| Application | ICMP Type | ICMP Code | Description |
| --- | --- | --- | --- |
| ICMP-ANY | all | all | ICMP-ANY affects any protocol using ICMP. Denying ICMP-ANY impairs any attempt to ping or monitor a network using ICMP. Permitting ICMP-ANY allows all ICMP messages. |
| ICMP-ADDRESS-MASK | 17, 18 | 0 | ICMP address mask query is used by systems that need the local subnet mask from a bootstrap server. Denying ICMP address mask request messages can adversely affect diskless systems. Permitting ICMP address mask request messages might allow others to fingerprint the operating system of a host in your network. |
| ICMP-DEST-UNREACH | 3 | 0 | ICMP destination unreachable error message indicates that the destination host is configured to reject the packets. Codes 0, 1, 4, or 5 can be from a gateway. Codes 2 or 3 can be from a host (RFC 792). Denying ICMP destination unreachable error messages can remove the assumption that a host is up and running behind a J-series or SRX-series device. Permitting ICMP destination unreachable error messages can allow some assumptions, such as security filtering, to be made about the network. |
| ICMP Fragment Needed | 3 | 4 | ICMP fragmentation error message indicates that fragmentation is needed but the don't fragment flag is set. We recommend denying these messages from the Internet to an internal network. |
| ICMP Fragment Reassembly | 11 | 1 | ICMP fragment reassembly time exceeded error indicates that a host reassembling a fragmented message ran out of time and dropped the packet. This message is sometimes sent. We recommend denying these messages from the Internet (external) to the trusted (internal) network. |
| ICMP-HOST-UNREACH | 3 | 1 | ICMP host unreachable error messages indicate that routing table entries do not list a particular host, or list it as infinity. Sometimes this error is sent by gateways that cannot fragment when a packet requiring fragmentation is received. We recommend denying these messages from the Internet to a trusted network. Permitting these messages allows others to determine your internal hosts' IP addresses by a process of elimination, or to make assumptions about gateways and fragmentation. |
| ICMP-INFO | 15, 16 | 0 | ICMP-INFO query messages allow diskless host systems to query the network and self-configure. Denying ICMP information request messages can adversely affect diskless systems. Permitting ICMP information request messages might allow others to broadcast information queries to a network segment to determine computer type. |
| ICMP-PARAMETER-PROBLEM | 12 | 0 | ICMP parameter problem error messages notify you when incorrect header parameters are present and have caused a packet to be discarded. We recommend denying these messages from the Internet to a trusted network. Permitting ICMP parameter problem error messages allows others to make assumptions about your network. |
| ICMP-PORT-UNREACH | 3 | 3 | ICMP port unreachable error messages indicate that gateways processing datagrams requesting certain ports are unavailable or unsupported in the network. We recommend denying these messages from the Internet to a trusted network. Permitting ICMP port unreachable error messages can allow others to determine which ports you use for certain protocols. |
| ICMP-PROTOCOL-UNREACH | 3 | 2 | ICMP protocol unreachable error messages indicate that gateways processing datagrams requesting certain protocols are unavailable or unsupported in the network. We recommend denying these messages from the Internet to a trusted network. Permitting ICMP protocol unreachable error messages can allow others to determine what protocols your network is running. |
| ICMP-REDIRECT | 5 | 0 | ICMP redirect network error messages are sent by a J-series or SRX-series device. We recommend denying these messages from the Internet to a trusted network. |
| ICMP-REDIRECT-HOST | 5 | 1 | ICMP redirect messages indicate that datagrams destined for the specified host are to be sent along another path. |
| ICMP-REDIRECT-TOS-HOST | 5 | 3 | ICMP redirect type of service (TOS) and host error is a type of message. |
| ICMP-REDIRECT-TOS-NET | 5 | 2 | ICMP redirect TOS and network error is a type of message. |
| ICMP-SOURCE-QUENCH | 4 | 0 | ICMP source quench error message indicates that a device does not have the buffer space available to accept, queue, and send the packets on to the next hop. Denying these messages will neither help nor impair internal network performance. Permitting these messages can allow others to know that a device is congested, making it a viable attack target. |
| ICMP-SOURCE-ROUTE-FAIL | 3 | 5 | ICMP source route failed error message. We recommend denying these messages from the Internet (external). |
| ICMP-TIME-EXCEEDED | 11 | 0 | ICMP time-to-live (TTL) exceeded error message indicates that a packet's TTL setting reached zero before the packet reached its destination. This ensures that older packets are discarded before resent ones are processed. We recommend denying these messages from a trusted network out to the Internet. |
| ICMP-TIMESTAMP | 13, 14 | 0 | ICMP-TIMESTAMP query messages provide the mechanism to synchronize time and coordinate time distribution in a large, diverse network. |
| Ping (ICMP ECHO) | 8 | 0 | Ping is a utility to determine whether a specific host is accessible by its IP address. Denying ping functionality removes your ability to check whether a host is active. Permitting ping can allow others to execute a denial-of-service (DoS) or Smurf attack. |
| ICMP-ECHO-FRAGMENT-ASSEMBLY-EXPIRE | 11 | 1 | ICMP fragment echo reassembly time expired error message indicates that the reassembly time was exceeded. We recommend denying these messages. |
| Traceroute | 30 | 0, 1 | Traceroute is a utility to indicate the path to access a specific host. We recommend denying this utility from the Internet (external) to your trusted network (internal). |
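The table above identifies each predefined application by its ICMP type and code and attaches a direction-based deny recommendation to several of them. The following Python, added here as an illustration and not code from the page or from Juniper, parses a raw ICMP message, verifies the RFC 792 checksum, classifies the message by the table's application name, and applies the table's recommendation for a given flow direction. The (type, code) map, the direction names, the constructed sample messages, and the default-deny for ICMP types the table does not list are all assumptions of this example.

```python
import struct

# Mapping from ICMP (type, code) to the predefined application names in the
# table above. Types 13/14, 15/16 and 17/18 are request/reply pairs that the
# table groups under one application. (11, 1) appears twice in the table
# (ICMP Fragment Reassembly and ICMP-ECHO-FRAGMENT-ASSEMBLY-EXPIRE); both
# carry a deny recommendation, so the first name is used here.
ICMP_APPS = {
    (8, 0): "Ping (ICMP ECHO)",
    (3, 0): "ICMP-DEST-UNREACH",
    (3, 1): "ICMP-HOST-UNREACH",
    (3, 2): "ICMP-PROTOCOL-UNREACH",
    (3, 3): "ICMP-PORT-UNREACH",
    (3, 4): "ICMP Fragment Needed",
    (3, 5): "ICMP-SOURCE-ROUTE-FAIL",
    (4, 0): "ICMP-SOURCE-QUENCH",
    (5, 0): "ICMP-REDIRECT",
    (5, 1): "ICMP-REDIRECT-HOST",
    (5, 2): "ICMP-REDIRECT-TOS-NET",
    (5, 3): "ICMP-REDIRECT-TOS-HOST",
    (11, 0): "ICMP-TIME-EXCEEDED",
    (11, 1): "ICMP Fragment Reassembly",
    (12, 0): "ICMP-PARAMETER-PROBLEM",
    (13, 0): "ICMP-TIMESTAMP", (14, 0): "ICMP-TIMESTAMP",
    (15, 0): "ICMP-INFO", (16, 0): "ICMP-INFO",
    (17, 0): "ICMP-ADDRESS-MASK", (18, 0): "ICMP-ADDRESS-MASK",
    (30, 0): "Traceroute", (30, 1): "Traceroute",
}

# Direction-based recommendations taken from the table. Applications the
# table describes without a directional recommendation (echo, address mask,
# info, timestamp, dest-unreach, source-quench, the redirect variants) are
# left to local policy and allowed by this demo.
DENY_FROM_INTERNET = {          # "deny from the Internet to a trusted network"
    "ICMP Fragment Needed", "ICMP-HOST-UNREACH", "ICMP-PARAMETER-PROBLEM",
    "ICMP-PORT-UNREACH", "ICMP-PROTOCOL-UNREACH", "ICMP-REDIRECT",
    "ICMP-SOURCE-ROUTE-FAIL", "Traceroute",
}
DENY_TO_INTERNET = {"ICMP-TIME-EXCEEDED"}       # "deny from a trusted network out to the Internet"
DENY_ANY_DIRECTION = {"ICMP Fragment Reassembly"}  # "We recommend denying these messages."


def icmp_checksum(data: bytes) -> int:
    """RFC 792 checksum: one's complement of the one's complement 16-bit sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes) -> bytes:
    """Build a constructed sample ICMP message with a valid checksum."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(header)) + rest


def parse_icmp(data: bytes) -> dict:
    """Parse the ICMP header, verify the checksum over the whole message,
    and classify the message by the table's application name."""
    if len(data) < 8:                       # type, code, checksum, 4-byte rest-of-header
        raise ValueError("truncated ICMP message: %d bytes" % len(data))
    icmp_type, code, _ = struct.unpack("!BBH", data[:4])
    return {
        "type": icmp_type,
        "code": code,
        # A valid message sums (checksum field included) to 0xFFFF, so the
        # checksum recomputed over the entire message is zero.
        "checksum_ok": icmp_checksum(data) == 0,
        "app": ICMP_APPS.get((icmp_type, code), "unknown"),
    }


def evaluate(app: str, direction: str) -> str:
    """Apply the table's recommendation for one flow direction.
    direction is "untrust-to-trust" (from the Internet) or "trust-to-untrust".
    Types not in the table are denied (an assumed default, not from the table)."""
    if direction not in ("untrust-to-trust", "trust-to-untrust"):
        raise ValueError("unknown direction: " + direction)
    if app == "unknown" or app in DENY_ANY_DIRECTION:
        return "deny"
    if direction == "untrust-to-trust" and app in DENY_FROM_INTERNET:
        return "deny"
    if direction == "trust-to-untrust" and app in DENY_TO_INTERNET:
        return "deny"
    return "allow"


def filter_message(data: bytes, direction: str) -> str:
    """Parse the message, deny on a bad checksum, otherwise apply the policy."""
    info = parse_icmp(data)
    if not info["checksum_ok"]:
        return "deny"
    return evaluate(info["app"], direction)


if __name__ == "__main__":
    # Constructed samples: an echo request and a port-unreachable error.
    samples = [
        ("echo request", build_icmp(8, 0, b"\x12\x34\x00\x01abcd")),
        ("port unreachable", build_icmp(3, 3, b"\x00" * 4 + b"\x45" * 28)),
    ]
    for name, pkt in samples:
        info = parse_icmp(pkt)
        print(name, info["app"],
              "in:", evaluate(info["app"], "untrust-to-trust"),
              "out:", evaluate(info["app"], "trust-to-untrust"))
```

The checksum check matters in practice: a device or collector classifying ICMP only by the first two bytes would act on corrupted or forged headers, so the example denies anything whose one's complement sum does not verify before it consults the policy.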