#Alternative to untangle firewall software#
To be honest it is smart to filter some outbound ICMP both router level and software firewall level as a extra layer of security. But once again, security advocates err on the side of caution, just in case. Currently none exist in any mainstream OSes. Occasionally there's an ICMP related "ping of death" style vulnerability in an OS. But security research tends to err on the side of silence just to be on the safe side, just in case. Maybe the attacker knowing you have a router is something you're worried about, or more likely it's not. If your router sends an ICMP message back to someone, then that someone knows you have a router. Security issues with ICMP tend to be the more nebulous "information disclosure" issues. The network will operate without ICMP-resilience in the face of packet drops is one of IP's core strengths-but it will operate more slowly, less efficiently, and without the benefit of these signals to help you diagnose and solve problems. Other ICMP messages also include destination host unreachable, fragmentation required, congestion control, TTL exceeded, IP protocol errors, and an number of others. Have a look at ICMP on Wikipedia to get a better idea of what it is and what it's for. It's the "meta" protocol that is used to communicate control messages about the network itself. ICMP exists for a reason, and not all of that reason is ping. Blocking ICMP in its entirety is probably not the best idea, but picking and choosing what you block and to/from where probably will get you what you want. Given all that, my advice is, as always, take a measured and thoughtful approach to your protections.
#Alternative to untangle firewall code#
One can use pings to determine if a host is actually on, or Time Exceededs (as part of a traceroute) to map out network architectures, or Rory forbid a Redirect (type 5 code 0) to change the default route of a host.
Reconnaissance is possible with ICMP and that is generally the reason given for blocking. That's not to say that we should necessarily leave everything open for all the world to see. They use ping to determine the "closest" controller and if none respond, then it is assumed that none are close enough.
Path MTU Discovery - We use a combination of the Don't Fragment flag and type 3 code 4 (Destination Unreachable - Fragmentation required, and DF flag set) to determine the smallest MTU on the path between the hosts.In fact there are two (probably more but these are the most obvious to me) very good cases where you don't want to restrict ICMP. 3 - Destination Unreachable (consists of 16 different kinds of messages ranging from reporting a fragmentation problem up to a firewall reporting that a port is closed)īoth of which can be invaluable for keeping non-malicious hosts operating properly on a network.4 - Source Quench (send by a router to ask a host to slow down its transmissions).Let's look at a couple of the other ICMP type that are available. Most of the time when I talk to people about blocking ICMP they're really talking about ping and traceroute. It would be a bit like tacking >/dev/null 2>&1 to the end of all your cron entries. This makes it insanely valuable so a lot of thought needs to into shutting it down. At its core ICMP was designed as the debugging, troubleshooting, and error reporting mechanism for IP. Compared to other IP protocols ICMP is fairly small, but it does serve a large number of disparate functions.
0 kommentar(er)
