ICMP unreachables, code 9,10,13

First, let me thank everyone who responded to my previous
question about routers prioritizing control traffic, your
comments were much appreciated.

My next question is about responses to ICMP pings (echo request),
when they return ICMP UNREACHABLE with codes 9,10 or 13.

These codes are defined as follows:
unreachable 9 Communication with Destination Network
                        is Administratively Prohibited
unreachable 10 Communication with Destination Host
                        is Administratively Prohibited
unreachable 13 Communication Administratively Prohibited
                        - generated if a router cannot forward a packet
                        due to administrative filtering

Responses with these codes seem to imply the presence of a firewall.
Is this assumption correct or are these codes meaningless?

If this is a configurable parameter, how do you typically decide what
to set it to?

Thanks!

Christos Papadopoulos
Colorado State University

> My next question is about responses to ICMP pings (echo request),
> when they return ICMP UNREACHABLE with codes 9,10 or 13.
>
> Responses with these codes seem to imply the presence of a firewall.
> Is this assumption correct or are these codes meaningless?

They do have meaning, and you do see them in production (generally in
traceroute responses). These can indicate the presence of either a
firewall or an ACL. Both traffic barriers are typically configurable, and
whether or not you get a response is very often dictated by how hardcore
the network engineer or security engineer is about giving up information
about their network.

> If this is a configurable parameter, how do you typically decide what
> to set it to?

See previous comment about relative values of hardcore. Arguably, use of
these options is telling the end user things about your network
configuration, including, very specifically, which device is blocking
their traffic. Depending on your security stance and requirements, this
may be good or bad.

Personally, I simply drop the offending packets into the bitbucket and let
the user wonder.

- billn

Not just firewalls - ACLs on routers, too.

A common practice is to either turn off sending of unreachables or to at least rate-limit them to preserve CPU on the router.
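Added example, not code from any of the posters: a small Python decoder that validates an ICMP Destination Unreachable message, flags the administratively prohibited codes (9, 10, 13) listed in the question, and recovers from the quoted original datagram which destination was filtered, which is exactly the information billn notes these responses give away. The sample packets and the 192.0.2.10 / 203.0.113.7 addresses are constructed inline (RFC 5737 documentation ranges), not captured traffic.

```python
import struct

# RFC 792 / RFC 1812 Destination Unreachable codes relevant to the thread.
UNREACHABLE_CODES = {
    0: "net unreachable", 1: "host unreachable", 3: "port unreachable",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}
ADMIN_PROHIBITED = {9, 10, 13}  # codes that point at a firewall or ACL

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (0 if data verifies)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify_unreachable(icmp: bytes) -> dict:
    """Decode an ICMP type 3 message and report what it discloses."""
    if len(icmp) < 8:
        raise ValueError("ICMP header truncated")
    itype, code, _csum = struct.unpack("!BBH", icmp[:4])
    if itype != 3:
        raise ValueError("not a destination-unreachable message")
    if icmp_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    # Payload is the original IP header + 8 bytes of the dropped datagram,
    # so the destination that hit the filter can be read back out.
    inner, filtered_dst = icmp[8:], None
    if len(inner) >= 20 and inner[0] >> 4 == 4:
        filtered_dst = ".".join(str(b) for b in inner[16:20])
    return {"code": code, "meaning": UNREACHABLE_CODES.get(code, "other"),
            "admin_filter": code in ADMIN_PROHIBITED, "filtered_dst": filtered_dst}

def build_unreachable(code: int, inner: bytes) -> bytes:
    """Constructed test message: type 3, given code, checksum filled in."""
    hdr = struct.pack("!BBHI", 3, code, 0, 0) + inner
    return hdr[:2] + struct.pack("!H", icmp_checksum(hdr)) + hdr[4:]

# Constructed dropped datagram: 20-byte IPv4 header (proto 1, TTL 64) from
# 192.0.2.10 to 203.0.113.7, followed by the first 8 bytes of an echo request.
SAMPLE_INNER = (struct.pack("!BBHHHBBH", 0x45, 0, 28, 0, 0, 64, 1, 0)
                + bytes([192, 0, 2, 10]) + bytes([203, 0, 113, 7])
                + struct.pack("!BBHHH", 8, 0, 0, 1, 1))

if __name__ == "__main__":
    for c in (3, 9, 10, 13):
        print(classify_unreachable(build_unreachable(c, SAMPLE_INNER)))
```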