Firewall Wizards mailing list archives

Re: Blocking ICMP with ipchains


From: Mikael Olsson <mikael.olsson () enternet se>
Date: Fri, 14 Jan 2000 14:16:10 +0100



wwebb () adni net wrote:

> I've heard that it is not wise to block all ICMP operations.  Such
> being the case, which of these ICMP operations are safe to block
> without causing serious problems:

We have two separate problems here. IN or OUTgoing.
Unusually enough, RECEIVING ICMP errors is safer than SENDING
them, due to "firewalking", a process of discovering which
IP addresses are hidden behind a NAT device, such as a firewall.

echo-reply (pong)             Safe In, Safe Out
destination-unreachable       
   network-unreachable        In
   host-unreachable           In
   protocol-unreachable       In
   port-unreachable           In
   fragmentation-needed       In
   source-route-failed
   network-unknown
   host-unknown
   network-prohibited         In
   host-prohibited            In
   TOS-network-unreachable
   TOS-host-unreachable
   communication-prohibited   In
   host-precedence-violation
   precedence-cutoff
source-quench
redirect
   network-redirect
   host-redirect
   TOS-network-redirect
   TOS-host-redirect
echo-request (ping)           In, Out
router-advertisement
router-solicitation
time-exceeded (ttl-exceeded)  
   ttl-zero-during-transit      In
   ttl-zero-during-reassembly   
parameter-problem
   ip-header-bad
   required-option-missing
timestamp-request
timestamp-reply
address-mask-request
address-mask-reply


Allowing pingreqs to your inside depends on your security policy.
It might help hackers in finding what machines are "up", but it
might also help people do legitimate things.
A lot of people choose to disallow inbound pingreqs.

The reason you often do not wish to allow outbound ICMP errors
such as destination unreachable is, as I said, that you'll
be leaking protected addresses.
If you are not NATing your protected network, this is not an issue.

Some of the codes/types that I've left blank are due to 
real security hazards (primarily redirect), but others
are due to the fact that they're simply not part of normal
communications, and the less that you let in, the better.

Hope this helps

/Mike

Oh and BTW: You might hear rumours about trojans communicating
over ICMP.... So what? They communicate over DNS and HTTP too,
and you're not blocking those, are you? Trojans are better
defended against at host level and by having half a brain (IMHO).

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 105 50           Fax: +46 (0)660 122 50
Mobile: +46 (0)70 248 00 33
WWW: http://www.enternet.se        E-mail: mikael.olsson () enternet se


