Questions about ICMP
Lamar Owen
lowen at pari.edu
Thu Dec 6 14:08:56 UTC 2007
On Wednesday 05 December 2007, Daniel B. Thurman wrote:
> Should ICMP packets be allowed both over the
> Internet or should it be allowed to pass only in
> the local networks?
If you blanket block all ICMP, you break many parts of the TCP/IP protocol.
You lose:
1.) The ability for you to ping anything (ICMP Echo Reply)
2.) Path MTU discovery (ICMP type 3 (Destination unreachable) code 4)
3.) The ability to know a destination is not reachable (is your yum taking too
long? Perhaps you're blocking ICMP type 3!)
Read the list of ICMP types and see what you might break. The list is at
http://www.iana.org/assignments/icmp-parameters
ICMP is called the 'internet control message protocol' for a reason.
Now, blocking ICMP types 4 and 5 might be useful, and blocking several
experimental types might be useful, but you certainly don't want to block
types that are necessary for proper network functionality. Otherwise your
connectivity will be broken (blocking type 11, for instance, can have
interesting ramifications). Blocking type 4 can cause problems with QoS in
some implementations, too.
Again, ICMP exists for a very valid reason. Blocking ICMP does not make you
more secure, either. It will make it slightly more difficult for an attacker
to find you, but only slightly.
See http://www.faqs.org/faqs/computer-security/most-common-qs/section-18.html
for more. See the parent FAQ of that question, too.
Also, as a point of information, there is no such thing as 'The Internet'
anyway. There is a conglomeration of interconnected networks, each with
their own 'junk,' that agree to connect and pass traffic. It is a VERY loose
conglomeration; just follow some of the depeering discussions on NANOG for a
while.
--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
(828)862-5554
www.pari.edu
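The selective policy the post argues for (keep the types the protocol needs, drop the ones it singles out as worth blocking) as an added example; this is not part of Lamar Owen's message or of the fedora-list. It is a POSIX shell script that classifies ICMP types, counts what a constructed sample of observed packets would lose, and prints iptables rules as text for review rather than applying them. The function names, the choice of iptables as the firewall, and the sample packet list are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post: an ICMP filtering policy for a
# Linux host that follows the post's guidance instead of blanket-blocking.

# Classify one ICMP type (and optional code) as "accept" or "drop".
# Types 0, 3, 8 and 11 are the ones the post says you need; 4 and 5 are
# the ones it says may be worth blocking; everything else (including the
# experimental types) is dropped.
icmp_policy() {
    type="$1"
    code="${2:-0}"
    case "$type" in
        0|8) echo accept ;;  # Echo Reply / Echo Request: ping
        3)   echo accept ;;  # Destination Unreachable, all codes, incl. code 4
                             # (fragmentation needed) for Path MTU discovery
        11)  echo accept ;;  # Time Exceeded: TTL expiry, traceroute
        4)   echo drop ;;    # Source Quench: the QoS side effects the post notes
        5)   echo drop ;;    # Redirect: a peer rewriting the host's routes
        *)   echo drop ;;    # unassigned and experimental types
    esac
}

# Read "type code" pairs from stdin (one per line) and return how many of
# them the policy would drop. Useful for checking a proposed policy against
# a capture of the ICMP a host actually receives.
count_dropped() {
    n=0
    while read -r t c; do
        if [ -z "$t" ]; then
            continue
        fi
        if [ "$(icmp_policy "$t" "$c")" = drop ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Print iptables INPUT rules implementing the policy. Nothing is executed;
# the output is meant to be reviewed and then run by an administrator.
emit_rules() {
    # ICMP errors that belong to an existing flow (e.g. fragmentation needed
    # for a TCP session) are accepted by connection tracking first.
    printf 'iptables -A INPUT -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n'
    for t in 0 3 8 11; do
        printf 'iptables -A INPUT -p icmp --icmp-type %s -j ACCEPT\n' "$t"
    done
    # Everything else, including types 4 and 5, is dropped.
    printf 'iptables -A INPUT -p icmp -j DROP\n'
}

# Stand-alone run: print the rule set, then score a constructed sample of
# observed "type code" pairs (hypothetical, not a real capture).
emit_rules
printf '8 0\n5 1\n3 4\n4 0\n11 0\n' | count_dropped
```

Rules are emitted rather than applied so the list can be diffed against what a host already has. The same reasoning applies even more strongly to IPv6, where ICMPv6 also carries neighbor discovery, so a blanket ICMPv6 block breaks basic connectivity on the local link.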