[c-nsp] ICMP filtering policy
lee.e.rian at census.gov
Thu Mar 10 11:02:03 EST 2005
I'd block source-quench; my impression is that it's of marginal utility at
best. Allowing unreachables in can be helpful in certain situations, the
trade-off being that unreachables can also be used in a DoS attack.
Regards,
Lee
"M.Palis" <security at cytanet.com.cy> wrote on 03/10/2005 05:51:29 AM:
> Hello all
>
> I would like to have your suggestions about an ICMP filtering policy at an ISP
> perimeter network. After some research I figured out that the following
> ICMP filtering policy can be well established in an ISP perimeter network.
> Note that as an ISP we need to have pings and traceroutes open and block
> them only for our core IP subnets.
>
>
> deny icmp any any fragments
> permit icmp any any packet-too-big
> permit icmp any any time-exceeded
> permit icmp any any source-quench
> deny icmp any *CORE NETWORK Addresses*
> permit icmp any any traceroute
> permit icmp any any echo
> permit icmp any any echo-reply
> deny icmp any any
>
>
> Waiting for your suggestions
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
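The following is an added example, not code from either poster: a small first-match evaluator for an ordered, Cisco-style ICMP ACL, so the policy quoted above and the variant Lee suggests (source-quench dropped, unreachables admitted for non-core destinations) can be checked offline against sample packets. It assumes 192.0.2.0/24 (a documentation range) in place of the "*CORE NETWORK Addresses*" placeholder, and it simplifies non-initial fragment handling: only entries carrying the `fragments` keyword or pure Layer-3 entries match a fragment, which is enough here because the leading `deny ... fragments` entry catches them all.

```python
"""First-match evaluation of an ordered ICMP ACL (added example, not from the thread).

Assumptions: the core range 192.0.2.0/24 stands in for the poster's
placeholder; non-initial fragments are matched only by 'fragments' entries
or by entries with no ICMP keyword (simplification of IOS behaviour).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# ICMP type/code behind the IOS keywords used in the thread. A code of None
# means "any code of this type".
ICMP_KEYWORDS = {
    "echo": (8, None),
    "echo-reply": (0, None),
    "unreachable": (3, None),
    "packet-too-big": (3, 4),
    "source-quench": (4, None),
    "time-exceeded": (11, None),
    "traceroute": (30, None),
}

# The policy as posted, with 192.0.2.0/24 substituted for the core placeholder.
OP_ACL = """
deny icmp any any fragments
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any source-quench
deny icmp any 192.0.2.0 0.0.0.255
permit icmp any any traceroute
permit icmp any any echo
permit icmp any any echo-reply
deny icmp any any
"""

# Variant following Lee's reply: no source-quench, unreachables permitted
# but only after the core deny so they never reach core addresses.
ADJUSTED_ACL = """
deny icmp any any fragments
permit icmp any any packet-too-big
permit icmp any any time-exceeded
deny icmp any 192.0.2.0 0.0.0.255
permit icmp any any unreachable
permit icmp any any traceroute
permit icmp any any echo
permit icmp any any echo-reply
deny icmp any any
"""


@dataclass(frozen=True)
class Packet:
    dst: str
    icmp_type: int
    icmp_code: int = 0
    fragment: bool = False  # True for a non-initial fragment (no ICMP header)


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ip_network("0.0.0.0/0")
    if tok == "host":
        return ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    # A Cisco wildcard mask is an inverted netmask: count its one bits.
    prefix = 32 - bin(int(ip_address(wildcard))).count("1")
    return ip_network(f"{tok}/{prefix}", strict=False)


def parse_acl(text):
    """Return a list of (action, dst_network, (type, code) or None, fragments_flag)."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if proto != "icmp":
            raise ValueError(f"only icmp entries are handled: {line}")
        _parse_addr(rest)          # source address: not used for matching here
        dst = _parse_addr(rest)
        match, frag = None, False
        if rest:
            if rest[0] == "fragments":
                frag = True
            else:
                match = ICMP_KEYWORDS[rest[0]]
        rules.append((action, dst, match, frag))
    return rules


def evaluate(rules, pkt):
    """Return (action, rule_index) for the first matching entry; implicit deny at the end."""
    for i, (action, dst, match, frag) in enumerate(rules):
        if ip_address(pkt.dst) not in dst:
            continue
        if frag:
            if pkt.fragment:
                return action, i
            continue
        if pkt.fragment and match is not None:
            continue               # keyword entries need the ICMP header (simplification)
        if match is not None:
            t, c = match
            if pkt.icmp_type != t or (c is not None and pkt.icmp_code != c):
                continue
        return action, i
    return "deny", None


if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.10 plays a customer-facing address.
    samples = [
        Packet("203.0.113.10", 3, 1),   # host-unreachable toward a customer
        Packet("192.0.2.1", 3, 4),      # packet-too-big toward the core
        Packet("192.0.2.1", 8),         # ping toward the core
        Packet("203.0.113.10", 4),      # source-quench toward a customer
        Packet("203.0.113.10", 8, fragment=True),
    ]
    for name, acl in (("posted", parse_acl(OP_ACL)), ("adjusted", parse_acl(ADJUSTED_ACL))):
        for p in samples:
            print(name, p, "->", evaluate(acl, p))
```

Two things the run makes visible: in the posted policy every unreachable other than packet-too-big (3/4) falls through to the final deny, which is the behaviour Lee's remark about unreachables is weighing; and because the packet-too-big and time-exceeded permits precede the core deny, those types still reach core addresses, which is what keeps path-MTU discovery and traceroute working for the core while the later deny stops pings to it.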