I'm writing a blurb on ICMP, trying to clarify some of them for those who can't decode the RFCs. I myself am not sure, so I'd like to know if any of this is not correct as it relates to a firewall:

'Certain ICMPs should be let in for more friendly/compliant servers. Merely blocking ping at the firewall won't keep your connection from being saturated in a Denial of Service attack ("ping flood"); you'd need your upstream (ISP) to filter those instead. If you have no servers running, a bit more "invisibility" is afforded by disabling all the incoming, but unRELATED, ICMP messages.'

Then I want to determine what ICMP types to allow into the box:

 3 = Dest Unreach (i.e. "Don't Fragment" is set but needs frag)
 4 = Source Quench tells sender to slow down rate to destination
 8 = Echo Req for ping (other uses besides checking if online?)
11 = Time Exceed used for traceroute (TTL) or maybe frag pkts
12 = Param Prob is some error or weirdness detected in header

At a bare minimum, we want ping and traceroute to work if they are initiated from behind the firewall. I thought I read a while back that Source Quench could somehow be misused. Also, there was a warning about Time-Exceeded giving out information on the internal LAN's structure -- but would this still apply to IP masqueraded machines behind the firewall, that use non-routable (192.168.0.0/24) addresses?

Anyway, this brings me to the following ruleset. It allows any ICMP messages to get OUT, and the only ones coming IN are those established/related.
But if there are servers running locally, certain additional ICMPs ARE allowed in for "netiquette", so to speak:

$IPT -P INPUT DROP     # iptables policy targets are DROP/ACCEPT (DENY was ipchains)
$IPT -P OUTPUT DROP

$IPT -A INPUT  -p icmp -m state --state ESTABLISHED,RELATED     -j ACCEPT
$IPT -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT  -p icmp -i $INT -j ACCEPT                  # Any type from LAN

if [ "$SERVERS" = "1" ]
then
    $IPT -A INPUT -p icmp --icmp-type 3  -i $EXT -j ACCEPT   # Only certain
    $IPT -A INPUT -p icmp --icmp-type 4  -i $EXT -j ACCEPT   # ones from the
    $IPT -A INPUT -p icmp --icmp-type 8  -i $EXT -j ACCEPT   # external
    $IPT -A INPUT -p icmp --icmp-type 11 -i $EXT -j ACCEPT   # interface
    $IPT -A INPUT -p icmp --icmp-type 12 -i $EXT -j ACCEPT   # ($EXT)
fi

# Match options (-m limit) come before the target (-j LOG) and its options
$IPT -A INPUT -p icmp -m limit --limit 1/s -j LOG \
    --log-level info --log-prefix "**ICMP DROP** "          # Log all denied
$IPT -A INPUT -p icmp -j DROP                               # Drop failed pkts

Any constructive criticism is welcome. I've scoured Google and can't seem to find any two places that agree what ICMPs are "safe" to allow in, so if you have a rationale for additional (or fewer) message types, I'd like to hear it.

Thanks in advance,
Jeff Bonner
PGP/GnuPG ID 0x82FC9EEE
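The distinction the post leans on is between ICMP that the state module classifies as ESTABLISHED/RELATED and ICMP that is merely on a type allowlist. The following is an added illustration, not code from the post or from iptables/Netfilter: a small Python model that decides ACCEPT/DROP for ICMP arriving on the external interface using the same ordering as the ruleset above (state match first, then the SERVERS=1 type allowlist, else drop-and-log). It shows what "RELATED" actually inspects: an ICMP error carries the IP header plus the first 8 bytes of the packet that triggered it, and the firewall accepts the error only if that quoted packet matches a flow in its connection table. All addresses (203.0.113.0/24 and 198.51.100.0/24 documentation ranges), identifiers, packets and connection-table entries are constructed sample data; the flows are shown after masquerading, so only the firewall's public address appears.

```python
"""Model of the post's external-interface ICMP policy. Sample packets, addresses
and conntrack entries are constructed for the example; checksums are left zero
because they play no part in the policy decision."""
import struct

# ICMP types named in the post, plus Echo Reply (needed for ESTABLISHED matching)
ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, ECHO_REQUEST, TIME_EXCEEDED, PARAM_PROBLEM = 0, 3, 4, 8, 11, 12
ERROR_TYPES = {DEST_UNREACH, SOURCE_QUENCH, TIME_EXCEEDED, PARAM_PROBLEM}
SERVER_ALLOW = {DEST_UNREACH, SOURCE_QUENCH, ECHO_REQUEST, TIME_EXCEEDED, PARAM_PROBLEM}
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def build_icmp(type_, code, rest, body):
    """8-byte ICMP header; 'rest' is the 4-byte field (id<<16|seq for echo, 0 for errors)."""
    return struct.pack("!BBHI", type_, code, 0, rest) + body


def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:]


def flow_tuple(ip_pkt):
    """Conntrack key (src, dst, proto, sport, dport) for a packet. For ICMP echo the
    'ports' are (identifier, 0), mirroring how Netfilter tracks pings."""
    src, dst, proto, l4 = parse_ipv4(ip_pkt)
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack("!HH", l4[:4])
    elif proto == IPPROTO_ICMP:
        _type, _code, _csum, rest = struct.unpack("!BBHI", l4[:8])
        sport, dport = rest >> 16, 0
    else:
        sport = dport = 0
    return src, dst, proto, sport, dport


def classify(pkt, conntrack, servers):
    """Decide the fate of one ICMP packet arriving on the external interface."""
    src, dst, proto, l4 = parse_ipv4(pkt)
    if proto != IPPROTO_ICMP:
        return "DROP (not ICMP)"
    icmp_type, _code, _csum, rest = struct.unpack("!BBHI", l4[:8])
    body = l4[8:]
    # ESTABLISHED: an echo reply that reverses a tracked outbound echo request (same id)
    if icmp_type == ECHO_REPLY and (dst, src, IPPROTO_ICMP, rest >> 16, 0) in conntrack:
        return "ACCEPT (ESTABLISHED)"
    # RELATED: an error quoting the IP header + 8 bytes of a packet this firewall sent
    if icmp_type in ERROR_TYPES and len(body) >= 28 and flow_tuple(body) in conntrack:
        return "ACCEPT (RELATED)"
    # SERVERS=1: the post's per-type allowlist, which does not consult conntrack
    if servers and icmp_type in SERVER_ALLOW:
        return "ACCEPT (server allowlist)"
    return "DROP (logged)"


FW_PUBLIC = "203.0.113.5"   # masquerading firewall's external address (constructed)
REMOTE = "198.51.100.7"     # ping/traceroute target (constructed)
HOP = "198.51.100.1"        # intermediate router that answers Time Exceeded (constructed)

# Flows the firewall has already sent out, as conntrack would record them after NAT
CONNTRACK = {
    (FW_PUBLIC, REMOTE, IPPROTO_UDP, 40000, 33434),   # traceroute UDP probe
    (FW_PUBLIC, REMOTE, IPPROTO_ICMP, 0x1234, 0),     # ping with echo identifier 0x1234
}


def sample_packets():
    """Constructed inbound ICMP packets covering each branch of the policy."""
    udp_probe = build_ipv4(FW_PUBLIC, REMOTE, IPPROTO_UDP, struct.pack("!HHHH", 40000, 33434, 8, 0))
    unknown_tcp = build_ipv4(FW_PUBLIC, REMOTE, IPPROTO_TCP, struct.pack("!HH", 1024, 80) + b"\0" * 4)
    return {
        "time_exceeded_for_our_probe": build_ipv4(HOP, FW_PUBLIC, IPPROTO_ICMP,
                                                  build_icmp(TIME_EXCEEDED, 0, 0, udp_probe[:28])),
        "echo_reply_to_our_ping": build_ipv4(REMOTE, FW_PUBLIC, IPPROTO_ICMP,
                                             build_icmp(ECHO_REPLY, 0, (0x1234 << 16) | 1, b"")),
        "unsolicited_echo_request": build_ipv4("198.51.100.9", FW_PUBLIC, IPPROTO_ICMP,
                                               build_icmp(ECHO_REQUEST, 0, (0x1234 << 16) | 1, b"")),
        "unreach_quoting_unknown_flow": build_ipv4(HOP, FW_PUBLIC, IPPROTO_ICMP,
                                                   build_icmp(DEST_UNREACH, 4, 0, unknown_tcp[:28])),
        "timestamp_request": build_ipv4("198.51.100.9", FW_PUBLIC, IPPROTO_ICMP,
                                        build_icmp(13, 0, 0, b"\0" * 12)),
    }


def evaluate(servers):
    """Run every sample packet through the policy for SERVERS=0 or SERVERS=1."""
    return {name: classify(pkt, CONNTRACK, servers) for name, pkt in sample_packets().items()}


if __name__ == "__main__":
    for servers in (0, 1):
        print(f"SERVERS={servers}")
        for name, verdict in evaluate(servers).items():
            print(f"  {name:32s} {verdict}")
```

Two things the run makes visible that the ruleset alone does not: with SERVERS=0 the Time Exceeded and Echo Reply for flows the firewall initiated still get in (traceroute and ping from behind the firewall keep working), while with SERVERS=1 the type-3 rule also accepts a Destination Unreachable that quotes a flow the firewall never sent, because a plain `--icmp-type` match does not look at the quoted header the way the state match does.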