Cedric Blancher wrote:
It is possible netfilter does this to accomodate bridging setups. Anyone
can comment on this? If this opens up the connection for any other ICMP
traffic, I think that's a bug. But I cannot imagine netfilter does this,
anyone know for sure?
We also have a protocol problem here. However, as Pascal stated before,
you can explicitly deny ICMP redirects.
As a more general matter, ICMP filtering is tricky:
. ICMP filtering can (and do) break connectivity: PPPoE users
with broken PMTUD knows about it...
. ICMP messages authentication is weak.
On one hand we have a protocol we have to implement because we need it
for IP to work smoothly, and on the other hand, it's quite easy to
abuse. And we have to cope with it.
ICMP filtering is not tricky. Just remember the rules.
1) NEVER, EVER, EVER filter out fragmentation needed.
2) You may filter out ping, and the various destination unreachables,
the consequences are yours.
3) Everything else can be filtered without consequences.
If you mean, it is hard for a firewall to filter malicious ICMPs but not
beneign ICMPs, the we agree. I have not heard of an fragmentation needed
attack yet, but I can imagine it happening (analogous to the zero
windowsize attack).
But as Jozsef explained, iptables does check what it is possible, for
the rest we mostly have to live with it.
M4
