Questions about ICMP

Guy Fraser guy at incentre.net
Fri Dec 7 18:10:54 UTC 2007


On 2007-Dec-07, at 09:46, Gordon Messmer wrote:

> Daniel B. Thurman wrote:
>> So... am I to read this as it is a good idea to disable all ICMP
>> requests?  I get a LOT of ICMP requests from the Internet probing
>> at my ports, which are disabled.  This is a good idea?
>
> That's impossible.  UDP ports can only be tested by UDP packets, and  
> TCP ports can only be tested by TCP packets.  ICMP is a different IP  
> protocol which doesn't feature numbered ports.  As such, blocking  
> ICMP won't prevent port scans, it'll just prevent some of your own  
> outbound connections from working properly.

If you block ICMP echo reply {ICMP type 0} and ICMP unreachable {ICMP
type 3} packets from egress {going out from your machine}, your machine
will not answer ping requests {ICMP type 8} or send unreachable messages
for ports that do not have any listeners running on them, or are blocked.
Another good thing to block is ICMP type 5, which asks the recipient to
redirect packets elsewhere.

Blocking all ICMP can have unintended consequences, but it is best if it
is blocked bidirectionally. Allowing ICMP responses from your machine
allows the "scanner" to know you are there and which ports are blocked or
unused.

I prefer to use a more complicated ICMP blocking ruleset, but no longer
have a Linux machine to show an example.

This is the generic part of the ipfw ruleset I am now using on the OS X
Leopard machine I got to replace my Fedora Workstation:

--- snip ---
# Path to the ipfw binary on OS X Leopard
IPFW=/sbin/ipfw

# Clear Firewall and start from scratch
$IPFW -f flush

# Allow all internal traffic
$IPFW add 1000 allow ip from any to any via lo0

# Deny and log spoofed traffic (loopback addresses on a real interface)
$IPFW add 1010 deny log ip from 127.0.0.0/8 to any in
$IPFW add 1020 deny log ip from any to 127.0.0.0/8 in

# Deny Multicast packets
#$IPFW add 1030 deny log ip from 224.0.0.0/3 to any in
#$IPFW add 1040 deny log tcp from any to 224.0.0.0/3 in

# Block outgoing ICMP unreachable packets (type 3, includes port unreachable)
$IPFW add 1050 deny icmp from me to any out icmptypes 3
# Block incoming redirection packets (type 5)
$IPFW add 1060 deny icmp from any to me in icmptypes 5
# Block outgoing echo reply packets (type 0); direction is "out", not "in"
$IPFW add 1070 deny icmp from me to any out icmptypes 0
# Block incoming echo request packets (type 8)
$IPFW add 1080 deny icmp from any to me in icmptypes 8

# Allow other ICMP packets (time exceeded, fragmentation needed, etc.)
$IPFW add 1090 allow icmp from any to any

# Allow all outbound traffic
$IPFW add 2000 allow ip from me to any

# specific access control rules below
--- snip ---

I know these are not directly useful, but do provide a basis for a
reasonable ruleset.
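Since the poster no longer has a Linux box to show it on, here is the same
generic ICMP policy rendered as an iptables script. This is an added
example, not the poster's ruleset; it assumes a standard iptables with the
named ICMP types, and IPT defaults to "echo iptables" so the script only
prints the rules until you run it with IPT=iptables as root.

```shell
#!/bin/bash
# iptables rendering of the generic ipfw ICMP rules (added example).
# IPT defaults to "echo iptables": print the rules instead of applying them.
set -eu
IPT=${IPT:-"echo iptables"}

icmp_rules() {
    # Rule 1000 equivalent: loopback traffic is always allowed
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Rule 1010 equivalent: log and drop spoofed loopback sources on real
    # interfaces (loopback itself was already accepted above)
    $IPT -A INPUT -s 127.0.0.0/8 -j LOG --log-prefix "spoofed-lo: "
    $IPT -A INPUT -s 127.0.0.0/8 -j DROP

    # Rule 1050: never tell a scanner which ports are closed (outgoing type 3)
    $IPT -A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP
    # Rule 1060: ignore requests to reroute our traffic (incoming type 5)
    $IPT -A INPUT  -p icmp --icmp-type redirect -j DROP
    # Rules 1070/1080: do not answer pings in either direction (types 8 and 0)
    $IPT -A INPUT  -p icmp --icmp-type echo-request -j DROP
    $IPT -A OUTPUT -p icmp --icmp-type echo-reply   -j DROP

    # Rule 1090: other ICMP (time-exceeded, fragmentation-needed) stays open
    $IPT -A INPUT  -p icmp -j ACCEPT
    $IPT -A OUTPUT -p icmp -j ACCEPT

    # Rule 2000: all other outbound traffic is allowed
    $IPT -A OUTPUT -j ACCEPT
}

icmp_rules
```

Run as is to review the generated rules; the specific access-control rules
for listening services still have to be appended below, as in the ipfw
version.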




More information about the fedora-list mailing list