Re: Questions about ICMP

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


On 2007-Dec-07, at 13:35, John Summerfield wrote:


Guy Fraser wrote:

On 2007-Dec-07, at 09:46, Gordon Messmer wrote:

Daniel B. Thurman wrote:

So... am I to read this as it is a good idea to disable all ICMP
requests?  I get a LOT of ICMP requests from the Internet probing
at my ports, which are disabled.  This is a good idea?
That's impossible. UDP ports can only be tested by UDP packets, and TCP ports can only be tested by TCP packets. ICMP is a different IP protocol which doesn't feature numbered ports. As such, blocking ICMP won't prevent port scans, it'll just prevent some of your own outbound connections from working properly.
If you block ICMP echo reply {ICMP type 0} and ICMP unreachable {ICMP type 3} packets from egress {going out from your machine} your machine will not answer ping requests {ICMP type 8} or send unreachable messages for ports that do not have any listeners running on them, or are blocked. Another good thing 

Why is blocking type 0 good?


So you do not get hammered by pings.



Why is blocking type 3 good?


If you reject packets, your host may send an unreachable response.






to block
is ICMP type 5 which asks the recipient to redirect packets elsewhere. 

What's the problem with these?



Google for ICMP redirect, and check the security implications.
Blocking all ICMP can have unintended consequences, but is best if it is blocked bidirectionally. Allowing ICMP responses from your machine allows the "scanner" to know you are there and which ports are blocked or unused.
dropping packets to protected ports is sufficient to protect them, and is established practice.
Yes, but are you certain the original poster is dropping all packets sent to 
ports that do not have listeners ?
I prefer to use a more complicated ICMP blocking ruleset, but no longer 
have a Linux machine to show an example.
This is the generic part of the ipfw ruleset, I am now using on the OS X 
Leopard machine I got to replace my Fedora Workstation :
--- snip ---
# Clear Firewall and start from scratch
$IPFW -f flush
# Allow all internal traffic
$IPFW add 1000 allow ip from any to any via lo0
# Deny and log spoofed traffic
$IPFW add 1010 deny log ip from 127.0.0.0/8 to any in
$IPFW add 1020 deny log ip from any to 127.0.0.0/8 in
# Deny Multicast packets
#$IPFW add 1030 deny log ip from 224.0.0.0/3 to any in
#$IPFW add 1040 deny log tcp from any to 224.0.0.0/3 in


Don't those break Bonjour?


That is why they are commented out





# Block outgoing ICMP unreachable packets
$IPFW add 1050 deny icmp from me to any out icmptypes 3
# Block incoming redirection packets
$IPFW add 1060 deny icmp from any to me in icmptypes 5
# Block outgoing echo reply packets
$IPFW add 1070 deny icmp from me to any in icmptypes 0
# Block incoming echo request packets
$IPFW add 1080 deny icmp from any to me in icmptypes 8


Those limit your network functionality for limited (if any gain)


In your opinion.





# Allow other ICMP packets
$IPFW add 1090 allow icmp from any to any
# Allow all outbound traffic
$IPFW add 2000 allow ip from me to any
while, should I manage to install a bot on your system, allow me unrestricted access to the world.
I had an incident a couple of years ago where a user's account was penetrated and an IRC bot installed, and the system began testing the world for other under-secured systems.
My current firewalls restrict access to needed ports, both from the Internet to my systems, and from my systems to the Internet.
As I said previously, blocking outgoing ICMP 3 does not prevent my connecting to open ports. However, dropping or rejecting my connexion requests does do that.
If you have postgresql listening to port 5432 on your public interface and you drop outgoing ICMP type 3, then my request to open a connexion will succeed. If you don't have postgresql listening to your public interface, then my request will time out. This does not prevent my testing other ports at the same time if I wish.
With my setup, dropping connexion requests from the Internet to port 5432, you time out regardless of whether postgresql is running at all.
I could also unconditionally send ICMP 3 to Internet hosts, regardless of whether postgresql is running or not.
Probably, the correct response to an unwelcome request is to send ICMP 3 code 9, but I don't know a reason that it matters if I don't tell the untrusted the whole truth. 



I did not say this was the whole Firewall ruleset. This is just the top
part of what I use on my workstation. I clipped the rules so I didn't
have to obscure my access control lists for for the ports I do listen on.
Use what works for you, I did not start this conversation saying what you 
do is wrong.
The original poster was asking about blocking ICMP, if you want to debate 
how to set up the ultimate firewall, start your own thread. The best way
to firewall is to return nothing to anything but what you intend on
responding to. Sending false responses, does not protect you, but often
antagonizes the hacker. There are far too many elements involved in
hardening a machine that I will not go into here that are far beyond
just configuring a firewall.




--

Cheers
John
[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux