Date: Tue, 27 Jun 2000 16:57:30 -0700
From: Dragos Ruiu <dr@dursec.com>
To: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>, dmartin@origen.com (Richard Martin)
Cc: bartequi@inwind.it (Salvo Bartolotta), freebsd-security@FreeBSD.ORG
Subject: Re: icmp type 3 code 4: a couple of questions
Message-ID: <00062717070013.00364@smp.kyx.net>
In-Reply-To: <200006271818.LAA92561@gndrsh.dnsmgr.net>
References: <200006271818.LAA92561@gndrsh.dnsmgr.net>
On Tue, 27 Jun 2000, Rodney W. Grimes wrote:
> > We use
> >
> > icmpallow="0,3,4,5,8,11,12,14,16,18"
> >
> > I wonder if anyone has any comments on the appropriateness of these
>
> 4=ICMP_SOURCEQUENCH, useless as most machines ignore it, can be
> abused easily.
> 5=ICMP_REDIRECT, you don't want that one; it can be used to redirect
> traffic to unwanted places.
> 14=ICMP_TSTAMPREPLY, useless without 13=ICMP_TSTAMP.
> 18=ICMP_MASKREPLY, useless without 17=ICMP_MASKREQ
>
> We usually run
> icmpallow="0,3,8,11"
> with special rules to allow 5 on the inside only.
> We don't allow 12, and we don't see hits due to this, except for abuse.
>
> Complete rule set looks like this:
> 01000 23000 1969619 allow icmp from any to any icmptype 0,3,4,8,11
> 01010     0       0 allow icmp from any to any via dc0 icmptype 5
> 01010     0       0 allow icmp from any to any via dc1 icmptype 5
> 01010     0       0 allow icmp from any to any via dc2 icmptype 5
> 01010     0       0 allow icmp from any to any via dc3 icmptype 5
> 01020     0       0 deny log logamount 100 icmp from any to any
>
> (Note that the counts are not very high here, due to data collection
> resetting the rules every few hours.)

To chorus support of the above... IMHO the four types of magic ICMP
packets to let through a firewall are:

3 - Destination Unreachable - important for many applications
    (I haven't seen anyone implement subtype filters yet, but this may be
    useful, as there is a _lot_ of info to be gleaned here, and it might be
    nice to strip some messages out instead of just letting the whole
    category through. I'm also wondering if anyone ever sees "Host
    Isolated" messages on their net?)
8 - Echo Request
0 - Echo Reply - ping, traceroute and friends
11 - Time Exceeded - traceroute needs this for sure, and maybe RTT/window
     estimation and fragmentation need it

The following may also be included in the allow list but may enable
DOS/mapping:

4 - Source Quench
5 - Redirection (suggest blocking, but may be important in a multi-router env)
12 - Parameter Problem (never ever seen this meself)

Should be Denied/Blocked:

2 - Undefined in rfc792
13 - Timestamp Request
14 - Timestamp Reply
15 - Info Request
16 - Info Reply
17 - Address Mask Request
18 - Address Mask Reply
and anything else...

And in case you were wondering about IPv6... from rfc2463 it seems like
all the crap above has been cleaned up:

ICMPv6 error messages:
1 Destination Unreachable
2 Packet Too Big
3 Time Exceeded
4 Parameter Problem

ICMPv6 informational messages:
128 Echo Request
129 Echo Reply

(Messages 130-132 replace IGMP)

Nice, neat and clean....

cheers,
--dr

--
dursec.com ltd. / kyx.net - we're from the future
http://www.dursec.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
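The ipfw rule set quoted above, together with the type 3 "subtype filter" idea raised in the reply, can be modelled as a plain packet-classification function. The following is an added example, not code from the thread, from FreeBSD or from ipfw: it parses a raw IPv4+ICMP packet, verifies the IP and ICMP checksums, and returns which of the quoted rules (01000 allow, 01010 redirect-on-inside, 01020 deny-and-log) would fire. The inside interface names dc0-dc3 come from the thread; the outside name "fxp0" used in the usage block, the sample addresses, and the set of type 3 codes kept by the subtype filter are assumptions made for this example.

```python
"""ICMP type/code policy filter modelled on the ipfw rules quoted in the thread.

Added example, not code from the thread or from FreeBSD. It mirrors:

  01000 allow icmp from any to any icmptype 0,3,4,8,11
  01010 allow icmp from any to any via dc0..dc3 icmptype 5   (redirects inside only)
  01020 deny log logamount 100 icmp from any to any

plus an assumed type-3 "subtype" filter in the spirit of the reply.
"""
import struct
from dataclasses import dataclass

# ICMP type numbers (RFC 792) as named in the thread
ICMP_ECHOREPLY, ICMP_UNREACH, ICMP_SOURCEQUENCH = 0, 3, 4
ICMP_REDIRECT, ICMP_ECHO, ICMP_TIMXCEED = 5, 8, 11

# Rule 01000: types allowed on any interface
ALLOW_ANY = {ICMP_ECHOREPLY, ICMP_UNREACH, ICMP_SOURCEQUENCH, ICMP_ECHO, ICMP_TIMXCEED}
# Rule 01010: redirects only via the inside interfaces named in the thread
REDIRECT_OK_IFACES = {"dc0", "dc1", "dc2", "dc3"}
# Assumed type-3 subtype policy (not from the thread): keep the codes that
# applications and PMTU discovery rely on (net/host/proto/port unreachable,
# fragmentation needed, administratively prohibited); strip the rest, e.g.
# code 8 "source host isolated".
UNREACH_CODES_OK = {0, 1, 2, 3, 4, 13}
LOGAMOUNT = 100          # rule 01020's logging cap
deny_log: list[str] = []  # what "deny log" would have written


@dataclass
class Verdict:
    rule: int
    action: str   # "allow", "deny", or "skip" (not ICMP; other rules decide)
    reason: str


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; returns 0 when data already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_packet(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Constructed IPv4+ICMP test packet with sample addresses (no real traffic)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + payload
    icmp = struct.pack("!BBH", icmp_type, code, inet_checksum(body)) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                      bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1]))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def _deny(itype: int, code: int, why: str) -> Verdict:
    """Rule 01020: deny, logging at most LOGAMOUNT entries like ipfw's logamount."""
    if len(deny_log) < LOGAMOUNT:
        deny_log.append(f"deny icmp type {itype} code {code}: {why}")
    return Verdict(1020, "deny", why)


def filter_icmp(packet: bytes, iface: str) -> Verdict:
    """Return the rule and action the quoted policy applies to one received packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return Verdict(1020, "deny", "not a well-formed IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        return Verdict(0, "skip", "not ICMP; other rules apply")
    if inet_checksum(packet[:ihl]) != 0:
        return Verdict(1020, "deny", "bad IP header checksum")
    icmp = packet[ihl:]
    if len(icmp) < 4:
        return Verdict(1020, "deny", "truncated ICMP header")
    if inet_checksum(icmp) != 0:
        return Verdict(1020, "deny", "bad ICMP checksum")
    itype, code = icmp[0], icmp[1]

    if itype == ICMP_UNREACH and code not in UNREACH_CODES_OK:
        return _deny(itype, code, "type 3 subtype stripped")
    if itype in ALLOW_ANY:
        return Verdict(1000, "allow", f"type {itype} code {code} in icmpallow")
    if itype == ICMP_REDIRECT and iface in REDIRECT_OK_IFACES:
        return Verdict(1010, "allow", f"redirect permitted via inside iface {iface}")
    return _deny(itype, code, f"type {itype} not in allow list via {iface}")


if __name__ == "__main__":
    # "fxp0" is an assumed outside interface name; dc0 is an inside one from the thread.
    for itype, code, iface in [(8, 0, "fxp0"), (5, 1, "dc0"), (5, 1, "fxp0"),
                               (3, 3, "fxp0"), (3, 8, "fxp0"), (13, 0, "fxp0")]:
        v = filter_icmp(build_icmp_packet(itype, code, b"ping"), iface)
        print(f"type {itype:2d} code {code} via {iface}: rule {v.rule:05d} {v.action}: {v.reason}")
    print("\n".join(deny_log))
```

Checking the ICMP checksum before classifying matters because a filter that keys only on the first two bytes would happily let through a corrupt or deliberately malformed message that the receiving stack itself would discard; the subtype table shows how a type-3 policy can be tightened without giving up the codes that TCP and path-MTU discovery depend on.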
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?00062717070013.00364>