Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
474
Views
0
Helpful
1
Replies

Should I open up ICMP Unreachables for rfc1191?

dlac455
Level 1
Level 1

‎01-10-2002 08:01 AM - edited ‎03-08-2019 09:32 PM

After upgrading PIX to 6.1.1, I noticed:

Jan 10 09:30:25 10.10.0.1 Jan 10 2002 09:30:01: %PIX-3-106014: Deny inbound icmp src outside:xx.xx.xx.xx dst perimeter1:xx.xx.xx.xx(type 3, code 4)

Is this rfc1191 traffic coming back?

Am I going to have to open everything up to ICMP Unreachables to accommodate rfc1191?

Labels:
0 Helpful
1 Reply 1

rrbleeker
Level 1
Level 1

‎01-14-2002 08:16 AM

Depends on what you consider important or a security violation. I have several customers who decided not to allow ICMP through the firewall. Sofar it hasn't given them significant problems.

You can filter ICMP traffic by type, but (alas) not by code. This would make the decision to allow some unreachable messages through and not others.

0 Helpful
Customers Also Viewed These Support Documents