DELETED_5350

I am guessing that you are using NAT on the firewall?

In that case allow all ICMP except echo (but allow echo-reply), timestamp and redirect (unlikely in your case that you would use them) to your firewall.

Outgoing from your network then allow ICMP out for everything redirect and time exceeded. Timestamps should be allowed when sourced from your network but anything requested outside should be blocked.
 
smoove said:
Yep, using NAT.

Ok, just to confirm, allow:

Echo reply
timestamp
redirect

Incoming : Source any dest any icmp echo-reply.
Source any dest your_fw echo (good idea if your ISP needs to troubleshoot, and is not the end of the world like some would claim)
MTU path discovery Source any dest any
ICMP unreachable Source any dest any

Outgoing : Source your network/firewall to any timestamp.

TBH ICMP is not a big issue. Yes, it can be used to probe your network, but as it's hidden behind a NAT device there isn't much externally visible. It could also be used as part of a DDoS, but it's unlikely that you would be the target of such an attack, and even if this did stop you replying there isn't much you can do about the traffic coming in.
 
Personally I just allow all ICMP; it's really not going to do any harm at all, and blocking it can cause more harm than good (you can stop Path MTU Discovery, for example).
 
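The following is an added example, not code posted by anyone in this thread. It models the ICMP policy described in the second post (inbound echo only to the firewall, inbound timestamp request and redirect dropped, echo-reply / unreachable / time-exceeded accepted; outbound everything except redirect, including timestamp sourced from the LAN) as a small Python filter, and puts a "drop all ICMP" policy beside it to show the Path MTU Discovery problem raised in the last post: the type 3 code 4 "fragmentation needed" message never gets through. The LAN range, the firewall's public address and the sample packets are constructed for the example; ICMP type/code numbers are the standard ones from RFC 792. A real firewall would also use connection tracking to tell a timestamp reply to our own request apart from an unsolicited one, which a stateless model like this cannot do.

```python
import ipaddress
from dataclasses import dataclass

# ICMP type/code numbers from RFC 792 (standard values, not from the thread).
ECHO_REPLY = 0
DEST_UNREACHABLE = 3
FRAG_NEEDED_CODE = 4      # type 3 code 4: "fragmentation needed and DF set", the PMTUD signal
REDIRECT = 5
ECHO_REQUEST = 8
TIME_EXCEEDED = 11
TIMESTAMP_REQUEST = 13
TIMESTAMP_REPLY = 14

# Hypothetical addressing for the example: the NAT'ed LAN and the firewall's
# public address (TEST-NET-3 documentation range).
LAN = ipaddress.ip_network("192.168.1.0/24")
FIREWALL = ipaddress.ip_address("203.0.113.10")


@dataclass(frozen=True)
class Icmp:
    """A minimal ICMP packet: addresses plus type and code."""
    src: str
    dst: str
    typ: int
    code: int = 0


def is_outbound(pkt: Icmp) -> bool:
    """Traffic sourced from the LAN is leaving through the NAT firewall."""
    return ipaddress.ip_address(pkt.src) in LAN


def thread_policy(pkt: Icmp) -> str:
    """The policy worked out in the thread, as a stateless accept/drop decision."""
    if is_outbound(pkt):
        # Outgoing: allow everything except redirect; timestamp from our
        # network is explicitly allowed.
        return "drop" if pkt.typ == REDIRECT else "accept"

    # Incoming (the public side; with NAT the destination is the firewall itself).
    if pkt.typ == ECHO_REQUEST:
        # Echo only to the firewall address, so the ISP can troubleshoot.
        return "accept" if ipaddress.ip_address(pkt.dst) == FIREWALL else "drop"
    if pkt.typ in (TIMESTAMP_REQUEST, REDIRECT):
        # Timestamp requested from outside and redirects are blocked.
        return "drop"
    # Echo-reply, unreachable (including frag-needed for PMTUD), time exceeded
    # and timestamp replies to our own requests are accepted.  A stateful
    # firewall would additionally require the reply to match a request.
    return "accept"


def block_all_icmp(pkt: Icmp) -> str:
    """The 'just drop ICMP' policy the last post warns against."""
    return "drop"


def pmtud_survives(policy) -> bool:
    """Does an inbound 'fragmentation needed' message reach the firewall under this policy?"""
    frag_needed = Icmp("198.51.100.1", str(FIREWALL), DEST_UNREACHABLE, FRAG_NEEDED_CODE)
    return policy(frag_needed) == "accept"


# Constructed sample traffic covering each case discussed in the thread.
SAMPLE_PACKETS = [
    Icmp("198.51.100.7", "203.0.113.10", ECHO_REQUEST),          # ISP pinging the firewall
    Icmp("198.51.100.7", "203.0.113.11", ECHO_REQUEST),          # echo to anything else
    Icmp("198.51.100.7", "203.0.113.10", ECHO_REPLY),            # reply to our ping
    Icmp("198.51.100.7", "203.0.113.10", TIMESTAMP_REQUEST),     # probe from outside
    Icmp("198.51.100.7", "203.0.113.10", REDIRECT),              # redirect from outside
    Icmp("198.51.100.1", "203.0.113.10", DEST_UNREACHABLE, 4),   # frag needed (PMTUD)
    Icmp("198.51.100.1", "203.0.113.10", TIME_EXCEEDED),         # traceroute replies
    Icmp("192.168.1.20", "198.51.100.7", ECHO_REQUEST),          # LAN host pinging out
    Icmp("192.168.1.20", "198.51.100.7", TIMESTAMP_REQUEST),     # timestamp sourced from LAN
    Icmp("192.168.1.20", "198.51.100.7", REDIRECT),              # redirect leaving the LAN
]


def evaluate(policy, packets=SAMPLE_PACKETS) -> list:
    """Return (packet, verdict) pairs for a policy over the sample traffic."""
    return [(p, policy(p)) for p in packets]


if __name__ == "__main__":
    for name, policy in (("thread_policy", thread_policy), ("block_all_icmp", block_all_icmp)):
        print(f"== {name}: PMTUD works = {pmtud_survives(policy)}")
        for p, verdict in evaluate(policy):
            way = "out" if is_outbound(p) else "in "
            print(f"  {way} {p.src:>14} -> {p.dst:<14} type {p.typ:2} code {p.code}: {verdict}")
```

Running it prints each sample packet with its verdict under both policies; the useful line is the PMTUD one, which is accepted by the thread's policy and dropped by the blanket block.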