Re: Problem of blocking ICMP packets

> Any router configured to block ICMP packets is, quite simply,
> in violation of RFC792 (STD5), which clearly states "ICMP is actually
> an integral part of IP, and must be implemented by every IP module."
> For a router, "implemented" means forwarded to the destinations next
> hop.
>
> So the fact is, by blocking ICMP, such ISPs have broken IP connectivity,
> and can no longer claim to be providing Internet (IP) service.

<yawn> This debate has been going on since before I became a firewall
developer back in 1995...

Unfortunately, customers are more interested in a "usable" internet than a
"correct" one. As long as the bad guys keep abusing ICMP, we security people
will keep blocking it. The trick, therefore, is to convince the "block
everything" crowd to be selective about ICMP the same way they are selective
about (eg) TCP port numbers.

It's pretty easy these days to write good firewall rules that allow, for
example, Path MTU discovery to work. The "RELATED" state in Linux's iptables
rules is a good start...

-- 
Harald Koch chk@xxxxxxxxx
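As an added illustration of the selective approach the reply advocates (this is not code from the original message or from its author), the script below emits an iptables rule set that keeps Path MTU discovery and related error reporting working while still dropping the rest of ICMP, and exposes the same policy as a small verdict function so it can be checked offline. It assumes a Linux box with iptables and the conntrack match available, the default INPUT/FORWARD chains, and a default-deny posture for anything not listed; the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Selective ICMP filtering for a Linux firewall (added example, not from the list post).
# Assumptions: iptables with the conntrack and limit matches; default chains
# INPUT and FORWARD; everything not explicitly accepted here is dropped.

# Print the rule set instead of applying it. On the firewall itself the
# output can be reviewed and then piped to "sh" by an administrator.
icmp_rules() {
    cat <<'EOF'
# ICMP errors that belong to an existing TCP/UDP flow (conntrack marks them
# RELATED): dest-unreachable, time-exceeded, parameter-problem, source-quench.
iptables -A INPUT   -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Path MTU discovery needs type 3 code 4 ("fragmentation needed") to pass
# even when conntrack has no state for the flow (e.g. asymmetric routing).
iptables -A INPUT   -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT
# TTL expiry (type 11) keeps traceroute and loop detection working.
iptables -A FORWARD -p icmp --icmp-type time-exceeded -j ACCEPT
# Echo: allow, but rate-limit so the box cannot be used as a ping reflector.
iptables -A INPUT   -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# Everything else (timestamp, address mask, redirects, ...) is dropped.
iptables -A INPUT   -p icmp -j DROP
iptables -A FORWARD -p icmp -j DROP
EOF
}

# icmp_verdict TYPE CODE: the same policy expressed as a decision function,
# so the rule set above can be sanity-checked without a kernel.
# Prints ACCEPT or DROP for a given ICMP type/code.
icmp_verdict() {
    case "$1/$2" in
        3/4)        echo ACCEPT ;;   # fragmentation needed: PMTU discovery
        3/*)        echo ACCEPT ;;   # other destination-unreachable: RELATED
        11/*)       echo ACCEPT ;;   # time exceeded: RELATED or traceroute
        12/*)       echo ACCEPT ;;   # parameter problem: RELATED
        8/0|0/0)    echo ACCEPT ;;   # echo request/reply (rate-limited above)
        5/*)        echo DROP ;;     # redirect: never from the outside
        13/*|14/*)  echo DROP ;;     # timestamp request/reply
        17/*|18/*)  echo DROP ;;     # address mask request/reply
        *)          echo DROP ;;
    esac
}

# Count how many ACCEPT rules the generated set contains; useful as a guard
# in change review (a policy that accepts nothing has silently broken PMTUD).
icmp_accept_rule_count() {
    icmp_rules | grep -c -- '-j ACCEPT'
}

# Usage: "sh this.sh --print" shows the rule set; no arguments does nothing.
if [ "${1:-}" = "--print" ]; then
    icmp_rules
fi
```

The split between the conntrack rule and the explicit fragmentation-needed rule is deliberate: RELATED covers the common case, but a router that only sees one direction of a flow has no conntrack entry to match against, and it is exactly those "fragmentation needed" messages that break PMTU discovery when dropped.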


_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf