Re: Blocking ICMP with ipchains

From: Mikael Olsson (mikael.olssonat_private)
Date: Fri Jan 14 2000 - 05:16:10 PST

    wwebbat_private wrote:
    > 
    > I've heard that it is not wise to block all ICMP operations.  Such
    > being the case, which of these ICMP operations are safe to block
    > without causing serious problems:
    
    We have two separate problems here. IN or OUTgoing.
    Unusually enough, RECEIVING ICMP errors is safer than SENDING
    them, due to "firewalking", a process of discovering which
    IP addresses are hidden behind a NAT device, such as a firewall.
    
    > echo-reply (pong)		Safe In, Safe Out
    > destination-unreachable       
    >    network-unreachable        In
    >    host-unreachable           In
    >    protocol-unreachable       In
    >    port-unreachable           In
    >    fragmentation-needed       In
    >    source-route-failed
    >    network-unknown
    >    host-unknown
    >    network-prohibited         In
    >    host-prohibited            In
    >    TOS-network-unreachable
    >    TOS-host-unreachable
    >    communication-prohibited   In
    >    host-precedence-violation
    >    precedence-cutoff
    > source-quench
    > redirect
    >    network-redirect
    >    host-redirect
    >    TOS-network-redirect
    >    TOS-host-redirect
    > echo-request (ping)           In, Out
    > router-advertisement
    > router-solicitation
    > time-exceeded (ttl-exceeded)  
    >    ttl-zero-during-transit      In
    >    ttl-zero-during-reassembly   
    > parameter-problem
    >    ip-header-bad
    >    required-option-missing
    > timestamp-request
    > timestamp-reply
    > address-mask-request
    > address-mask-reply
    > 
    
    Allowing pingreqs to your inside depends on your security policy.
    It might help hackers in finding what machines are "up", but it
    might also help people do legitimate things.
    A lot of people choose to disallow inbound pingreqs.
    
    The reason you often do not wish to allow outbound ICMP errors
    such as destination unreachable is, as I said, that you'll
    be leaking protected addresses.
    If you are not NATing your protected network, this is not an issue.
    
    Some of the codes/types that I've left blank are due to 
    real security hazards (primarily redirect), but others
    are due to the fact that they're simply not part of normal
    communications, and the less that you let in, the better.
    
    Hope this helps
    
    /Mike
    
    Oh and BTW: You might hear rumours about trojans communicating
    over ICMP.... So what? They communicate over DNS and HTTP too,
    and you're not blocking those, are you? Trojans are better
    defended against at host level and by having half a brain (IMHO).
    
    -- 
    Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
    Phone: +46 (0)660 105 50           Fax: +46 (0)660 122 50
    Mobile: +46 (0)70 248 00 33
    WWW: http://www.enternet.se        E-mail: mikael.olssonat_private
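
The In/Out table above, turned into an ipchains rule set, as an added example
that is not part of Mike's post or the list archive. Assumptions: the
input/output chains end in a DENY for ICMP, so only ACCEPT rules need to be
listed (plus explicit logged DENYs at the end); the ICMP type names are the
ones "ipchains -h icmp" prints; whether inbound echo-request is accepted is left
as a parameter because the post says it is a site-policy choice. The script
only prints the commands, so it can be inspected (or piped to sh on a 2.2
kernel as root) without touching a live firewall.

```shell
#!/bin/sh
# Added example, not from the original post: ipchains ICMP policy derived from
# the In/Out table. Assumes: chains default to DENY for ICMP; type names are the
# ones listed by "ipchains -h icmp"; --icmp-type is the ipchains(8) option.

# Inbound: pong, the destination-unreachable codes marked "In", and
# TTL-expired-in-transit. No redirects, no source-quench, no router/mask/
# timestamp messages; those are not part of normal traffic.
ICMP_IN="echo-reply network-unreachable host-unreachable protocol-unreachable \
port-unreachable fragmentation-needed network-prohibited host-prohibited \
communication-prohibited ttl-zero-during-transit"

# Outbound: only ping and pong. No outbound error messages, so a NATed inside
# cannot be enumerated from the unreachables this box would otherwise emit.
ICMP_OUT="echo-reply echo-request"

# icmp_rules <allow_inbound_ping: 0|1>
# Prints the ipchains commands, one per line, without executing any of them.
icmp_rules() {
    allow_in_ping=${1:-0}
    for t in $ICMP_IN; do
        echo "ipchains -A input -p icmp --icmp-type $t -j ACCEPT"
    done
    # Inbound echo-request: policy decision, off by default.
    if [ "$allow_in_ping" = 1 ]; then
        echo "ipchains -A input -p icmp --icmp-type echo-request -j ACCEPT"
    fi
    for t in $ICMP_OUT; do
        echo "ipchains -A output -p icmp --icmp-type $t -j ACCEPT"
    done
    # Everything else ICMP is logged (-l) and denied on both chains.
    echo "ipchains -A input -p icmp -l -j DENY"
    echo "ipchains -A output -p icmp -l -j DENY"
}

# apply_rules <allow_inbound_ping>
# Loads the generated rules; needs root and an ipchains kernel. Appends only,
# so run it against freshly flushed chains or a fresh boot.
apply_rules() {
    icmp_rules "$1" | sh
}

# Usage: review first, then apply.
#   sh icmp-policy.sh            # prints the rule set, inbound ping denied
#   ALLOW_IN_PING=1 sh icmp-policy.sh
if [ "${0##*/}" = "icmp-policy.sh" ]; then
    icmp_rules "${ALLOW_IN_PING:-0}"
fi
```

The two DENY lines at the end are what make the "leave blank" entries in the
table actually effective; without them an ipchains input chain whose policy is
ACCEPT would still pass redirects and the rest.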
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:57:36 PDT