Should I allow this?

Discussion in 'LnS English Forum' started by jon_fl, Jun 16, 2005.

Thread Status:
Not open for further replies.
  1. jon_fl

    jon_fl Registered Member

    Joined:
    Sep 4, 2004
    Posts:
    242
    I get a lot of Type 3 Code 4 in the log that does not allow me to fully open certain web pages. I need to make a rule to allow my computer to receive and to send packets of type 3 Code 4 on ICMP protocol. Any problems with doing this?
     
  2. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    Sometimes I get an ICMP type:3 code:3, which is a "destination unreachable" response.
    I have never seen "code:4", so I do not know of possible dangers when allowing this type of packets.

    Usually you receive ICMP type 3 logs when for example your DNS server is not responding.

    You could try reading this here below for more information:
    http://www.networksorcery.com/enp/protocol/icmp/msg3.htm

    Thomas
     
  3. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Hi Jon,

    The "correct" configuration of ICMP filters in a firewall is hotly debated. The problem is that ICMP are the "control messages" for TCP/IP. If you block some incoming ICMP, then you will break communication.

    The absolute minimum ICMP traffic to allow is the packets dealing with TCP path MTU discovery. Fragmenting a stream is more efficient at the TCP layer rather than the IP layer, so the TCP layer will try to discover when IP packets are being inadvertently fragmented. They do this by setting the "DF" (Don't Fragment) on all outgoing packets. When a router cannot forward the packet because it is too big, rather than fragmenting it, it sends back a "fragmentation needed" ICMP packet (type=3/code=4). The TCP stack then starts sending smaller IP packets, segmenting the data at the TCP layer rather than allowing routers to fragment at the IP layer. Therefore, firewalls must be configured to allow incoming ICMP type=3, code=4 packets.

    Quoted from this web site.

    Regards,

    Jaws
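
One way to check a logged type 3 / code 4 message the way a stateful firewall would, as an added example (Python; not code from this thread or from Look 'n' Stop): it parses the ICMP header, verifies the checksum, reads the Next-Hop MTU field (RFC 1191) and the echoed original IP header, and only honours the message if that header matches a DF-marked flow this host actually sent. The addresses, ports and MTU in the sample are constructed values.

```python
import struct
from typing import Optional, Set, Tuple

ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, MIN_PMTU = 3, 4, 68   # RFC 1191 minimum usable MTU
IP_FLAG_DF = 0x4000   # "Don't Fragment" bit in the IPv4 flags/fragment-offset word
Flow = Tuple[str, str, int, int, int]   # (src, dst, proto, sport, dport) of traffic we sent

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; a valid message verifies to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_frag_needed(icmp: bytes) -> Optional[Tuple[int, Flow, bool]]:
    """Return (next_hop_mtu, echoed flow, df_set) for a well-formed type 3 / code 4 message."""
    if len(icmp) < 8 + 20 + 8:          # ICMP header + inner IPv4 header + 8 payload bytes
        return None
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, code) != (ICMP_DEST_UNREACH, CODE_FRAG_NEEDED) or icmp_checksum(icmp) != 0:
        return None
    inner = icmp[8:]                    # the original datagram's IP header + 8 bytes
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    df_set = bool(struct.unpack("!H", inner[6:8])[0] & IP_FLAG_DF)
    proto = inner[9]
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4]) if proto in (6, 17) else (0, 0)
    return mtu, (src, dst, proto, sport, dport), df_set

def accept_for_flows(icmp: bytes, sent_flows: Set[Flow]) -> Optional[int]:
    """Stateful check: honour the MTU only for a flow we sent with DF set and a plausible value."""
    parsed = parse_frag_needed(icmp)
    if parsed is None:
        return None
    mtu, flow, df_set = parsed
    return mtu if flow in sent_flows and df_set and mtu >= MIN_PMTU else None

def build_sample() -> bytes:
    """Constructed sample: router reports MTU 1400 for our DF TCP segment 192.0.2.10:51234 -> 198.51.100.7:443."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, IP_FLAG_DF, 64, 6, 0,
                           bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    inner_l4 = struct.pack("!HHI", 51234, 443, 1000)   # first 8 bytes of the TCP header
    body = struct.pack("!BBHHH", 3, 4, 0, 0, 1400) + inner_ip + inner_l4
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]
```

A message whose echoed header does not match any connection this host opened, or whose checksum fails, is dropped rather than allowed to shrink the path MTU.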
     