Firewall Wizards mailing list archives

Re: blocking all ICMP at firewalls


From: blast <blast () broder com>
Date: Fri, 17 Oct 1997 20:13:54 -0700 (PDT)

On Wed, 15 Oct 1997, Jyri Kaljundi wrote:

How should ICMP be handled correctly at the firewall? The thing I want to
know is if I block all ICMP at firewalls external interface, what are the
things that will break? In some places I want to block both all ICMP to
the firewall external interface and all ICMP going through the firewall to
internal network. And since that will deny incoming echo-reply also, I
think I would deny all outgoing ICMP also. Now what will happen and is
this kind of configuration allowed?

ICMP is IP's janitor.
Its job is to communicate error messages and other conditions that
require attention.  You can just blindly block all ICMP and still
function but Layer 3 and Layer 4 performance will be compromised.
Below we will explore the issue from a "least privileged" approach.

The minimal set one would want is:
type 3 dest. unreachable
type 11 time exceeded

Destination Unreachable & Time Exceeded  (3 and 11)
----------------------------------------
ICMP has a type and code field you can mess with but
for the most part you will want all of type 3 and type 11 if
any type of Layer 3 sanity is to be achieved.

I have people telling me all the time that there are parts of type
3 that can be used for denial of service attacks.  While this is
true to some degree, so can lots of other Layer 3 fields.
Allowing type 3 and type 11 will help your IP traffic a lot!
Denial of service attacks are issues you manage, not issues
you can get rid of.

Tailoring to your Network Administrative needs
--------------------------------------------
You may want to let out 'echo requests' (type 8) and let back
in 'echo reply' (type 0).  Again, the choice is yours.  These risks
are low compared to the benefits of having some network
tools handy.

At this point you have 
type 3
type 11
and type 0 and type 8 are your choice to implement

How important are ICMP source quench, time exceeded and parameter problem?

L3 Flow Control 
-------------
Depending how complex your networking needs are, you may
need to allow type 4 source quench.  What qualifies
as complex?  Well, if you are running any type of bandwidth
allocation or resource reservation via some queueing
method you would qualify.  Stuff like RED (Random Early 
Detection), some Frame-Relay queueing, will need (or 
I should say like to have) ICMP source quench available.
This is Layer 3 flow control and you can take it or 
leave it. 
My choice at this point is that I only allow type 4
between devices within my autonomous system and block
this at my borders.  Bottom line is that I allow this stuff
within networks that I administrate because it is there
that I know I will benefit from it.  When allowing this 
traffic to and from the Internet, I only benefit when 
someone else is using and allowing type 4 traffic.
It has not been a very big win so I just turn it off
at the borders.

Here are some other helpful sources:
RFC 792  Official ICMP spec.
Chapter 6 of TCP/IP Illustrated Vol. 1  Richard Stevens
RFC 1349

Good luck,
-blast
   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
   \    Tim Keanini    |         "The limits of my language,            /
   /                   |         are the limits of my world."           \
   \ blast () broder com  |         --Ludwig Wittgenstein                  /
   \                   +================================================/
   |Key fingerprint =  7B 68 88 41 A8 74 AB EC  F0 37 98 4C 37 F7 40 D6 |
   /    PUB KEY: http://www-swiss.ai.mit.edu/~bal/pks-commands.html     \
   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
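The policy blast lays out above (type 3 and 11 always, type 4 only between devices inside the autonomous system, echo request out and echo reply back in if you choose to) written up as an added example; this is not code from the original post or from the Firewall Wizards list. It parses the raw ICMP header (type, code, RFC 792 checksum) before it decides anything, so a corrupted or truncated message is dropped rather than guessed at. The internal address ranges, the 203.0.113.0/24 "Internet" addresses and the packets themselves are constructed for the demonstration; the `allow_echo` switch is a hypothetical knob standing in for "the choice is yours".

```python
"""ICMP header parser plus the border-filtering policy from the post
(added example; networks, addresses and packets below are constructed)."""
import struct
from ipaddress import ip_address, ip_network

# ICMP types from RFC 792 that the post discusses
ECHO_REPLY, DEST_UNREACHABLE, SOURCE_QUENCH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 4, 8, 11

# Hypothetical address space of "my autonomous system"; everything else is the Internet.
INTERNAL_NETS = (ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"))


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message.
    Returns 0 when run over a message whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4) -> bytes:
    """Construct a minimal ICMP message with a valid checksum (test data only)."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(header)) + rest


def parse_icmp(message: bytes) -> tuple[int, int]:
    """Return (type, code); reject truncated or corrupted messages."""
    if len(message) < 8:
        raise ValueError("ICMP message shorter than the 8-byte minimum header")
    if icmp_checksum(message) != 0:
        raise ValueError("ICMP checksum mismatch")
    icmp_type, code = struct.unpack("!BB", message[:2])
    return icmp_type, code


def _is_internal(addr: str) -> bool:
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def icmp_policy(src: str, dst: str, icmp_type: int, allow_echo: bool = True) -> str:
    """Verdict ('accept'/'drop') for one ICMP message at the border firewall,
    following the post: 3 and 11 always; 4 only inside the AS; 8 out / 0 in if chosen."""
    src_in, dst_in = _is_internal(src), _is_internal(dst)
    if icmp_type in (DEST_UNREACHABLE, TIME_EXCEEDED):
        return "accept"                     # the minimal set: Layer 3 sanity
    if icmp_type == SOURCE_QUENCH:
        return "accept" if src_in and dst_in else "drop"   # never across the border
    if allow_echo:
        if icmp_type == ECHO_REQUEST and src_in and not dst_in:
            return "accept"                 # let echo requests out
        if icmp_type == ECHO_REPLY and not src_in and dst_in:
            return "accept"                 # let echo replies back in (stateless; a
                                            # stateful filter would also match a prior request)
    return "drop"                           # default deny for every other type


def filter_packet(src: str, dst: str, raw_icmp: bytes, allow_echo: bool = True) -> str:
    """Parse, then apply the policy; malformed messages are dropped."""
    try:
        icmp_type, _code = parse_icmp(raw_icmp)
    except ValueError:
        return "drop"
    return icmp_policy(src, dst, icmp_type, allow_echo)


if __name__ == "__main__":
    # Constructed traffic: 203.0.113.0/24 stands in for the Internet, 10/8 for our AS.
    samples = [
        ("203.0.113.5", "10.1.2.3", build_icmp(DEST_UNREACHABLE, 1)),   # host unreachable in
        ("203.0.113.5", "10.1.2.3", build_icmp(TIME_EXCEEDED, 0)),      # TTL expired (traceroute)
        ("203.0.113.5", "10.1.2.3", build_icmp(SOURCE_QUENCH, 0)),      # quench from outside
        ("10.1.2.3", "10.5.0.1", build_icmp(SOURCE_QUENCH, 0)),         # quench inside the AS
        ("10.1.2.3", "203.0.113.5", build_icmp(ECHO_REQUEST, 0)),       # ping out
        ("203.0.113.5", "10.1.2.3", build_icmp(ECHO_REQUEST, 0)),       # ping in
    ]
    for src, dst, raw in samples:
        print(f"{src:>12} -> {dst:<12} type {raw[0]:2}: {filter_packet(src, dst, raw)}")
```

The checksum verification is the part a real border filter tends to skip, and it matters here: the policy keys entirely on the type byte, so a message whose header has been mangled in transit should not get the benefit of the type 3/11 exception. Setting `allow_echo=False` gives the stricter variant where only 3 and 11 cross the border.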


