
ICMP Questions for IPtables Rules



I'm writing a blurb on ICMP, trying to clarify some of them for
those who can't decode the RFCs.  I myself am not sure, so I'd
like to know if any of this is not correct as it relates to a
firewall:

  'Certain ICMPs should be let in for more friendly/compliant
   servers.  Merely blocking ping at the firewall won't keep
   your connection from being saturated in a Denial of Service
   attack ("ping flood"); you'd need your upstream (ISP) to
   filter those instead.  If you have no servers running, a
   bit more "invisibility" is afforded by disabling all the
   incoming, but unRELATED, ICMP messages.'

Then I want to determine what ICMP types to allow into the box:

  3 = Dest Unreach (i.e. "Don't Fragment" is set but needs frag)
  4 = Source Quench tells sender to slow down rate to destination
  8 = Echo Req for ping (other uses besides checking if online?)
 11 = Time Exceed used for traceroute (TTL) or maybe frag pkts
 12 = Param Prob is some error or weirdness detected in header

At a bare minimum, we want ping and traceroute to work if they
are initiated from behind the firewall.

I thought I read a while back that Source Quench could somehow
be misused.  Also, there was a warning about Time-Exceeded giving
out information on the internal LAN's structure -- but would this
still apply to IP masqueraded machines behind the firewall, that
use non-routable (192.168.0.0/24) addresses?

Anyway, this brings me to the following ruleset.  It allows any
ICMP messages to get OUT, and the only ones coming IN are those
established/related.  But if there are servers running locally,
certain additional ICMPs ARE allowed in for "netiquette", so to
speak:

 $IPT -P INPUT DROP                  # iptables policy target is DROP (DENY was ipchains)
 $IPT -P OUTPUT DROP

 $IPT -A INPUT  -p icmp -m state --state ESTABLISHED,RELATED     -j ACCEPT
 $IPT -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

 $IPT -A INPUT -p icmp -i $INT -j ACCEPT             # Any type from LAN

 if [ "$SERVERS" = "1" ]            # quoted so an unset variable does not break the test
  then
   $IPT -A INPUT -p icmp --icmp-type 3 -i $EXT  -j ACCEPT # Only certain
   $IPT -A INPUT -p icmp --icmp-type 4 -i $EXT  -j ACCEPT # ones from the
   $IPT -A INPUT -p icmp --icmp-type 8 -i $EXT  -j ACCEPT # external
   $IPT -A INPUT -p icmp --icmp-type 11 -i $EXT -j ACCEPT # interface
   $IPT -A INPUT -p icmp --icmp-type 12 -i $EXT -j ACCEPT # ($EXT)
 fi                                 # must be on its own line, not inside the comment

 $IPT -A INPUT -p icmp -j LOG -m limit --limit 1/s \
      --log-level info --log-prefix "**ICMP DROP** " # Log all denied
 $IPT -A INPUT -p icmp -j DROP                       # Drop failed pkts

Any constructive criticism is welcome.  I've scoured Google and
can't seem to find any two places that agree what ICMPs are "safe"
to allow in, so if you have a rationale for additional (or fewer)
message types, I'd like to hear it.

Thanks in advance,

Jeff Bonner
PGP/GnuPG ID 0x82FC9EEE

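Added example, not part of the post above: a small Python parser for the syslog lines that the post's LOG rule emits with the prefix "**ICMP DROP** ", so one can see which ICMP types the external interface is actually dropping (and from which sources) before settling the allow list. The log lines are constructed samples; the field layout (IN= SRC= PROTO=ICMP TYPE= CODE=) is the standard iptables LOG layout, and the bracketed inner packet that error messages (types 3, 11, 12) carry is split off before parsing.

```python
import re
from collections import Counter

LOG_PREFIX = "**ICMP DROP**"            # prefix set by the post's LOG rule
FIELD_RE = re.compile(r"(\w+)=(\S*)")
POST_SERVER_TYPES = {3, 4, 8, 11, 12}   # types the post admits on $EXT when SERVERS=1

# Constructed sample syslog lines in the layout the iptables LOG target writes
# (not real traffic; addresses are from documentation ranges).
SAMPLE_LOG = """\
Jun  3 10:01:02 fw kernel: **ICMP DROP** IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=1001 PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Jun  3 10:01:03 fw kernel: **ICMP DROP** IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=1002 PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=2
Jun  3 10:01:09 fw kernel: **ICMP DROP** IN=eth0 OUT= SRC=192.0.2.1 DST=198.51.100.2 LEN=56 TOS=0xc0 PREC=0xc0 TTL=250 ID=0 PROTO=ICMP TYPE=3 CODE=4 [SRC=198.51.100.2 DST=192.0.2.50 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=7 DF PROTO=TCP SPT=34567 DPT=443 WINDOW=0 RES=0x00 SYN URGP=0 ]
Jun  3 10:01:15 fw kernel: **ICMP DROP** IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=56 TOS=0x00 PREC=0x00 TTL=60 ID=3 PROTO=ICMP TYPE=13 CODE=0
Jun  3 10:02:00 fw kernel: **ICMP DROP** IN=eth0 OUT= SRC=192.0.2.1 DST=198.51.100.2 LEN=56 TOS=0xc0 PREC=0xc0 TTL=250 ID=0 PROTO=ICMP TYPE=11 CODE=0 [SRC=198.51.100.2 DST=192.0.2.99 LEN=60 TOS=0x00 PREC=0x00 TTL=1 ID=8 PROTO=UDP SPT=40000 DPT=33434 LEN=40 ]
Jun  3 10:02:01 fw kernel: eth0: link up
"""

def parse_drop_line(line):
    """Return {in, src, type, code} for one ICMP DROP log line, else None."""
    if LOG_PREFIX not in line:
        return None
    # Error messages (types 3, 11, 12) quote the offending packet in [...];
    # split it off so its SRC=/PROTO= fields do not shadow the outer ones.
    outer = line.split(LOG_PREFIX, 1)[1].split(" [", 1)[0]
    fields = {}
    for key, val in FIELD_RE.findall(outer):
        fields.setdefault(key, val)    # keep the first ID= (IP header), not the echo ID
    if fields.get("PROTO") != "ICMP" or "TYPE" not in fields:
        return None
    return {"in": fields.get("IN", ""), "src": fields.get("SRC", ""),
            "type": int(fields["TYPE"]), "code": int(fields.get("CODE", "0"))}

def summarize_drops(log_text):
    """Count drops per (type, code) and per source, and list which dropped
    types the post's SERVERS=1 block would have accepted on the external side."""
    by_type, by_src = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_drop_line(line)
        if rec is not None:
            by_type[(rec["type"], rec["code"])] += 1
            by_src[rec["src"]] += 1
    allowed_if_servers = sorted({t for t, _ in by_type if t in POST_SERVER_TYPES})
    return {"by_type": dict(by_type), "by_src": dict(by_src),
            "allowed_if_servers": allowed_if_servers}

if __name__ == "__main__":
    print(summarize_drops(SAMPLE_LOG))
```

Run it against the real log with `summarize_drops(open("/var/log/messages").read())`; remember that the `-m limit 1/s` on the LOG rule means the counts are a lower bound during a flood, not the true packet rate.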