Message-ID: <7568.198.162.158.16.1121206114.squirrel@65.61.200.197>
Date: Tue Jul 12 23:09:56 2005
From: eric at arcticbears.com (Eric Paynter)
Subject: ICMP Security Vulnerabilities - NEW (cough)

On Tue, July 12, 2005 2:42 pm, Vic Vandal said:
> 3) [...]
> I will acknowledge that the first "widely published" discussion
> on the exact topic of ICMP filtering was "probably" in the 1995
> release of "Building Internet Firewalls" (by Chapman and Zwicky).
> I had the book in my desk back then, but left it behind when I
> left the organization that paid for it. IF I still had it, I'd
> gladly quote it directly to verify the exact verbiage/discussion
> of the topic therein.

I just happen to have "Building Internet Firewalls" on my desk, 2nd Edition published in 2000, I guess updated since your version. Although there is a whole chapter on ICMP filtering, the basic advice for source quench is to allow it, so this particular source still didn't know about the problems in 2000. The only relevant quotes I could find were in Chapter 22:

"The other ICMP message types you probably want to allow, both inbound and outbound, are 'source quench' (used by a receiver to tell a sender to 'slow down' because it's sending data too fast) and 'parameter problem'..." p 652

"In general, you want to allow ICMP outbound only when it has the chance of doing you some good. Both 'source quench' and 'parameter problem' are used to get the sending host to be nicer to you and are worth allowing outbound." p 653

And in a summary table for ICMP, under "Permit/Deny", next to "Message Type 4", it says "Should usually be allowed in both directions." p 654

-Eric

--
arctic bears - email and dns services
http://www.arcticbears.com