For starters, I do have to agree that allowing ICMP is a mistake on a "good"
firewall... ICMP is the best way to determine the internal structure of a
private network. I'm sure I'm not mentioning other reasons why allowing
ICMP is bad, but one should be enough for that point; I'll let others
elaborate if needed.

Also, I was reading up on PMTUD and, from what I can see, all it does is aim
to avoid fragmentation by plotting the shortest path from one point to
another, thus preventing the packet from degrading. However, this makes me
raise two questions, the second of which I am more sure about than the
first: (1) Isn't PMTUD something that can be rendered unneeded by using
port forwarding and static routes for traffic destined for each collision
domain? I mean, yeah, it probably means more work for the person
administering the network, but is it not possible to just use some common
sense in creating the routing table? (2) If PMTUD is such a big concern as
to make someone wish to allow ICMP, then why not just block certain types of
ICMP packets using an access-list?

Isaac Van Name

-----Original Message-----
From: [] On Behalf Of Patrick M. Hausen
Sent: Monday, August 21, 2006 3:11 AM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] How automate firewall tests

Hi, all!

On Fri, Aug 18, 2006 at 10:26:53AM -0700, Shahin Ansari wrote:

> The doco above says no good firewall should allow ICMP, ...

Then this document is plainly wrong, IMHO. Which one were you
referring to?

Blocking ICMP completely breaks PMTUD. Which leads to all
sorts of "funny" breakage from the end users' point of view.

-- GmbH Internet - Dienstleistungen - Beratung
Vorholzstr. 25 Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe
firewall-wizards mailing list
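Question (2) above, allowing only the ICMP types the stack needs and dropping the rest, is the usual answer to the "blanket ICMP block breaks PMTUD" problem. The script below is an added illustration; it is not from either poster in this thread and is not the policy of any product. It assumes a Linux firewall using iptables/ip6tables, a FORWARD chain, and an external interface called eth0 (all assumptions). The functions print the rules rather than applying them, so the output can be reviewed and then piped into sh as root.

```shell
#!/bin/sh
# Added example, not part of the fw-wiz thread. Assumptions: Linux with
# iptables/ip6tables, rules go in the FORWARD chain, external interface eth0.
# Both functions print rules to stdout instead of executing them.

# The policy the original "doco" describes: drop all ICMP at the border.
# This also drops "fragmentation needed" (ICMP type 3 code 4), the message a
# router returns when a DF-marked packet exceeds the next-hop MTU. Without
# it the sender never learns the path MTU and large transfers stall.
blanket_icmp_drop() {
    echo "iptables  -A FORWARD -p icmp   -j DROP"
    echo "ip6tables -A FORWARD -p icmpv6 -j DROP"
}

# The access-list approach: accept only the ICMP types TCP/IP needs to work,
# then drop everything else, including echo-request from the outside, which
# is what lets an outsider map the internal network.
pmtud_safe_icmp() {
    wan="${1:-eth0}"   # assumed external interface name
    # IPv4: fragmentation-needed is the type 3 code 4 message PMTUD relies on.
    echo "iptables -A FORWARD -i $wan -p icmp --icmp-type fragmentation-needed -j ACCEPT"
    # time-exceeded keeps traceroute and TTL-expiry diagnostics usable.
    echo "iptables -A FORWARD -i $wan -p icmp --icmp-type time-exceeded -j ACCEPT"
    # Inbound echo-request is the discovery vector; drop it explicitly.
    echo "iptables -A FORWARD -i $wan -p icmp --icmp-type echo-request -j DROP"
    echo "iptables -A FORWARD -i $wan -p icmp -j DROP"
    # IPv6: routers never fragment, so packet-too-big (type 2) is mandatory
    # for any connection to survive a smaller-MTU hop.
    echo "ip6tables -A FORWARD -i $wan -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT"
    echo "ip6tables -A FORWARD -i $wan -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT"
    echo "ip6tables -A FORWARD -i $wan -p icmpv6 --icmpv6-type echo-request -j DROP"
    echo "ip6tables -A FORWARD -i $wan -p icmpv6 -j DROP"
}

# Example usage (review, then: pmtud_safe_icmp eth0 | sudo sh):
pmtud_safe_icmp eth0
```

Rule order matters: the specific ACCEPT lines must precede the catch-all DROP. On a stateful Linux firewall the same effect can be had more compactly with an early `-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`, since ICMP errors tied to an existing flow are classified RELATED. To verify the result from an inside host, send a DF-marked packet larger than the smallest MTU on the path, e.g. `ping -M do -s 1472 <host>`: you should get a "Frag needed and DF set (mtu = ...)" report back rather than a silent timeout.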