September 22, 2005, 10:14 pm
My question is: should a firewall let all ICMP traffic through, because
there is no real risk if it does?
Here is the thinking behind my question: Robin Walker's cable modem
look to me as if they are technically sound. But they are a few
years old. I would like to know what people think about the advice
he gives about ICMP traffic and if it is still true these days.
He suggests that firewalls should let all ICMP traffic through and
that there is no real risk if they do that. At
http://snipurl.com/hvox he writes the following section. I have cut
it down a bit.
------------------- START QUOTE -----------------
STEALTH-MODE FIREWALLS CONSIDERED HARMFUL
Some firewalls have a hiding mechanism they call stealth. ... In
stealth mode, the firewall causes the PC just to ignore incoming
connection attempts, rather than rejecting them, as would be normal
for incoming connection attempts to closed ports.
... causes some difficulties. For a start, Internet standard RFC 1122
states categorically about ICMP Echoes (ping):
"3.2.2.6 Echo Request/Reply: RFC-792. Every
host MUST implement an ICMP Echo server function
that receives Echo Requests and sends
corresponding Echo Replies."
So you are strongly advised not to apply stealth techniques to the
A commonly heard objection to allowing ICMP Echo Replies is that it
gives away information to hackers that there is a live connection on
this IP address. Such objections are not well-founded, and can be
There is no evidence in practice that any hacker has been aided by
the presence of an ICMP Echo Reply.
Hackers do not typically write code that tests an address with ICMP
Echo before launching a hostile probe: they always send the hostile
probe directly: either it works or it doesn't, and information from
ICMP adds nothing to the analysis.
------------------- END QUOTE -----------------
So, should a firewall let all ICMP traffic through? Is it ok to do
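As an added illustration, not part of the original post or of Robin Walker's page, here is an nftables ruleset for an IPv4 host that follows the quoted advice: it answers ICMP Echo Requests, lets the ICMP error messages that belong to the host's own connections through via connection tracking, and rejects connections to closed ports instead of silently dropping them ("stealth"). The open ports (22 and 443) and the ping rate limit are assumptions chosen for the example.

```nft
# Added example: IPv4 host firewall that answers pings and rejects, rather
# than ignores, probes to closed ports. Assumed services: SSH (22), HTTPS (443).
table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept

        # Replies to our own traffic, including the ICMP errors (destination
        # unreachable, time exceeded) that conntrack associates with our
        # connections; this is the part of "let ICMP through" that matters
        # for normal operation.
        ct state established,related accept
        ct state invalid drop

        # RFC 1122 3.2.2.6: every host MUST answer Echo Requests. The rate
        # limit is an assumed compromise; it bounds ping floods without
        # making the host look dead.
        icmp type echo-request limit rate 10/second burst 20 packets accept

        # Open services (assumed for the example)
        tcp dport { 22, 443 } accept

        # Closed ports: send the normal refusal instead of going silent.
        tcp flags syn reject with tcp reset
        reject with icmp type port-unreachable
    }
}
```

Load it with `nft -f <file>` and check the result with `nft list ruleset`. The difference from a "stealth" configuration is only the last two lines: a stealth firewall would end with the default `policy drop` and send nothing back, whereas this one returns a TCP RST or an ICMP port-unreachable, which is what a host with no firewall at all would do.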