Questions about ICMP

John Summerfield debian at herakles.homelinux.org
Sat Dec 8 08:59:15 UTC 2007


Guy Fraser wrote:
> 
> On 2007-Dec-07, at 13:35, John Summerfield wrote:
> 
>> Guy Fraser wrote:
>>> On 2007-Dec-07, at 09:46, Gordon Messmer wrote:
>>>> Daniel B. Thurman wrote:
>>>>> So... am I to read this as it is a good idea to disable all ICMP
>>>>> requests?  I get a LOT of ICMP requests from the Internet probing
>>>>> at my ports, which are disabled.  This is a good idea?
>>>>
>>>> That's impossible.  UDP ports can only be tested by UDP packets, and 
>>>> TCP ports can only be tested by TCP packets.  ICMP is a different IP 
>>>> protocol which doesn't feature numbered ports.  As such, blocking 
>>>> ICMP won't prevent port scans, it'll just prevent some of your own 
>>>> outbound connections from working properly.
>>> If you block ICMP echo reply {ICMP type 0} and ICMP unreachable {ICMP 
>>> type 3}
>>> packets from egress {going out from your machine} your machine will 
>>> not answer
>>> ping requests {ICMP type 8} or send unreachable messages for ports 
>>> that do not
>>> have any listeners running on them, or are blocked. Another good thing
>>
>> Why is blocking type 0 good?
> 
> So you do not get hammered by pings.

Oh, you block ping replies so your IAP can't test your network 
connectivity. If your IAP also blocks echo replies, then neither of you 
can test.

Pings are small packets; I would expect the bottleneck to be on the 
wire. If I were malicious enough to want to hammer your system, I'd use 
bigger packets. A chain email about poor little Freddy who's dying of 
cancer, wants to collect a world-record number of pictures of cuddly 
critters and could you send them to freddy at example.com has been known to 
work fairly well. Or "/." the victim.
This http://www.cisco.com/warp/public/707/21.html has a section on Flood 
Management. Read it, it doesn't apply to many on this list.
> 
>>
>> Why is blocking type 3 good?
> 
> If you reject packets, your host may send an unreachable response.

If you reject packets, that's exactly what you should do. I suggest 
dropping them.

> 
>>
>>
>>
>>> to block
>>> is ICMP type 5 which asks the recipient to redirect packets elsewhere.
>>
>> What's the problem with these?
>>
> 
> Google for ICMP redirect, and check the security implications.
> 

This suggests it's not a real problem:
http://www.cs.columbia.edu/~smb/talks/ipext-acsac.ps
Unfortunately I had to twist my head over to read it, so I didn't read 
it all.

This http://www.cisco.com/warp/public/707/21.html says, "No end node 
ever sends a redirect, and no redirect is ever traversed more than one 
network hop." and goes on to recommend blocking them at an 
administrative boundary.

>>
>>> Blocking all ICMP can have unintended consequences, but is best if it is
>>> blocked bidirectionally. Allowing ICMP responses from your machine 
>>> allows
>>> the "scanner" to know you are there and which ports are blocked or 
>>> unused.
>>
>> Dropping packets to protected ports is sufficient to protect them, and 
>> is established practice.
>>
> 
> Yes, but are you certain the original poster is dropping all packets 
> sent to
> ports that do not have listeners ?

No, but I counselled it. Just as I counsel mostly leaving ICMP alone.

> 
>>> I prefer to use a more complicated ICMP blocking ruleset, but no longer
>>> have a Linux machine to show an example.
>>> This is the generic part of the ipfw ruleset, I am now using on the OS X
>>> Leopard machine I got to replace my Fedora Workstation :
>>> --- snip ---
>>> # Clear Firewall and start from scratch
>>> $IPFW -f flush
>>> # Allow all internal traffic
>>> $IPFW add 1000 allow ip from any to any via lo0
>>> # Deny and log spoofed traffic
>>> $IPFW add 1010 deny log ip from 127.0.0.0/8 to any in
>>> $IPFW add 1020 deny log ip from any to 127.0.0.0/8 in
>>> # Deny Multicast packets
>>> #$IPFW add 1030 deny log ip from 224.0.0.0/3 to any in
>>> #$IPFW add 1040 deny log tcp from any to 224.0.0.0/3 in
>>
>> Don't those break Bonjour?
> 
> That is why they are commented out
> 
>>
>>
>>> # Block outgoing ICMP unreachable packets
>>> $IPFW add 1050 deny icmp from me to any out icmptypes 3
>>> # Block incoming redirection packets
>>> $IPFW add 1060 deny icmp from any to me in icmptypes 5
>>> # Block outgoing echo reply packets (direction must be "out", not "in", to match the comment)
>>> $IPFW add 1070 deny icmp from me to any out icmptypes 0
>>> # Block incoming echo request packets
>>> $IPFW add 1080 deny icmp from any to me in icmptypes 8
>>
>> Those limit your network functionality for limited (if any) gain.
> 
> In your opinion.

Well, if you don't use all the ICMP then it's a fair assumption your 
network isn't properly controlled.


>>
>> With my setup, dropping connexion requests from the Internet to port 
>> 5432, you time out regardless of whether postgresql is running at all.
>>
>> I could also unconditionally send ICMP 3 to Internet hosts, regardless 
>> of whether postgresql is running or not.
>>
>> Probably, the correct response to an unwelcome request is to send ICMP 
>> 3 code 9, but I don't know a reason that it matters if I don't tell 
>> the untrusted the whole truth.
>>
> 
> I did not say this was the whole Firewall ruleset. This is just the top
> part of what I use on my workstation. I clipped the rules so I didn't
> have to obscure my access control lists for for the ports I do listen on.
> 
> Use what works for you, I did not start this conversation saying what you
> do is wrong.

That is true, but I do think some of your advice is wrong. It's 
perfectly possible that I am wrong, but so far you've failed to convince me.

> 
> The original poster was asking about blocking ICMP, if you want to debate
> how to set up the ultimate firewall, start your own thread. The best way
> to firewall is to return nothing to anything but what you intend on
> responding to. Sending false responses, does not protect you, but often
> antagonizes the hacker. There are far too many elements involved in
> hardening a machine that I will not go into here that are far beyond
> just configuring a firewall.

Proper use of ICMP requires coordination with other aspects of a 
firewall. Generally, not generating ICMP packets is better than blocking 
outgoing ICMP, and ignoring incoming ICMP packets can lead to network 
problems.

I note that the setup on my SL5 box explicitly allows all ICMP:
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT

and according to "Essential Mac OS X Panther Server Administration," 
Bartosh & Faas, O'Reilly, OS X does too. (Our Xserve with Tiger does 
too, but I'm not sure I'd call its rules a 'firewall').

-- 

Cheers
John

-- spambait
1aaaaaaa at coco.merseine.nu  Z1aaaaaaa at coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)
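An added example, not part of the thread or of either poster's rulesets: a small Python model of the four ICMP rules in the quoted ipfw fragment (rule 1070 read as an outgoing rule, as its comment says), evaluated over constructed ICMP messages with an RFC 1071 checksum, so the reader can see which everyday ICMP exchanges that fragment blocks and which it leaves alone. It assumes ipfw first-match semantics with an allow default after these rules.

```python
import struct

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 means the checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"          # pad for the computation only
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:           # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4) -> bytes:
    """Constructed ICMP message: type, code, checksum, then the 4-byte 'rest of header'."""
    msg = struct.pack("!BBH", icmp_type, code, 0) + rest
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(msg)) + rest

def parse_icmp(pkt: bytes) -> dict:
    if len(pkt) < 8:
        raise ValueError("ICMP header too short")
    t, c, _ = struct.unpack("!BBH", pkt[:4])
    return {"type": t, "code": c, "checksum_ok": icmp_checksum(pkt) == 0}

# The four ICMP rules of the quoted ipfw fragment (rule 1070 taken as "out",
# which is what its comment describes). Assumption: first match wins and
# anything that falls through is allowed, as with a default-allow tail.
RULES = [(1050, "out", 3), (1060, "in", 5), (1070, "out", 0), (1080, "in", 8)]

def ipfw_verdict(direction: str, pkt: bytes) -> str:
    hdr = parse_icmp(pkt)
    if not hdr["checksum_ok"]:
        return "drop (bad checksum)"   # the IP stack discards it before any rule
    for num, rule_dir, icmp_type in RULES:
        if rule_dir == direction and hdr["type"] == icmp_type:
            return f"deny (rule {num})"
    return "allow"

def survey() -> dict:
    """Which everyday ICMP exchanges survive this fragment?"""
    return {
        "ping request from Internet":   ipfw_verdict("in",  build_icmp(8, 0)),
        "our reply to that ping":       ipfw_verdict("out", build_icmp(0, 0)),
        "reply to a ping we sent":      ipfw_verdict("in",  build_icmp(0, 0)),
        "our port-unreachable (3/3)":   ipfw_verdict("out", build_icmp(3, 3)),
        "redirect from a router (5/1)": ipfw_verdict("in",  build_icmp(5, 1)),
        # type 3 code 4 is what path MTU discovery depends on receiving
        "frag-needed sent to us (3/4)": ipfw_verdict("in",  build_icmp(3, 4)),
    }
```

Running `survey()` shows the fragment silences replies and unreachables from the host but still accepts the echo replies and fragmentation-needed messages that the host's own outbound traffic relies on, which is the distinction John draws between ignoring incoming ICMP and simply not generating it.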