On Wed, Apr 25, 2007 at 10:40:45PM +0200, Timo Schoeler wrote:
> On Wed, 25 Apr 2007 20:19:42 +0000 (UTC)
> Tobias Weingartner <[EMAIL PROTECTED]> wrote:
>
> > Chad M Stewart wrote:
> > > On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
> > > >
> > > > pass in inet proto icmp all icmp-type $icmp_types keep state
> > >
> > > This can be used as a covert communication channel. Allowing
> > > internal IPs to send/receive ping is bad.
> >
> > Bull. Not allowing ICMP is just as bad. Worse actually, as you
> > are violating RFCs. Quit spreading this FUD.
>
> hi,
>
> actually, me thinks the same about allowing/denying ICMP as you,
> tobias. however, we recently had a CCIE/NSA certified blahblah guy in
> our company, tuning our, err, Cizcoooeee equipment.
>
> guess what he did -- he violated 'the RFCs'.
>
> unfortunately, i wasn't able to find them on the net. do you have them
> handy? i'm very curious about that :)
In general, though, it will almost always be possible to get data in/out
of the network. IP-over-DNS comes to mind. If this particular vector is
used by a widely deployed worm, it might be worth it; but otherwise,
just ignore it.
Do you intend to ask where 'the RFCs' are? (If so, www.ietf.org is a
good choice.) Or in what RFC this particular requirement is? (No real
idea...)
Joachim
--
TFMotD: kadmin (8) - Kerberos administration utility
