is a live connection on
this IP address. Such objections are not well-founded, and can be
safely ignored.

There is no evidence in practice that any hacker has been aided by
the presence of an ICMP Echo Reply.

Hackers do not typically write code that tests an address with ICMP
Echo before launching a hostile probe: they always send the hostile
probe directly: either it works or it doesn't, and information from
ICMP adds nothing to the analysis.

------------------- END QUOTE -----------------

So Should a firewall let all ICMP traffic through? Is it ok to do
that?


Some ICMPs are needed for proper TCP/UDP/IP functionality. I typically allow
icmp source quench and destination not reachables through and block
everything else (incoming)....

Imhotep
  #10  
Old September 23rd 05, 02:20 AM posted to comp.security.misc,alt.computer.security,comp.security.firewalls,uk.telecom.broadband
[email protected]


Franklin wrote:
My question is Should a firewall let all ICMP traffic through because
there is no real risk if they do?

+++++

Here is the thinking behind my question: Robin Walker's cable modem
webpages at
http://homepage.ntlworld.com/robin.d.h.walker/cmtips/index.html
look to me as if they are technically sound. But they are a few
years old. I would like to know what people think about the advice
he gives about ICMP traffic and if it is still true these days.


snip

STEALTH-MODE FIREWALLS CONSIDERED HARMFUL

Some firewalls have a hiding mechanism they call stealth. ... In


seems there's a debate. But I can't see Robin Walker's arguments being
addressed by those that say block ICMP.

it is my understanding that stealthing ports has absolutely nothing to
do with ICMP. So they are different issues.

A computer has a port stealthed if the port doesn't respond to say
whether it's open or closed. Online scanners that say 'stealth' are
really saying "could not determine" since perhaps the port is open but
the packet got lost! So some online port scanners can be
misleading.
These are all TCP segments we're dealing with. They are a load of fields
deep within the Frame's contents.

A computer that blocks ICMP is a different kettle of fish. These are
frames carrying ICMP packets and have no TCP segments anywhere in them
or deep in them at all. Blocking ICMP packets breaks the ICMP
protocol. Whereas Stealthing ports breaks the TCP protocol. I think
both go against the RFCs which require correct implementation of ICMP
and TCP.

A computer of course may stealth ports and block ICMP. But they're not
related. The only similarity is that both are bad practice since they
go against RFCs, and it does not make you safer from attack. (Does it
really matter if somebody can ping you or not?!!!) It's that argument
again. That if an attacker is put off by the fact that he can't ping
you, then he isn't much to worry about, and he can easily be put
off by other proper stronger security measures. Like, not having open
ports unless necessary, and if they must be open, then use a firewall
to restrict access to the correct individuals, and apply patches to the
daemons(services/servers) to avoid exploits.

In principle, you don't really want to go around breaking protocols and
going against RFCs, and you don't gain much from doing it. If you just
say "best not to allow something in if you don't know what it is" it
reminds me of a middle aged woman in a school using a computer who
doesn't want to move an icon, and whose main phrase is "put it back to
how it was before". If you know what an icon does then you would know
there's no harm in moving it a fraction to the left or to the right.

Similarly, the people that wrote the RFCs are clever people, and
there's a huge number of technical people in the know, and none of them
have indicated any danger from allowing ICMP packets (or if they have,
then nobody has given their argument in this thread!). The protocol has
been around for donkeys' years, and nobody has sounded off any alarms
about it. So there's no need to start breaking protocols and going
against RFCs. It all looks like a lot of FUD to me.


I only learnt about this recently so I may be wrong, fortunately this
is a public forum, where people correct each others' mistakes!
