ICMP blocking, bad idea or security improvement?

Discussion in 'other firewalls' started by mack_guy911, Aug 24, 2007.

Thread Status:
Not open for further replies.
  1. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I agree 100 % with the arguments exposed by Matousec.
     
  3. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi mack_guy911 :)

    They write:

    « Is this a security improvement? No! In fact disabling ICMP can only cause problems. There is no known bug in implementation of ICMP handling on current versions of major operating systems including Microsoft Windows. There is no sensitive information provided by standard ICMP handlers and thus it has no security impact to leave your machine response to ICMP correctly. »

    Totally stupid. :mad:

    The purpose of the ICMP is to inform network administrator of some events in the network: Local network AND Internet ...

    Let's talk about Internet since it's not a safe place compare to a home LAN (I'm not discussing corporate LAN here.)

    One of the best protection against malicious attemps against your computer is to keep it stealth. Stealth means that your computer never give any feed-back to unsollicited packets of any kind and this included ICMP Types/Codes.

    With a stealth computer the IP address corresponding to this computer is "mute" : is this an IP used by a PC or not? There is no possibility to have an answer ... No feed-back answer to unsollicited TCP, UDP. IGMP, ICMP. Period.

    A PC responding to an unsollicitated ICMP actually provided to the source of this packet a sensitive information: somebody is there: this IP addr. is related to an active computer.

    No bug in ICMP implemetation? Wrong! Here an example: http://kerneltrap.org/node/5382

    No impact leaving ICMP respond "correctly" ? What is a "correct" answer please? Any answer to unsollicitated ICMP packets ? Totally absurd!

    Heres the correct way to implement ICMP over Internet in your firewall:

    Authorise Type 8 code 0 outgoing only (echo)
    Authorise Type 0 code 0 incoming only (echo respond)
    Authorise Type 11 code 0 incoming only (timeout) used by trace route

    Block incoming and outgoing all the other type/code of the ICMP.

    PERIOD.


    I challenge anybody to prove here that this setup for ICMP cause any problem to a PC connected to Internet. I'm waiting ! :shifty:

    Is it true that Matousec is related in some way to Comodo, now a firewall provider and formally a spyware provider... Is it true also that Comodo phone home ?

    Don't only focus to leak test: check with packet sniffer what this FW send over the internet. (May be not only ICMP packets...)

    I confess I have a very bad feeling about this Comodo / Matousec bunch...

    May be I'm wrong but... I'm an "Old Monkey".
    When it's too good to be true.. hmmm hmmm... :eek:

    :cautious:
     
    Last edited by a moderator: Aug 25, 2007
  4. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    When you erase this, i'll erase my post. Until then, i have to say i'm disappointed.
     
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    How is this a security problem? Stealth status adds nothing to security, IMO.
    Right :)
     
  6. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi Pedro :)

    No Sir.
    I will not erase this post.
    The information about ICMP on the matousec web site is misleading and drive me totally furious. :mad:

    And about Comodo I still have some doubt.
    This prove nothing pro or cons but I believed this FW must be checked in depth.
     
  7. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I'm not refering to Matousec, your post is just fine (it's your opinion) until the Comodo part. Unless you have something to show us, don't say that. Coming form a "Look 'n' Stop Expert", this gives the wrong impression too.

    I think you have much to share, you have contributed always in a positive way, and people learn from you. I think this is not good.
    Am i saying i'm a better man? Hell no, i also make big mistakes, i'm saying that i appreciate all you've done here, and i don't want to read this from you of all people, unless backed up.
     
  8. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hello lucas :)

    I agree, on closed ports, no. But when a port is opened (a process/service listening) it may be a good idea to have it stealthted, as it will give a small degree of better protection. But basically you are right, stealthed port with listening process aren't really "invisible". ;)

    Hello Climenole.

    You do have your way with posting, don't you? :D
    I had (and still have) the exact same feeling :cool: But I'll say no more, or I too will be promptly blanked by fans of both C & M... as I have been before.

    Cheers :)
     
  9. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    The fans argument, of course, how could i forget.. My time here is coming to an end.
    Why is the fans argument ridiculous: you're saying the firewall i use on XP phones home, not only that, that they used to make spyware !! , and provide no proof. Nothing to do with fans, but with FUD about my firewall installed right now.
     
  10. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Climenole, I have one quick question. If you are such an advocate of "stealth", then why do you suggest allowing some forms of ICMP? Wouldn't that eradicate the argument that if you don't respond there is no pc there? I don't think the non-existence of a computer is quite the point of "stealth" (or shall we use "filtered" or "dropped" since that is a much better and more accurate term).

    By the way, I am not a proponent of stealth, and I prefer to return a port closed message instead of merely dropping the packets. However, each approach has pros and cons, and since I am not really worried with any huge DDoS being mounted against my personal computer, I am not going to worry about saturation of my upload bringing down my internet connection. But for those with this problem, then there is an advantage to just dropping the packets, with hope that your CPU and downstream can keep up as well :p .

    Cheers,

    Alphalutra1
     
  11. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    hi Climenole,Pedro and Seer

    thanks again for you reviews i also feel some thing strange about company C AND Mr.M

    and regarding calling home i bet outpost also call home through agnitum improvenet....LOL
     
  12. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hello :)

    Pedro buddy, I know you're not addressing me, as I didn't said that... ;)

    EDIT:

    What on earth do you mean by this? o_O :)
     
    Last edited: Aug 24, 2007
  13. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi Pedro :)

    But Pedro: I have that feeling about Comodo (and ZA btw...)
    Nothing else... I say that's prove nothings...

    And I'm not the first one asking question in public about this...

    For the "Title": I don't care of this and I hope you do the same.
    I'm also a MS MVP: I prefer to keep silence on this.

    Be sure I'm not bashing any firewall to push LnS in any way.

    Just check the posts here: when a WS Forum ask question about which FW to choose,
    I always closed my big mouth by respect for the users and because I'm identify with LnS...

    Poeple have the right to choose the FW who fit to their needs and wishes. Any.


    I'm not a perfect man and do not overestimate me please.

    (Overestimate ? hmmm is it the correct english word? :rolleyes:
    I don't care: this is a new word I created today :mad: )

    I'm barking not bitting. *puppy*

    Keep smile.

    :)
     
  14. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    I´have read your posts about networking and I respect your knowledge and try to follow your advices when you talk about Look´n´stop (the firewall that I use), but "having doubts" and "bad feelings" about comodo doesnt say anything. Others have also said that comodo must be doing something bad because they offer a decent firewall for free, but no one have yet put their money where their mouth is.

    Wouldnt it be a breeze for you, with all your knowledge about networking, to find the evil stuff that comodo "must" do? "feelings" and "doubts" doesnt prove anything, every one has them. I have my "feelings" and "doubts" about Norton and FBI, but no one wont believe me because all I have is some internet pages. I would just look like silly conspiracy theorist if I kept on nagging about Nortons connections without any proof.
    Please do some sniffing on comodo traffic and report back what you find. When you find it, Comodo will be out of business and you will be famous. No doubt many will start looking at Look´n´stop instead.
     
  15. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I don't think that either. But i could have a feeling it's exactly that. See where i'm getting at?
    I can link you to a recent post. I don't presume you do it on purpose, but there it is.
    This is who i think you are ;) . A good person. I can make all my posts go away, as i said. I don't enjoy this either.
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have done this many, many times, and also ran comodo for a number of weeks simply to attempt to find any unauthorized connections. I have found nothing.

    @Climenole,
    You are posting FUD concerning Comodo and this "relationship" between comodo and Matousec, either put up (proof of this) or shut up.
     
  17. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Missed this post,
    Seer, sorry, the post you quoted certainly makes that impression.
    Probably just another rash statement. It's hard not to reply, and i get irritated over a forum post. Go figure.
     
  18. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi Stern

    I don't trust a company making this:
    http://www.ca.com/us/securityadvisor/pest/pest.aspx?id=453074930

    and a firewall...

    And I don't shut my big mouth.
     
  19. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi Pedro :)

    This:
    http://www.ca.com/us/securityadvisor/pest/pest.aspx?id=453074930

    How the same poeple can make a spyware "toolbar" and in the same time make a firewall to protect user ... o_O

    How it's possible to trust these guy?

    I still have a bad feeling. That's hurt believers ? Fine: Good bye !

    Period.

    :(
     
    Last edited: Aug 24, 2007
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I remember this,.... and looking into this,.... and the reasons it was added..., and then these "spyware" programs then removed this from their lists.

    I have noticed
     
  21. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Climenole, researching provides me another answer.
    First time i searched this, took me 1 minute. I wasn't aware of the issue, and the fact that it's buried already..
     
  22. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    There's advantages and disadvantages to blocking different ICMP packets, to what extent depends on some things, Workstation or Server? Networking? Software used?

    Matousec boldly mentions "Attacking software is usually implemented to attack services on their TCP and UDP ports directly without checking whether the host is alive using pings.", this is accurate statement, but for instances, LAN attacks, regardless the machines count, PINGs followed by attacks are fairly common from my observations.

    ICMP can be taking advantage of, one example is the ICMP Tunneling http://www.phrack.org/issues.html?issue=49&id=6&mode=txt ...

    And what about the old +++ATH0 exploit? http://www.securityspace.com/smysecure/catid.html?id=10020

    And more ways of being misused, ICMP: Smurf DoS https://services.netscreen.com/restricted/sigupdates/nsm-updates/HTML/ICMP:EXPLOIT:LAN-SMURF.html

    And Climenole have already posted URL for others...


    Regarding invisibility, I rather have invisibility then visibility, I seen many cases where visibility lead to more curiosity, invisibility however indicates protected / firewalled user, meaning to most, usually a complete waste of time and resources unless user specifically targeted, then more dedication and time can very well be spent regardless.


    As for Comodo PF and it's reputation, I have followed back in 2006 the topic 'Is Trusttoolbar Spyware?' on the COMODO forum (follow the the link in Pedro post #21), and I have to say, I'm one of many who believes what's being said by Melih. Melih has to much to loose, and everyone knows, and this is why COMODO being examined on a daily-bases by skilled folks in hopes of bringing COMODO down. If COMODO has ANY unusual activity, we here be among the first to know, and surely by now!!
     
  23. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi Pedro :)

    I read this too...

    trust toolbar is not a spyware ? And who answer to this question:

    Melih
    Comodo's Hero
    Administrator
    Comodo's Hero

    :shifty:


    CastleCops:
    http://www.castlecops.com/atxlist-786.html

    They are wrong too ?

    Have a Nice week end.

    :)
     
  24. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi Phant0m :)

    First thank you for your post. (I feel a bit less alone...)

    I hope this is true and there's nothings wrong with this FW.

    (Still have the same "feeling" for that one and ZA. May be I'm now a paranoiac and a security nut. This happen sometimes ... ;-)

    Have a nice week end.

    :)
     
  25. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
Loading...
Thread Status:
Not open for further replies.