RE: ICMP types to allow

> -----Original Message-----
> From: John A. Sullivan III [mailto:jsullivan@xxxxxxxxxxxxxxxxxxx] 
> Sent: Wednesday, December 21, 2005 1:49 PM
> To: Derick Anderson
> Cc: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: RE: ICMP types to allow
> 
> On Wed, 2005-12-21 at 13:36 -0500, Derick Anderson wrote:
> > After reading the ICMP state machine section of the Netfilter tutorial
> > [http://iptables-tutorial.frozentux.net/iptables-tutorial.html#ICMPCONNECTIONS]
> > it appears that ICMP traffic related to existing TCP and UDP connections
> > falls under the RELATED,ESTABLISHED rules.
> > 
> > So someone correct me if I'm wrong, but this means that any valid ICMP
> > error message would get picked up by a '-A FORWARD -m state --state
> > RELATED,ESTABLISHED -j ACCEPT' at the start of the chain, and so (as
> > lst_hoe01 stated) allowing type 8 is all you really need to do, correct?
> > (and a little reading goes a long way... =)
> > 
> > Thanks,
> > 
> > Derick Anderson
> >  
> > 
> Somewhere I recall Microsoft documentation asking that all ICMP traffic be
> allowed for Active Directory.  I never bothered to find out what exactly was
> needed and why.  Does anyone know if a properly functioning Active Directory
> needs anything other than echo? - John
> --
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan@xxxxxxxxxxxxxxxxxxx
> 
> If you would like to participate in the development of an 
> open source enterprise class network security management 
> system, please visit http://iscs.sourceforge.net
> 


I think all AD requires is echo request (which is how it "determines"
whether domain controllers, DNS servers, gateways, etc. are up). Block
ICMP echo request at your firewall/gateway and netdiag will be very
unhappy. I don't believe they "require" any other types but you never
know with Microsoft. 

A google for "active directory 2003 icmp required" (no quotes) provides
the official story (the first two hits are hugely long TechNet articles
so search for ICMP within them), which is basically that ICMP echo
request is used by several services to determine whether hosts are up
and for tracert to work, and that Path MTU makes everybody happy.

Hope that helps,

Derick
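The thread's point is that conntrack classifies ICMP by the connection it belongs to: echo-request is NEW, a matching echo-reply is ESTABLISHED, and an ICMP error is RELATED because it quotes the IP header and first 8 bytes of the transport header of the datagram that triggered it. The following script is an added illustration (not from the thread, the Netfilter tutorial, or the netfilter code) that builds sample ICMP packets from constructed addresses in the documentation ranges, models the conntrack ICMP state machine in simplified form (unmatched errors and unsolicited replies are treated as INVALID), and runs them through the two-rule FORWARD policy discussed above. Real conntrack also tracks timeouts, TCP window state and checksums, which are left out here.

```python
import socket
import struct

# ICMP type numbers used below (RFC 792)
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}   # error messages quote the offending datagram

IPPROTO_UDP = 17


def build_ipv4_header(src, dst, proto):
    """Minimal 20-byte IPv4 header (constructed sample; checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def build_icmp(icmp_type, code, rest=b"\x00\x00\x00\x00", payload=b""):
    """ICMP header: type, code, checksum (zero here), 4 bytes rest-of-header, then payload."""
    return struct.pack("!BBH", icmp_type, code, 0) + rest + payload


def build_icmp_error(icmp_type, code, orig_src, orig_dst, proto, sport, dport,
                     rest=b"\x00\x00\x00\x00"):
    """ICMP error quoting the original IP header plus the first 8 bytes of its
    transport header, as RFC 792 requires. That quoted header is what conntrack
    uses to find the flow the error belongs to."""
    quoted = build_ipv4_header(orig_src, orig_dst, proto) + struct.pack("!HHHH", sport, dport, 8, 0)
    return build_icmp(icmp_type, code, rest, quoted)


def quoted_tuple(icmp_payload):
    """Extract (proto, src, dst, sport, dport) of the datagram quoted inside an ICMP error."""
    ihl = (icmp_payload[0] & 0x0F) * 4
    proto = icmp_payload[9]
    src = socket.inet_ntoa(icmp_payload[12:16])
    dst = socket.inet_ntoa(icmp_payload[16:20])
    sport, dport = struct.unpack("!HH", icmp_payload[ihl:ihl + 4])   # same offsets for TCP and UDP
    return (proto, src, dst, sport, dport)


def classify_icmp(ip_src, ip_dst, icmp, conntrack):
    """Simplified model of the Netfilter conntrack ICMP state machine.
    conntrack: set of original-direction flow tuples plus pending echo keys."""
    icmp_type = icmp[0]
    if icmp_type in ICMP_ERROR_TYPES:
        # The error is RELATED only if the datagram it quotes belongs to a tracked flow.
        return "RELATED" if quoted_tuple(icmp[8:]) in conntrack else "INVALID"
    ident = struct.unpack("!H", icmp[4:6])[0]          # echo identifier
    if icmp_type == ICMP_ECHO_REQUEST:
        # No reply has been seen yet, so a request is NEW and needs an explicit ACCEPT.
        conntrack.add(("icmp-echo", ip_src, ip_dst, ident))
        return "NEW"
    if icmp_type == ICMP_ECHO_REPLY:
        key = ("icmp-echo", ip_dst, ip_src, ident)      # reverse of the request's direction
        if key in conntrack:
            conntrack.discard(key)                      # entry is finished once the reply is seen
            return "ESTABLISHED"
        return "INVALID"
    return "INVALID"


def forward_chain(ip_src, ip_dst, icmp, conntrack):
    """The policy discussed in the thread, as a function returning (state, verdict):
         -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
         -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
         -P FORWARD DROP"""
    state = classify_icmp(ip_src, ip_dst, icmp, conntrack)
    if state in ("RELATED", "ESTABLISHED"):
        return state, "ACCEPT"
    if icmp[0] == ICMP_ECHO_REQUEST:
        return state, "ACCEPT"
    return state, "DROP"


def demo():
    """Constructed sample traffic: one tracked DNS query, then ICMP packets hitting FORWARD."""
    ct = {(IPPROTO_UDP, "192.0.2.10", "198.51.100.5", 40000, 53)}   # existing UDP flow
    results = []
    # 1. A router reports "fragmentation needed" (type 3/4, next-hop MTU 1400)
    #    for the tracked DNS query: RELATED, so Path MTU discovery keeps working.
    pmtu = build_icmp_error(ICMP_DEST_UNREACH, 4, "192.0.2.10", "198.51.100.5",
                            IPPROTO_UDP, 40000, 53, rest=struct.pack("!HH", 0, 1400))
    results.append(forward_chain("203.0.113.1", "192.0.2.10", pmtu, ct))
    # 2. The same error quoting a flow nobody sent: INVALID, dropped by policy.
    bogus = build_icmp_error(ICMP_DEST_UNREACH, 4, "192.0.2.99", "198.51.100.5",
                             IPPROTO_UDP, 1, 53)
    results.append(forward_chain("203.0.113.1", "192.0.2.99", bogus, ct))
    # 3. Echo request from inside: NEW, accepted only because of the explicit type 8 rule.
    req = build_icmp(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", 0x1234, 1))
    results.append(forward_chain("192.0.2.10", "198.51.100.5", req, ct))
    # 4. The matching echo reply: ESTABLISHED, so no separate type 0 rule is needed.
    rep = build_icmp(ICMP_ECHO_REPLY, 0, struct.pack("!HH", 0x1234, 1))
    results.append(forward_chain("198.51.100.5", "192.0.2.10", rep, ct))
    # 5. The same reply again, with no outstanding request: INVALID.
    results.append(forward_chain("198.51.100.5", "192.0.2.10", rep, ct))
    return results


if __name__ == "__main__":
    for state, verdict in demo():
        print(f"{state:12s} -> {verdict}")
```

Running it shows why the two rules are sufficient: the only ICMP that is NEW from conntrack's point of view is the echo-request itself, while replies and errors for tracked flows arrive as ESTABLISHED or RELATED and are accepted by the first rule. It also shows the defensive side effect: an ICMP error that quotes a flow the firewall has never seen is INVALID and falls through to the DROP policy.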



