ICMP/ Firewall issue

Igmar Palsenberg maillist at chello.nl
Fri Oct 20 20:30:20 UTC 2000



> > No, but TCP/IP does use ICMP to do diagnostics kind of things. Completely
> > blocking ICMP makes TCP/IP blind.
> 
>   Blindness is a function of what you are trying to accomplish.
> If you are trying to get DNS queries to a server and receive
> the responses coming back, ICMP has nothing to do with it
> except perhaps to indicate that the server isn't there or
> that there are routing problems.  It is irrelevant to
> this situation involving a firewall.  Blocking ICMP has
> nothing to do with this problem.

No, the problem is that 53 UDP/TCP aren't forwarded. But if an app sends
some ICMP to see if the host is up, and it doesn't receive the response it
wants, it has every right to stop communication.

You don't get blindness by blocking ICMP, you get blindness by making sure
that all requests from evil hosts get dropped on the floor. On all ports, I
mean.

An attacker isn't interested in whether a host is up or not, he's interested in
what's running on that machine. And you make his life miserable by
pretending that all ports are open. In combination with the timeout, it
takes ages to scan such a machine.


> Scott



Igmar
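An added example, not part of Igmar's post or of BIND, of the firewall rule set the thread is arguing about: it forwards DNS on both UDP and TCP port 53 to an internal resolver and keeps the ICMP error types TCP/IP relies on, rather than blocking ICMP wholesale. It assumes Linux iptables and uses placeholder interface names (eth0/eth1) and a documentation-range resolver address (192.0.2.53).

```shell
#!/bin/sh
# Added example (not from the original post). Generates, and optionally
# applies, iptables FORWARD rules for a firewall in front of a DNS server.
# Assumptions (placeholders): external interface eth0, internal interface
# eth1, internal DNS server 192.0.2.53 (RFC 5737 documentation range).
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"

# Emit the rule set as text so it can be reviewed (or tested) before applying.
gen_rules() {
    cat <<EOF
# Default: drop silently, so unsolicited packets get no answer at all
iptables -P FORWARD DROP
# Replies to connections the inside already set up, and related ICMP errors
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS needs BOTH transports: UDP for ordinary queries, TCP for large answers
# and zone transfers. Forwarding only one of them is the "port 53 isn't
# forwarded" failure the post describes.
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p udp -d $DNS_SERVER --dport 53 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $DNS_SERVER --dport 53 -m state --state NEW -j ACCEPT
# Keep the ICMP errors TCP/IP uses for diagnostics (path MTU discovery,
# unreachable destinations, expired TTLs); echo-request is NOT accepted.
iptables -A FORWARD -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type parameter-problem -j ACCEPT
EOF
}

# Apply the generated rules (requires root and iptables on the host).
apply_rules() {
    gen_rules | grep -v '^#' | sh
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules ;;   # default is a dry run: print the rules
esac
```

Run without arguments to print the rule set for review; run with `apply` as root to load it.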



