[unisog] Necessary ICMP traffic and the SANS/FBI top 20 Vulnerabilities

bukys at cs.rochester.edu bukys at cs.rochester.edu
Mon Jun 16 19:03:35 GMT 2003

It is very desirable to allow ICMP packets supporting Path MTU Discovery,
as recommended by RFC2979: Behavior of and Requirements for Internet Firewalls

    3.1.1.  Path MTU Discovery and ICMP

       ICMP messages are commonly blocked at firewalls because of a
       perception that they are a source of security vulnerabilities.  This
       often creates "black holes" for Path MTU Discovery [3], causing
       legitimate application traffic to be delayed or completely blocked
       when talking to systems connected via links with small MTUs.

       By the transparency rule, a packet-filtering router acting as a
       firewall which permits outgoing IP packets with the Don't Fragment
       (DF) bit set MUST NOT block incoming ICMP Destination Unreachable /
       Fragmentation Needed errors sent in response to the outbound packets
       from reaching hosts inside the firewall, as this would break the
       standards-compliant usage of Path MTU discovery by hosts generating
       legitimate traffic.

       On the other hand, it's proper (albeit unfriendly) to block ICMP Echo
       and Echo Reply messages, since these form a different use of the
       network, or to block ICMP Redirect messages entirely, or to block
       ICMP DU/FN messages which were not sent in response to legitimate
       outbound traffic.

http://www.faqs.org/rfcs/rfc2979.html

which means letting the following ICMP types/subtypes through:
!	icmp 3 0  ! net-unreachable
!	icmp 3 1  ! host-unreachable
!	icmp 3 3  ! port-unreachable
!	icmp 3 4  ! packet-too-big

to which I might add:
!	icmp 3 13 ! administratively-prohibited
!	icmp 4    ! source-quench
!	icmp 11 0 ! ttl-exceeded
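
As an added illustration (not from this post or the unisog list), here is a small Python model of the stateful rule RFC 2979 describes: an inbound ICMP error is admitted only if its type/code is on the list above and the datagram quoted in its payload matches an outbound flow the filter has already seen. The class and function names, the flow record and the minimal packet builder with its sample addresses are constructed for this example.

```python
import struct
from collections import namedtuple

# ICMP (type, code) pairs the post lists as necessary (RFC 2979 section 3.1.1):
# net/host/port-unreachable, packet-too-big, admin-prohibited, source-quench, ttl-exceeded
ALLOWED_ICMP = {(3, 0), (3, 1), (3, 3), (3, 4), (3, 13), (4, 0), (11, 0)}

Flow = namedtuple("Flow", "src dst proto sport dport")  # hypothetical flow record


class PmtuAwareFilter:
    """Stateful model: admit an inbound ICMP error only if its type/code is allowed
    AND the datagram quoted in its payload matches an outbound flow already seen."""

    def __init__(self):
        self.flows = set()

    def note_outbound(self, src, dst, proto, sport, dport):
        self.flows.add(Flow(src, dst, proto, sport, dport))

    def admit_inbound_icmp(self, icmp_packet: bytes) -> bool:
        if len(icmp_packet) < 8 or (icmp_packet[0], icmp_packet[1]) not in ALLOWED_ICMP:
            return False  # echo, echo reply, redirect, etc. are dropped
        quoted = icmp_packet[8:]  # original IPv4 header + first 8 bytes of its payload
        if len(quoted) < 20:
            return False
        ihl = (quoted[0] & 0x0F) * 4
        if (quoted[0] >> 4) != 4 or ihl < 20 or len(quoted) < ihl + 8:
            return False
        src = ".".join(str(b) for b in quoted[12:16])
        dst = ".".join(str(b) for b in quoted[16:20])
        sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
        return Flow(src, dst, quoted[9], sport, dport) in self.flows


def next_hop_mtu(icmp_packet: bytes) -> int:
    """For a packet-too-big error (type 3, code 4) return the next-hop MTU field (RFC 1191)."""
    if len(icmp_packet) < 8 or icmp_packet[0] != 3 or icmp_packet[1] != 4:
        return 0
    return struct.unpack("!H", icmp_packet[6:8])[0]


def build_icmp_error(icmp_type, code, src, dst, proto, sport, dport, mtu=0):
    """Construct a minimal ICMP error (checksum zeroed) quoting an IPv4 header with DF set
    plus 8 bytes of transport header; constructed sample input, not a real capture."""
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    quoted_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, proto, 0, ip4(src), ip4(dst))
    quoted_l4 = struct.pack("!HHI", sport, dport, 0)  # ports + 4 bytes of seq/len
    return struct.pack("!BBHHH", icmp_type, code, 0, 0, mtu) + quoted_ip + quoted_l4
```

A real firewall also needs to age flows out and apply the same matching to the UDP/TCP checksum-less quote, but the type/code allow list plus the quoted-datagram check is the core of what the RFC asks for.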

Liudvikas Bukys
bukys at cs.rochester.edu
