[c-nsp] ICMP filtering policy

lee.e.rian at census.gov lee.e.rian at census.gov
Thu Mar 10 11:02:03 EST 2005


I'd block source-quench; my impression is that it's of marginal utility at
best.  Allowing unreachables in can be helpful in certain situations, the
trade-off being that unreachables can also be used in a DoS attack.

Regards,
Lee


"M.Palis" <security at cytanet.com.cy> wrote on 03/10/2005 05:51:29 AM:

> Hello all
>
> I would like to have your suggestions about an ICMP filtering policy at an ISP
> perimeter network. After some research I figured out that the following
> ICMP filtering policy can be well established in an ISP perimeter network.
> Note that as an ISP we need to have pings and trace routes open and block
> them only for our core IP subnets.
>
>
> deny   icmp any any fragments
> permit icmp any any packet-too-big
> permit icmp any any time-exceeded
> permit icmp any any source-quench
> deny   icmp any *CORE NETWORK Addresses*
> permit icmp any any traceroute
> permit icmp any any echo
> permit icmp any any echo-reply
> deny   icmp any any
>
>
> Waiting for your suggestions
>
>
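The quoted policy with Lee's two suggestions applied (source-quench denied, unreachables permitted), as an added first-match simulation that is not code from the thread. It assumes the Cisco IOS rule order shown above and uses 192.0.2.0/24 as a constructed stand-in for the core network addresses; the point it makes visible is that rule order decides whether time-exceeded still reaches the core (it does, because that permit precedes the core deny) while echo to the core is dropped.

```python
# Added example, not from the thread: a first-match evaluator for the quoted
# ICMP ACL with Lee's suggested changes.  192.0.2.0/24 is a constructed
# placeholder for "*CORE NETWORK Addresses*".
import ipaddress

CORE = ipaddress.ip_network("192.0.2.0/24")  # assumption: ISP core subnet

# Rule tuple: (action, destination network or None for "any",
#              ICMP type name or None for "any", matches non-initial fragments only)
# Listed in the order IOS evaluates them; first match wins.
POLICY = [
    ("deny",   None, None,             True),   # deny   icmp any any fragments
    ("permit", None, "packet-too-big", False),  # needed for PMTU discovery
    ("permit", None, "time-exceeded",  False),  # needed for traceroute replies
    ("permit", None, "unreachable",    False),  # Lee: allow unreachables in
    ("deny",   None, "source-quench",  False),  # Lee: block source-quench
    ("deny",   CORE, None,             False),  # deny   icmp any <core>
    ("permit", None, "traceroute",     False),
    ("permit", None, "echo",           False),
    ("permit", None, "echo-reply",     False),
    ("deny",   None, None,             False),  # explicit deny icmp any any
]


def evaluate(dst, icmp_type, fragment=False):
    """Return (action, index of the matching rule) for one ICMP packet.

    fragment=True models a non-initial fragment: it carries no ICMP header,
    so only rules with the 'fragments' keyword or no type at all can match it.
    """
    dst = ipaddress.ip_address(dst)
    for i, (action, net, typ, frag_only) in enumerate(POLICY):
        if frag_only and not fragment:
            continue                      # 'fragments' rules skip initial packets
        if net is not None and dst not in net:
            continue
        if typ is not None and (fragment or typ != icmp_type):
            continue                      # type unknown on fragments; else must equal
        return action, i
    return "deny", None                   # implicit deny at the end of every ACL


if __name__ == "__main__":
    for dst, typ in [("192.0.2.10", "echo"), ("198.51.100.7", "echo"),
                     ("192.0.2.10", "time-exceeded"), ("198.51.100.7", "source-quench")]:
        print(dst, typ, "->", evaluate(dst, typ))
```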
