RE: [FW1] ICMP redirect
I discuss ICMP Redirects and their risks in my book (Network Application Frameworks, page 129).

It is intended for situations where a LAN has more than one connected router, and an IP device such as a workstation is configured to always direct datagrams destined for another IP subnetwork to a single default router on its connected LAN. If this default router recognizes that it does not have the lowest-cost route to the destination, it will inform the workstation via an ICMP redirect packet to send its datagrams to the other IP router on the same IP subnetwork having the lower-cost route. The workstation will extract the IP address of the lower-cost IP router from the ICMP redirect packet, send an ARP request on the LAN to determine the physical address of the lower-cost IP router, and then forward the appropriate datagrams to it.

Despite its good intentions, the ICMP redirect feature can present a security risk. If you don't need it, it should be disabled in your routers/network. It can allow a hacker to send phony redirect messages to your routers and workstations, forcing them to route traffic through the hacker's computer.

Regards,
Eric

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Reed Mohn, Anders
Sent: Tuesday, July 10, 2001 8:53 AM
To: Fw-1-Mailinglist (E-mail)
Subject: [FW1] ICMP redirect

I've already configured our FW to only accept certain ICMP packets, but what about ICMP redirect? Is there any compelling reason not to allow this? (Apart from the same reasons as for other ICMP packets...)

I need to let through ICMP redirect from a specific router, but would like to avoid creating a separate rule for it (my rule base is growing too much..). I'm hoping to get away with just adding it to my "generally accepted" incoming ICMP types.
Cheers,
Anders :)

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
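The checks a host should apply before honouring a redirect, as an added Python example that is not from the thread or from Eric's book: it decodes an IPv4 datagram carrying an ICMP redirect and applies the RFC 1122 (section 3.2.2.2) acceptance rules, so the phony redirect Eric describes is discarded instead of changing the routing table. The host address, subnet, default router and sample packets are constructed, and build_redirect is a helper of this example only.

```python
import ipaddress
import struct

ICMP_REDIRECT = 5  # ICMP type 5 (RFC 792); codes 0-3 are the defined redirect codes
MY_ADDR = ipaddress.IPv4Address("10.0.0.5")     # constructed: this host
MY_NET = ipaddress.IPv4Network("10.0.0.0/24")   # constructed: its connected LAN
DEFAULT_GW = ipaddress.IPv4Address("10.0.0.1")  # constructed: its default router

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def redirect_acceptable(packet: bytes, current_gw=DEFAULT_GW):
    """Apply the RFC 1122 3.2.2.2 rules to an IPv4 datagram carrying ICMP.
    A redirect failing any rule is the spoof the thread warns about: ignore it."""
    ihl = (packet[0] & 0x0F) * 4
    sender = ipaddress.IPv4Address(packet[12:16])
    icmp = packet[ihl:]  # type, code, checksum, gateway, then the triggering datagram
    if len(icmp) < 36 or icmp[0] != ICMP_REDIRECT or icmp[1] > 3:
        return False, "not a well-formed ICMP redirect"
    if icmp_checksum(icmp) != 0:
        return False, "bad ICMP checksum"
    if sender != current_gw:
        return False, "sender is not the current first-hop router"
    gateway, inner = ipaddress.IPv4Address(icmp[4:8]), icmp[8:]
    if gateway not in MY_NET:
        return False, "new gateway is not on the connected subnet"
    if ipaddress.IPv4Address(inner[12:16]) != MY_ADDR:
        return False, "embedded datagram was not sent by this host"
    return True, "route %s via %s" % (ipaddress.IPv4Address(inner[16:20]), gateway)

def build_redirect(sender: str, gateway: str, orig_src: str, orig_dst: str) -> bytes:
    """Construct a sample redirect datagram (IP header checksums left zero)."""
    ip4 = lambda a: ipaddress.IPv4Address(a).packed
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                        ip4(orig_src), ip4(orig_dst)) + b"\x00" * 8
    body = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, ip4(gateway)) + inner
    body = body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, 1, 0,
                        ip4(sender), MY_ADDR.packed)
    return outer + body
```

A host that does not need redirects at all should simply be configured to ignore them, as Eric suggests; the checks above are the minimum for a host that must accept them from one known router.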