Subject: Re: SOLVED! The cause of puzzling TCP (eg. WHOIS) connection failures with some InterNIC.net hosts
To: NetBSD Networking Technical Discussion List <tech-net@netbsd.org>
From: Henry Miller <hank@black-hole.com>
List: tech-net
Date: 11/21/1998 23:51:25
On Sat, 21 Nov 1998, Greg A. Woods wrote:

> > Ah, but I think people have to fix the firewalls. Lots and lots of
> > machines are doing PMTU discovery. If you filter all ICMP, well, lots
> > of connections to you are going to lose, not just ours if you have
> > PMTU on.
> Sure, people *should* fix their firewalls.  Commercial firewalls
> probably shouldn't allow such stupid rules to be imposed in the first
> place.

No, there are valid reasons to disable ICMP.  There is NO valid reason to
let anyone administer a firewall who does not understand all the issues
we have talked about.  Administering a firewall is not a set it and leave
it game, it requires attention.  Anyone who sets up a firewall to block
ICMP, and who cannot explain why, should be FIRED!  Most of us don't
administer firewalls for three letter government agencies.  (I don't, but
marketing tells me that ICMP filtering is a requirement for such people.
They also understand all of the discussion above.)

> However the people feeling the pain of broken PMTUD are often not the
> administrators of the broken firewalls (or even the direct users of the
> broken firewalls).

Once again, there are valid reasons to block ICMP.  If the firewall
administrator has one, then the user is probably attempting something that
should not be attempted, or the administrator will assist the user in
setting up their computer so it can function without ICMP.  If the
administrator does not have a valid reason to block ICMP, he is obviously
incompetent, and the people affected should start getting their boss to
talk to upper management and get the incompetent fired before a hole in the
firewall costs the company.

> If indeed PMTUD is not robust by design (eg. it permits an intermediate
> party to cause connections to fail) then the protocol is what really
> needs fixing, not the "broken" firewalls.

A broken firewall should be fixed (if indeed it is broken; I will agree
with anyone who says that there are not many reasons, since there are not
many valid reasons to block ICMP), but that does not mean that any brokenness
in PMTUD should not be fixed.

For those who wonder why you would want to disable ICMP, consider how easy
it would be to write a program to transfer files from a secure network
to an insecure one, over ICMP.  Given that the user can modify the
operating system, a good bet for a PC, where a person can modify something
at home, burn it to CD, and then start sniffing the network and sending
the result to a foreign country.  I'm willing to bet someone on this
mailing list can do that rather easily if they wanted.  Firewalls to
protect against the above attack must be very tough if they are to connect
to the internet.  They also can't be administered by an idiot; I'm not
entirely sure that anyone on this list can design rules to completely
protect against the above while still allowing needed access.

--
      http://blugill.home.ml.org/    
      hank@black-hole.com
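The two sides of this thread (a "block all ICMP" rule silently breaks Path MTU Discovery, while ICMP echo is a plausible covert carrier) can be made concrete in a few lines. The following is an added example written for this page; it is not code from Henry Miller, Greg Woods or NetBSD. It parses ICMP messages from raw bytes, evaluates them against two hypothetical filter policies, and applies a simple defender-side payload-size heuristic to echo traffic. The policy names, the 64-byte threshold and all sample packets are constructed for illustration; only the ICMP header layout (RFC 792) and the Next-Hop MTU field of the type 3 code 4 message (RFC 1191) come from the standards.

```python
"""
Added example: why dropping all ICMP breaks PMTUD, and a minimal size check
a defender can run on echo traffic.  Sample packets are constructed inline,
so this runs offline with no raw sockets.
"""
import struct
from dataclasses import dataclass
from typing import Optional

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4          # code under type 3 (RFC 1191 "fragmentation needed")
ICMP_ECHO_REQUEST = 8


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class IcmpMessage:
    type: int
    code: int
    checksum_ok: bool
    next_hop_mtu: Optional[int]   # only set for type 3 code 4
    payload: bytes                # everything after the 8-byte ICMP header


def parse_icmp(raw: bytes) -> IcmpMessage:
    """Decode the fixed 8-byte ICMP header and verify its checksum."""
    if len(raw) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, _csum, rest = struct.unpack("!BBHI", raw[:8])
    mtu = None
    if icmp_type == ICMP_DEST_UNREACH and code == ICMP_FRAG_NEEDED:
        mtu = rest & 0xFFFF       # RFC 1191: unused(16) | Next-Hop MTU(16)
    return IcmpMessage(icmp_type, code, internet_checksum(raw) == 0, mtu, raw[8:])


def build_icmp(icmp_type: int, code: int, rest: int, payload: bytes) -> bytes:
    """Assemble a message with a correct checksum (used only to build samples)."""
    header = struct.pack("!BBHI", icmp_type, code, 0, rest)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, rest) + payload


# Hypothetical inbound policies.  "block_all" is the rule the thread complains
# about; "pmtud_safe" admits only the error message a sending host must hear
# from the path for PMTUD to work.
POLICIES = {
    "block_all": frozenset(),
    "pmtud_safe": frozenset({(ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED)}),
}


def permitted(msg: IcmpMessage, policy: str) -> bool:
    """A message passes only if it is well-formed and its type/code is listed."""
    return msg.checksum_ok and (msg.type, msg.code) in POLICIES[policy]


def pmtud_works(policy: str, frag_needed: bytes) -> bool:
    """PMTUD succeeds only if the router's frag-needed message reaches the sender."""
    msg = parse_icmp(frag_needed)
    return permitted(msg, policy) and msg.next_hop_mtu is not None


def echo_payload_suspicious(msg: IcmpMessage, max_payload: int = 64) -> bool:
    """Defender heuristic (threshold is an assumption): echo payloads much larger
    than an ordinary ping carries are worth inspecting."""
    if msg.type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return False
    return len(msg.payload) > max_payload


# Constructed samples.  The 28 zero bytes stand in for the original IP header
# plus 8 bytes of the too-large datagram that a real router would echo back.
SAMPLE_FRAG_NEEDED = build_icmp(ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 1400, b"\x00" * 28)
SAMPLE_PING = build_icmp(ICMP_ECHO_REQUEST, 0, (0x1234 << 16) | 1, b"\x00" * 56)
SAMPLE_LARGE_ECHO = build_icmp(ICMP_ECHO_REQUEST, 0, (0x1234 << 16) | 2, b"\x00" * 1000)

if __name__ == "__main__":
    for name in POLICIES:
        print(f"{name:11s} PMTUD works: {pmtud_works(name, SAMPLE_FRAG_NEEDED)}")
    for label, pkt in (("ping", SAMPLE_PING), ("large echo", SAMPLE_LARGE_ECHO)):
        print(f"{label:11s} suspicious: {echo_payload_suspicious(parse_icmp(pkt))}")
```

Under "block_all" the 1400-byte Next-Hop MTU never reaches the sender, so it keeps emitting packets the path cannot carry; under "pmtud_safe" it does, while ordinary echo is still refused. The size heuristic is deliberately crude: a real deployment would also rate-limit echo and compare request and reply payloads, but even this check separates a 56-byte ping from a 1000-byte echo.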