Questions about ICMP

John Summerfield debian at herakles.homelinux.org
Fri Dec 7 20:35:17 UTC 2007


Guy Fraser wrote:
> 
> On 2007-Dec-07, at 09:46, Gordon Messmer wrote:
> 
>> Daniel B. Thurman wrote:
>>> So... am I to read this as it is a good idea to disable all ICMP
>>> requests?  I get a LOT of ICMP requests from the Internet probing
>>> at my ports, which are disabled.  This is a good idea?
>>
>> That's impossible.  UDP ports can only be tested by UDP packets, and 
>> TCP ports can only be tested by TCP packets.  ICMP is a different IP 
>> protocol which doesn't feature numbered ports.  As such, blocking ICMP 
>> won't prevent port scans, it'll just prevent some of your own outbound 
>> connections from working properly.
> 
> If you block ICMP echo reply {ICMP type 0} and ICMP unreachable {ICMP
> type 3} packets from egress {going out from your machine} your machine
> will not answer ping requests {ICMP type 8} or send unreachable messages
> for ports that do not have any listeners running on them, or are
> blocked. Another good thing

Why is blocking type 0 good?
Why is blocking type 3 good?


> to block
> is ICMP type 5 which asks the recipient to redirect packets elsewhere.

What's the problem with these?


> 
> Blocking all ICMP can have unintended consequences, but is best if it is
> blocked bidirectionally. Allowing ICMP responses from your machine allows
> the "scanner" to know you are there and which ports are blocked or unused.

Dropping packets to protected ports is sufficient to protect them, and 
is established practice.

> 
> I prefer to use a more complicated ICMP blocking ruleset, but no longer
> have a Linux machine to show an example.
> 
> This is the generic part of the ipfw ruleset, I am now using on the OS X
> Leopard machine I got to replace my Fedora Workstation :
> 
> --- snip ---
> # Clear Firewall and start from scratch
> $IPFW -f flush
> 
> # Allow all internal traffic
> $IPFW add 1000 allow ip from any to any via lo0
> 
> # Deny and log spoofed traffic
> $IPFW add 1010 deny log ip from 127.0.0.0/8 to any in
> $IPFW add 1020 deny log ip from any to 127.0.0.0/8 in
> 
> # Deny Multicast packets
> #$IPFW add 1030 deny log ip from 224.0.0.0/3 to any in
> #$IPFW add 1040 deny log tcp from any to 224.0.0.0/3 in

Don't those break Bonjour?

> 
> # Block outgoing ICMP unreachable packets
> $IPFW add 1050 deny icmp from me to any out icmptypes 3
> # Block incoming redirection packets
> $IPFW add 1060 deny icmp from any to me in icmptypes 5
> # Block outgoing echo reply packets
> $IPFW add 1070 deny icmp from me to any out icmptypes 0
> # Block incoming echo request packets
> $IPFW add 1080 deny icmp from any to me in icmptypes 8

Those limit your network functionality for limited (if any) gain.

> 
> # Allow other ICMP packets
> $IPFW add 1090 allow icmp from any to any
> 
> # Allow all outbound traffic
> $IPFW add 2000 allow ip from me to any

while, should I manage to install a bot on your system, allow me 
unrestricted access to the world.

I had an incident a couple of years ago where a user's account was 
penetrated and an IRC bot installed, and the system began testing the 
world for other under-secured systems.

My current firewalls restrict access to needed ports, both from the 
Internet to my systems, and from my systems to the Internet.

As I said previously, blocking outgoing ICMP 3 does not prevent my 
connecting to open ports. However, dropping or rejecting my connexion 
requests does do that.

If you have postgresql listening to port 5432 on your public interface 
and you drop outgoing ICMP type 3, then my request to open a connexion 
will succeed. If you don't have postgresql listening to your public 
interface, then my request will time out. This does not prevent my 
testing other ports at the same time if I wish.

With my setup, dropping connexion requests from the Internet to port 
5432, you time out regardless of whether postgresql is running at all.

I could also unconditionally send ICMP 3 to Internet hosts, regardless 
of whether postgresql is running or not.

Probably, the correct response to an unwelcome request is to send ICMP 3 
code 9, but I don't know a reason that it matters if I don't tell the 
untrusted the whole truth.



-- 

Cheers
John

-- spambait
1aaaaaaa at coco.merseine.nu  Z1aaaaaaa at coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)




More information about the fedora-list mailing list
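Added example, not code from John's or Guy's messages: a small Python program that builds the packets the thread argues about and reads them back the way a port scanner does. The function names, the 192.168.1.2 / 198.51.100.10 addresses and the packet bytes are constructed here for illustration; the ICMP message layout and the type 3 codes come from RFC 792 and RFC 1812, and the open / closed / filtered verdicts follow the conventions Nmap uses for UDP and SYN scans.

```python
import struct

# ICMP types named in the thread (RFC 792) and the type 3 codes a scanner
# cares about (RFC 792 / RFC 1812).  ICMP has no port numbers of its own.
ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_REDIRECT, ICMP_ECHO_REQUEST = 0, 3, 5, 8
UNREACH_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 over an already-checksummed message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp_probe(src: bytes, dst: bytes, sport: int, dport: int) -> bytes:
    """Constructed IPv4 header plus an empty UDP datagram, as a UDP scanner sends it."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]   # fill header checksum
    return ip + struct.pack("!HHHH", sport, dport, 8, 0)


def build_icmp_unreachable(code: int, offending: bytes) -> bytes:
    """Type 3 message: 8-byte header, then the offending IP header + 8 payload bytes
    (RFC 792).  The probed port survives only inside that quoted datagram."""
    ihl = (offending[0] & 0x0F) * 4
    quoted = offending[:ihl + 8]
    unchecked = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, inet_checksum(unchecked), 0) + quoted


def parse_icmp(msg: bytes):
    """Validate the checksum and return (type, code, quoted_dst_port).
    quoted_dst_port is None unless a type 3 message quotes a TCP or UDP datagram."""
    if len(msg) < 8 or inet_checksum(msg) != 0:
        raise ValueError("bad ICMP length or checksum")
    itype, code, port = msg[0], msg[1], None
    if itype == ICMP_DEST_UNREACH and len(msg) >= 8 + 20 + 8:
        inner = msg[8:]
        ihl = (inner[0] & 0x0F) * 4
        if inner[9] in (6, 17) and len(inner) >= ihl + 4:      # TCP or UDP quoted
            port = struct.unpack("!H", inner[ihl + 2:ihl + 4])[0]
    return itype, code, port


def classify_udp_probe(response):
    """Verdict a UDP scanner draws; None means nothing came back before the timeout.
    Silence is ambiguous: a quiet listener, a dropped probe, or a type 3 dropped on egress."""
    if response is None:
        return "open|filtered"
    if response["proto"] == "udp":
        return "open"
    itype, code, _ = parse_icmp(response["icmp"])
    if itype != ICMP_DEST_UNREACH:
        return "open|filtered"
    if code == 3:
        return "closed"
    return "filtered" if code in (1, 2, 9, 10, 13) else "open|filtered"


def classify_tcp_probe(response):
    """Verdict a SYN scanner draws.  A closed TCP port answers with RST, not ICMP,
    so blocking egress type 3 does not hide which TCP ports are listening."""
    if response is None:
        return "filtered"
    if response["proto"] == "tcp":
        flags = response["flags"]
        if (flags & 0x12) == 0x12:      # SYN+ACK
            return "open"
        return "closed" if flags & 0x04 else "unknown"   # RST
    itype, code, _ = parse_icmp(response["icmp"])
    return "filtered" if itype == ICMP_DEST_UNREACH and code in (1, 2, 3, 9, 10, 13) else "unknown"


if __name__ == "__main__":
    # Constructed probe from 192.168.1.2 to 198.51.100.10 port 5432 (postgresql).
    probe = build_ipv4_udp_probe(b"\xc0\xa8\x01\x02", b"\xc6\x33\x64\x0a", 40000, 5432)
    reply = build_icmp_unreachable(3, probe)
    print(parse_icmp(reply), UNREACH_CODES[reply[1]])
    print("reject with type 3:", classify_udp_probe({"proto": "icmp", "icmp": reply}))
    print("drop (or type 3 blocked on egress):", classify_udp_probe(None))
```

Running it puts the two sides of the argument next to each other. The ICMP header itself carries no port, yet the type 3 reply quotes the probed datagram and so tells the scanner that UDP 5432 had no listener; hand the classifier None instead (the probe dropped, or the type 3 never left the host) and it is stuck with open|filtered, which is the timeout John describes whether or not postgresql is running. TCP behaves differently: a closed TCP port answers with RST, so egress filtering of type 3 does nothing to conceal which TCP ports are open, and only dropping the SYNs themselves does.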