[c-nsp] ICMP filtering policy
John Kristoff
jtk at northwestern.edu
Thu Mar 10 10:27:39 EST 2005
On Thu, 10 Mar 2005 12:51:29 +0200
"M.Palis" <security at cytanet.com.cy> wrote:
> I would like to have your suggestion about ICMP filtering policy at an ISP
> perimeter network. After some research I figured out that the following
What I prefer to do in almost all circumstances is the following:
! allow incoming PING and ICMP-style traceroute
permit icmp any any echo
! allow ICMP reply to PING or ICMP-style traceroute
permit icmp any any echo-reply
! allow parameter problem style error reports
permit icmp any any parameter-problem
! allow TTL expired error report
permit icmp any any time-exceeded
! allow net/host/protocol/port unreachable error report
permit icmp any any unreachable
! deprecated, unnecessary or undesirable
deny icmp any any
John
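An added example, not part of John's post or of any Cisco tooling: a small first-match evaluator that applies the ICMP ACL above to constructed sample packets, so the effect of the closing "deny icmp any any" on ICMP types the policy does not name (redirect, timestamp request, router advertisement) can be checked offline. The keyword-to-type mapping follows the IOS ACL keywords used in the post; the packet list is constructed test data.

```python
# Added example, not from the original post: applies the ICMP ACL above to
# sample packets so the effect of the final "deny icmp any any" on types the
# policy does not name (redirect, timestamp, router advertisement) is visible.

# IOS ACL ICMP keyword -> ICMP type number (RFC 792).
ICMP_KEYWORDS = {"echo": 8, "echo-reply": 0, "parameter-problem": 12,
                 "time-exceeded": 11, "unreachable": 3}

# The policy as posted; '!' lines are IOS comments and are skipped.
POLICY = """
! allow incoming PING and ICMP-style traceroute
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any parameter-problem
permit icmp any any time-exceeded
permit icmp any any unreachable
deny icmp any any
"""

def parse_acl(text):
    """Return [(action, icmp_type or None)] in the order written."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("!"):
            continue
        action, proto = parts[0], parts[1]
        if action not in ("permit", "deny") or proto != "icmp":
            raise ValueError(f"unsupported entry: {line}")
        # parts[2]/parts[3] are source/destination; both 'any' here.
        icmp_type = ICMP_KEYWORDS[parts[4]] if len(parts) > 4 else None
        rules.append((action, icmp_type))
    return rules

def evaluate(rules, icmp_type):
    """First matching entry wins; an ACL with no match denies implicitly."""
    for action, match_type in rules:
        if match_type is None or match_type == icmp_type:
            return action
    return "deny"

def classify(packets, text=POLICY):
    """Map each (name, icmp_type) constructed packet to its verdict."""
    rules = parse_acl(text)
    return {name: evaluate(rules, t) for name, t in packets}

# Constructed sample packets (type numbers per RFC 792 / RFC 1256).
SAMPLES = [("ping request", 8), ("ttl expired", 11), ("port unreachable", 3),
           ("redirect", 5), ("timestamp request", 13), ("router advert", 9)]
```

Calling `classify(SAMPLES)` returns "permit" for the first three packets and "deny" for the last three.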