Re: Questions about ICMP

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Guy Fraser wrote:

On 2007-Dec-07, at 09:46, Gordon Messmer wrote:

Daniel B. Thurman wrote:
So... am I to read this as it is a good idea to disable all ICMP
requests?  I get a LOT of ICMP requests from the Internet probing
at my ports, which are disabled.  This is a good idea?

That's impossible. UDP ports can only be tested by UDP packets, and TCP ports can only be tested by TCP packets. ICMP is a different IP protocol which doesn't feature numbered ports. As such, blocking ICMP won't prevent port scans, it'll just prevent some of your own outbound connections from working properly.

If you block ICMP echo reply {ICMP type 0} and ICMP unreachable {ICMP type 3} packets from egress {going out from your machine} your machine will not answer ping requests {ICMP type 8} or send unreachable messages for ports that do not have any listeners running on them, or are blocked. Another good thing

Why is blocking type 0 good?
Why is blocking type 3 good?


to block
is ICMP type 5 which asks the recipient to redirect packets elsewhere.

What's the problem with these?



Blocking all ICMP can have unintended consequences, but is best if it is
blocked bidirectionally. Allowing ICMP responses from your machine allows
the "scanner" to know you are there and which ports are blocked or unused.

dropping packets to protected ports is sufficient to protect them, and is established practice.


I prefer to use a more complicated ICMP blocking ruleset, but no longer
have a Linux machine to show an example.

This is the generic part of the ipfw ruleset, I am now using on the OS X
Leopard machine I got to replace my Fedora Workstation :

--- snip ---
# Clear Firewall and start from scratch
$IPFW -f flush

# Allow all internal traffic
$IPFW add 1000 allow ip from any to any via lo0

# Deny and log spoofed traffic
$IPFW add 1010 deny log ip from 127.0.0.0/8 to any in
$IPFW add 1020 deny log ip from any to 127.0.0.0/8 in

# Deny Multicast packets
#$IPFW add 1030 deny log ip from 224.0.0.0/3 to any in
#$IPFW add 1040 deny log tcp from any to 224.0.0.0/3 in

Don't those break Bonjour?


# Block outgoing ICMP unreachable packets
$IPFW add 1050 deny icmp from me to any out icmptypes 3
# Block incoming redirection packets
$IPFW add 1060 deny icmp from any to me in icmptypes 5
# Block outgoing echo reply packets
$IPFW add 1070 deny icmp from me to any in icmptypes 0
# Block incoming echo request packets
$IPFW add 1080 deny icmp from any to me in icmptypes 8

Those limit your network functionality for limited (if any gain)


# Allow other ICMP packets
$IPFW add 1090 allow icmp from any to any

# Allow all outbound traffic
$IPFW add 2000 allow ip from me to any

while, should I manage to install a bot on your system, allow me unrestricted access to the world.

I had an incident a couple of years ago where a user's account was penetrated and an IRC bot installed, and the system began testing the world for other under-secured systems.

My current firewalls restrict access to needed ports, both from the Internet to my systems, and from my systems to the Internet.

As I said previously, blocking outgoing ICMP 3 does not prevent my connecting to open ports. However, dropping or rejecting my connexion requests does do that.

If you have postgresql listening to port 5432 on your public interface and you drop outgoing ICMP type 3, then my request to open a connexion will succeed. If you don't have postgresql listening to your public interface, then my request will time out. This does not prevent my testing other ports at the same time if I wish.

With my setup, dropping connexion requests from the Internet to port 5432, you time out regardless of whether postgresql is running at all.

I could also unconditionally send ICMP 3 to Internet hosts, regardless of whether postgresql is running or not.

Probably, the correct response to an unwelcome request is to send ICMP 3 code 9, but I don't know a reason that it matters if I don't tell the untrusted the whole truth.



--

Cheers
John

-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxx  Z1aaaaaaa@xxxxxxxxxxxxxxxx
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux