ICMP firewalling on today's internet

Antony@xxxxxxxxxxxxxxxxxxxx said:
> You should certainly allow ICMP through if you want traceroute to work, and 
> you should generally allow ICMP if you want many other things to work.   If 
> you want to block certain types of ICMP, that's fine (many people do), but 
> don't block all ICMP.

Speaking of which, what's the consensus on appropriate ICMP filtering?
Obviously you don't want to filter everything. But some types of ICMP
are really archaic, and not of use anymore. (source quench? redirect?
address mask request? Does anyone use these today? Were they ever in
widespread use?)

And common stuff (like echo/echo reply) is abused by various malware,
and should possibly be rate-limited. 

But looking down the list of ICMP types
(http://www.iana.org/assignments/icmp-parameters), there are several I'm
not sure how to handle.

For a small site's common connection-tracking border firewall, for
example, how are the following actions?

]   0	Echo Reply				 [RFC792]

legitimate replies should be allowed in by ESTABLISHED (or RELATED?),
otherwise block in both INPUT and FORWARD.

]   1	Unassigned				    [JBP]
]   2	Unassigned				    [JBP]

block in both INPUT and FORWARD, with rate-limited logging?

]   3	Destination Unreachable			 [RFC792]

legitimate replies should be allowed in by ESTABLISHED (or RELATED?),
otherwise block in both INPUT and FORWARD.

]   4	Source Quench			 	 [RFC792]
]   5	Redirect				 [RFC792]
]   6	Alternate Host Address			    [JBP]
]   7	Unassigned				    [JBP]

block in both INPUT and FORWARD, with rate-limited logging?

]   8	Echo					 [RFC792]

allow both INPUT and FORWARD, but rate-limited

]   9	Router Advertisement			[RFC1256]
]  10	Router Solicitation			[RFC1256]

don't know about these. They don't seem to be commonly used.

]  11	Time Exceeded				 [RFC792]
]  12	Parameter Problem			 [RFC792]
]  13	Timestamp				 [RFC792]
]  14	Timestamp Reply				 [RFC792]
]  15	Information Request			 [RFC792]
]  16	Information Reply			 [RFC792]
]  17	Address Mask Request                     [RFC950]
]  18	Address Mask Reply			 [RFC950]

do any of these crop up much?

]  19	Reserved (for Security)			   [Solo]
]  20-29	Reserved (for Robustness Experiment)	    [ZSu]

probably shouldn't be seeing these.  block in both INPUT and FORWARD,
with rate-limited logging.

]  30	Traceroute				[RFC1393]

allow outgoing?

]  31	Datagram Conversion Error		[RFC1475]
]  32     Mobile Host Redirect              [David Johnson]
]  33     IPv6 Where-Are-You                 [Bill Simpson]
]  34     IPv6 I-Am-Here                     [Bill Simpson]
]  35     Mobile Registration Request        [Bill Simpson]
]  36     Mobile Registration Reply          [Bill Simpson]
]  37     Domain Name Request                     [RFC1788]
]  38     Domain Name Reply                       [RFC1788]
]  39     SKIP                                    [Markson]
]  40     Photuris                                [RFC2521]
]  41-255 Reserved				    [JBP]

no idea about these either.

So what would a good starting point for a good, but not heavy-handed,
iptables ICMP filter look like? Maybe something like this (untested):

	# INTERNAL_IFACE must be set to the LAN-side interface before this runs
	iptables -N icmp
	# replies and ICMP errors tied to a tracked connection (echo reply,
	# destination unreachable, time exceeded, ...) come back as ESTABLISHED/RELATED
	iptables -A icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
	# only let pings and RFC1393 traceroute (type 30) in from the internal side
	iptables -A icmp -i "$INTERNAL_IFACE" -p icmp --icmp-type echo-request -j ACCEPT
	iptables -A icmp -i "$INTERNAL_IFACE" -p icmp --icmp-type 30 -j ACCEPT
	# log whatever is left, rate-limited so a flood can't fill the logs, then drop it
	iptables -A icmp -m limit --limit 10/second -j LOG --log-prefix "iptables bad-icmp: "
	iptables -A icmp -j DROP

	# hand all ICMP arriving at or passing through the box to the new chain
	iptables -I INPUT -p icmp -j icmp
	iptables -I FORWARD -p icmp -j icmp

Are there more types that should be let through?

Jason
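As an added example (not code from the original post), here is a fuller version of the chain above that follows the type-by-type reasoning in the post: conntrack covers the replies and errors, behaviour-changing types are dropped outright, pings are rate-limited per source, and everything unlisted is logged so you can see whether the archaic types ever actually show up. It assumes LAN_IFACE names the internal interface and that the conntrack and hashlimit matches are available (the conntrack match is the newer equivalent of `-m state`); set DRY_RUN=1 to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the original post: an ICMP chain for a small
# connection-tracking border firewall, hooked into INPUT and FORWARD.
# Assumptions: LAN_IFACE is the internal interface; the conntrack, limit and
# hashlimit matches are available. DRY_RUN=1 prints the rules instead of loading them.
LAN_IFACE="${LAN_IFACE:-eth1}"

ipt() {
    if [ -n "${DRY_RUN:-}" ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

build_icmp_chain() {
    ipt -N icmp_filter
    # Replies and errors conntrack can tie to an existing flow: echo reply (0)
    # and the error types (3, 11, 12) that PMTU discovery and traceroute need.
    # RELATED is what matches the errors, so they need no explicit rule.
    ipt -A icmp_filter -p icmp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Types that change host behaviour and should never be accepted at a border:
    # redirect (5) alters routes, source quench (4) is obsolete, router
    # advertisement/solicitation (9/10) are link-local. Dropped before the log
    # rule so they cannot fill the log.
    for t in redirect source-quench router-advertisement router-solicitation; do
        ipt -A icmp_filter -p icmp --icmp-type "$t" -j DROP
    done
    # Echo request (8): internal hosts ping freely; everyone else gets a
    # per-source budget so a single host cannot starve the rest.
    ipt -A icmp_filter -i "$LAN_IFACE" -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A icmp_filter -p icmp --icmp-type echo-request \
        -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 10 \
        --hashlimit-mode srcip --hashlimit-name icmp_ping -j ACCEPT
    ipt -A icmp_filter -p icmp --icmp-type echo-request -j DROP
    # Timestamp (13/14), information (15/16) and address mask (17/18) only
    # reveal host details, and 6, 15-18 and 30-39 were later formally
    # deprecated (RFC 6918). Nothing else is listed, so all of it falls through
    # to a rate-limited log: the log answers "do these ever crop up?".
    ipt -A icmp_filter -m limit --limit 10/sec --limit-burst 20 \
        -j LOG --log-prefix "iptables bad-icmp: "
    ipt -A icmp_filter -j DROP
    # Send all ICMP arriving at or passing through the box to the chain.
    ipt -I INPUT -p icmp -j icmp_filter
    ipt -I FORWARD -p icmp -j icmp_filter
}

if [ "${1:-}" = "apply" ]; then
    build_icmp_chain
fi
```

Run with `DRY_RUN=1 sh icmp.sh apply` to review the generated rules; without DRY_RUN the same invocation loads them with iptables.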


