Mike Civil wrote:
> In article <MPG.1da0ce0767ee57f198a124@news-server.columbus.rr.com>,
> Leythos <void@nowhere.lan> wrote:
>
>>Errors are not fixed by ICMP and are not going to cause a failure in
>>communications. You can still get the data.
>
>
> What the hell are you talking about, or are you being deliberately
> obtuse? At some time in the future your company may be in a position
> where data isn't getting through because of a problem in the intervening
> path, and the only way an intermediate device can advise you of the
> reason is by sending ICMP. Which it sounds like you are filtering out.
>
> Mike

A problem with an upstream route or router is in what is called an SEP
field: Someone Else's Problem. There is no way you could do anything
yourself to fix it as you don't have access. I have been in exactly the
situation you describe (random routing dropouts in a VPN path) and the
SEP rule applied. The solution was to contact the ISP that owned the box
(the E in SEP) and have them fix it.

The cause in this instance was a box on the border of 2 network types
(ADSL and VDSL) stopping routing properly between the 2 networks
whenever a techo from the VDSL backbone provider logged in to it.

The diagnosis for this obviously required echo replies back in. Also
having traceroute data for the path most traffic would take under normal
circumstances recorded to enable future diags. I basically rang the ISP
involved and said traffic from A to B is failing between boxes X and Y.

My understanding of Leythos' statements is that ICMP is allowed between
those he trusts, outbound is allowed, but unsolicited inbound from every
other sod on the planet is dropped. Which seems normal to me.

Interestingly enough, after the Welchia type worms that came out most,
if not all, ISPs blocked pings going into and out of their network
ranges in this country. Tracert is also badly affected, which makes
diagnostics a nightmare at times.

E.
Received on Sat Oct 15 04:35:30 2005
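
Added example, not part of the original thread: a small Python model of the policy described in the message above (trusted peers allowed, outbound allowed, unsolicited inbound dropped). It assumes a stateful filter that also admits ICMP errors quoting a flow the host itself started; the class name, addresses and packets are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
ICMP_ERRORS = {DEST_UNREACH, TIME_EXCEEDED}
# Constructed trusted range (RFC 5737 documentation addresses).
TRUSTED = [ip_network("192.0.2.0/24")]

Flow = Tuple[str, str, int]  # (protocol, remote address, port or echo id)

@dataclass
class InboundIcmp:
    src: str                       # who sent this ICMP packet to us
    icmp_type: int
    echo_id: Optional[int] = None  # set on echo request/reply
    quoted: Optional[Flow] = None  # original flow quoted inside an ICMP error

class IcmpPolicy:
    """Hypothetical stateful filter: trusted peers, answers to our own traffic, nothing else."""

    def __init__(self) -> None:
        self.outbound = set()      # flows this host has originated

    def record_outbound(self, flow: Flow) -> None:
        self.outbound.add(flow)

    def decide(self, pkt: InboundIcmp) -> str:
        if any(ip_address(pkt.src) in net for net in TRUSTED):
            return "accept: trusted peer"
        if pkt.icmp_type == ECHO_REPLY and ("icmp", pkt.src, pkt.echo_id) in self.outbound:
            return "accept: reply to our echo request"
        # Errors come from routers we never talked to; match on the quoted flow instead.
        if pkt.icmp_type in ICMP_ERRORS and pkt.quoted in self.outbound:
            return "accept: error for our outbound flow"
        return "drop: unsolicited"

def demo():
    fw = IcmpPolicy()
    fw.record_outbound(("udp", "198.51.100.7", 33434))   # traceroute-style probe
    fw.record_outbound(("icmp", "198.51.100.7", 4242))   # outbound ping
    packets = [  # constructed samples
        InboundIcmp("203.0.113.1", TIME_EXCEEDED, quoted=("udp", "198.51.100.7", 33434)),
        InboundIcmp("198.51.100.7", ECHO_REPLY, echo_id=4242),
        InboundIcmp("203.0.113.50", ECHO_REQUEST, echo_id=1),
        InboundIcmp("192.0.2.10", ECHO_REQUEST, echo_id=1),
        InboundIcmp("203.0.113.50", DEST_UNREACH, quoted=("tcp", "198.51.100.9", 443)),
    ]
    return [fw.decide(p) for p in packets]

if __name__ == "__main__":
    for line in demo():
        print(line)
```

The first sample is the case the quoted poster raises: a time-exceeded error from an intermediate router is accepted because it quotes a flow this host started, even though the router itself is not a trusted peer.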