Re: Questions about ICMP

On Wednesday 05 December 2007, Daniel B. Thurman wrote:
> Should ICMP packets be allowed both over the
> Internet or should it be allowed to pass only in
> the local networks?

If you blanket block all ICMP, you break many parts of the TCP/IP protocol.  
You lose:

1.) The ability for you to ping anything (ICMP Echo Reply)
2.) Path MTU discovery (ICMP type 3 (Destination unreachable) code 4)
3.) The ability to know a destination is not reachable (is your yum taking too 
long?  Perhaps you're blocking ICMP type 3!)

Read the list of ICMP types and see what you might break.  The list is at 
http://www.iana.org/assignments/icmp-parameters

ICMP is called the 'internet control message protocol' for a reason.

Now, blocking ICMP types 4 and 5 might be useful, and blocking several 
experimental types might be useful, but you certainly don't want to block 
types that are necessary for proper network functionality.  Otherwise your 
connectivity will be broken (blocking type 11, for instance, can have 
interesting ramifications).  Blocking type 4 can cause problems with QoS in 
some implementations, too.

Again, ICMP exists for a very valid reason.  Blocking ICMP does not make you 
more secure, either.  It will make it slightly more difficult for an attacker 
to find you, but only slightly.

See http://www.faqs.org/faqs/computer-security/most-common-qs/section-18.html 
for more.  See the parent FAQ of that question, too.

Also, as a point of information, there is no such thing as 'The Internet' 
anyway.  There is a conglomeration of interconnected networks, each with 
their own 'junk,' that agree to connect and pass traffic.  It is a VERY loose 
conglomeration; just follow some of the depeering discussions on NANOG for a 
while.
-- 
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC  28772
(828)862-5554
www.pari.edu
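
The selective policy described in the message above, as an added example that is not part of the original post: it parses a raw ICMPv4 message, checks its checksum, and returns a verdict by type. The function names, the constructed sample packets and the "review" verdict for types the message does not mention are assumptions.

```python
import struct

# Policy taken from the message above: types it names as needed are allowed,
# types 4 and 5 (which it says may be worth blocking) are dropped.
ALLOW = {0: "echo reply", 3: "destination unreachable",
         8: "echo request", 11: "time exceeded"}
DROP = {4: "source quench", 5: "redirect"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Build a constructed ICMP message with a valid checksum (sample data only)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def classify(message: bytes) -> tuple[str, str]:
    """Return (verdict, reason) for a raw ICMPv4 message (no IP header)."""
    if len(message) < 8:
        return "drop", "truncated header"
    if inet_checksum(message) != 0:
        return "drop", "bad checksum"
    icmp_type, code = message[0], message[1]
    if icmp_type in ALLOW:
        note = " (fragmentation needed, path MTU discovery)" if (icmp_type, code) == (3, 4) else ""
        return "allow", ALLOW[icmp_type] + note
    if icmp_type in DROP:
        return "drop", DROP[icmp_type]
    # Assumption: types the message does not mention are left for manual review.
    return "review", f"type {icmp_type} not covered by the message"


if __name__ == "__main__":
    # Constructed samples: PMTUD signal (next-hop MTU 1400), redirect, time exceeded.
    for pkt in (build_icmp(3, 4, struct.pack("!HH", 0, 1400)), build_icmp(5, 1), build_icmp(11, 0)):
        print(classify(pkt))
```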

