Guy Fraser wrote:
On 2007-Dec-07, at 09:46, Gordon Messmer wrote:
Daniel B. Thurman wrote:
So... am I to read this as it is a good idea to disable all ICMP
requests? I get a LOT of ICMP requests from the Internet probing
at my ports, which are disabled. This is a good idea?
That's impossible. UDP ports can only be tested by UDP packets, and
TCP ports can only be tested by TCP packets. ICMP is a different IP
protocol which doesn't feature numbered ports. As such, blocking ICMP
won't prevent port scans, it'll just prevent some of your own outbound
connections from working properly.
If you block ICMP echo reply {ICMP type 0} and ICMP unreachable {ICMP
type 3}
packets from egress {going out from your machine} your machine will not
answer
ping requests {ICMP type 8} or send unreachable messages for ports that
do not
have any listeners running on them, or are blocked. Another good thing
Why is blocking type 0 good?
Why is blocking type 3 good?
to block
is ICMP type 5 which asks the recipient to redirect packets elsewhere.
What's the problem with these?
Blocking all ICMP can have unintended consequences, but is best if it is
blocked bidirectionally. Allowing ICMP responses from your machine allows
the "scanner" to know you are there and which ports are blocked or unused.
dropping packets to protected ports is sufficient to protect them, and
is established practice.
I prefer to use a more complicated ICMP blocking ruleset, but no longer
have a Linux machine to show an example.
This is the generic part of the ipfw ruleset, I am now using on the OS X
Leopard machine I got to replace my Fedora Workstation :
--- snip ---
# Clear Firewall and start from scratch
$IPFW -f flush
# Allow all internal traffic
$IPFW add 1000 allow ip from any to any via lo0
# Deny and log spoofed traffic
$IPFW add 1010 deny log ip from 127.0.0.0/8 to any in
$IPFW add 1020 deny log ip from any to 127.0.0.0/8 in
# Deny Multicast packets
#$IPFW add 1030 deny log ip from 224.0.0.0/3 to any in
#$IPFW add 1040 deny log tcp from any to 224.0.0.0/3 in
Don't those break Bonjour?
# Block outgoing ICMP unreachable packets
$IPFW add 1050 deny icmp from me to any out icmptypes 3
# Block incoming redirection packets
$IPFW add 1060 deny icmp from any to me in icmptypes 5
# Block outgoing echo reply packets
$IPFW add 1070 deny icmp from me to any in icmptypes 0
# Block incoming echo request packets
$IPFW add 1080 deny icmp from any to me in icmptypes 8
Those limit your network functionality for limited (if any gain)
# Allow other ICMP packets
$IPFW add 1090 allow icmp from any to any
# Allow all outbound traffic
$IPFW add 2000 allow ip from me to any
while, should I manage to install a bot on your system, allow me
unrestricted access to the world.
I had an incident a couple of years ago where a user's account was
penetrated and an IRC bot installed, and the system began testing the
world for other under-secured systems.
My current firewalls restrict access to needed ports, both from the
Internet to my systems, and from my systems to the Internet.
As I said previously, blocking outgoing ICMP 3 does not prevent my
connecting to open ports. However, dropping or rejecting my connexion
requests does do that.
If you have postgresql listening to port 5432 on your public interface
and you drop outgoing ICMP type 3, then my request to open a connexion
will succeed. If you don't have postgresql listening to your public
interface, then my request will time out. This does not prevent my
testing other ports at the same time if I wish.
With my setup, dropping connexion requests from the Internet to port
5432, you time out regardless of whether postgresql is running at all.
I could also unconditionally send ICMP 3 to Internet hosts, regardless
of whether postgresql is running or not.
Probably, the correct response to an unwelcome request is to send ICMP 3
code 9, but I don't know a reason that it matters if I don't tell the
untrusted the whole truth.
--
Cheers
John
-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxx Z1aaaaaaa@xxxxxxxxxxxxxxxx
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list:-)