Mikhail Zotov wrote:
> prg wrote on Wednesday 16 March 2005 00:33:
> >
> > Mikhail Zotov wrote:
> >> prg wrote on Tuesday 15 March 2005 17:40:
> >> > Mikhail Zotov wrote:
> >> ...
> >> >> Suppose I run traceroute on a LAN machine:
> >> >>
> >> >> darkstar$ traceroute some.host
> >> >> 1 * * *
> >> >> 2 the_first.host.after.the_router 0.894ms .....
> >> >> ....
> >> > ICMP is designed to work this way:
> >> > http://www.networksorcery.com/enp/protocol/icmp.htm
> >> > http://www.networksorcery.com/enp/pr...icmp/msg11.htm
> >> >
> ...
> >> > The packets sent are _not_ part of a single stream, thus _not_
> > related.
> >>
> >> Thank you *very much* for your really eye-opening reply and
> >> very helpful links.
> >>
> >> Still, I feel even more surprised now. As far as I understand,
> >> in order to avoid the situation described above, I should enable
> >> the following `logic' on the router:
> >>
> >> ICMP packets of type 11 and state `INVALID' should be allowed
> >> to go out from the interior network interface in case forwarding
> >> of outgoing traceroute (tracert) is permitted.
> ...
> >> In fact, I have found only one script that allows ICMP packets
> >> of type 11 in OUTPUT chain regardless of their state:
> >> http://linux.fan.lt/fwall (I don't count scripts that allow
> >> everything in OUTPUT chain.)
> >>
> >> Thus, the situation seems to be a bit strange.
> >
> > No time now to offer any explanation -- appointments to keep ;-)
>
> Don't worry and take your time! I am trying to solve this problem
> for already two or three weeks now. Have already tried two other
> NGs and the netfilter mailing list. Thus, there's no hurry. :-)
>
> > Go here to find all kinds of info on iptables:
> > http://www.linuxguruz.com/iptables/
> >
> > and here for a pretty good/complete tutorial:
> > http://iptables-tutorial.frozentux.n...-tutorial.html
>
> Oscar Andreasson trusts his hosts on output. At least, in the
> tutorial. :-) Will check linuxguruz though. I have studied
> their docs before writing the script of my own but I have probably
> missed something.
>
> [snip]
> > I'll try to check back later.
>
> Thank you!
I can't give you a pre-determined list of what ICMP traffic to
allow/block and no one else can either :-(
The main thing people deal with is what "probes" to allow inside, eg.,
ping and some of the "dated" ICMP query messages. Simply dropping
pings at the border router, eg., deprives anyone (including you) from
confirming reachability to your network. This also involves a POV
regarding dropping packets silently or retuning "Administratively
Prohibited" messages (ie., DENY or REJECT in netfilter rules).
The next and hardest thing to deal with are the errors that application
protocols or hosts may legitimately (and informatively) return when
network conditions/routing drops in the crapper. These may be the only
clues at hand to tell what's wrong. These would be locally generated
packets sent back to the "other end". You probably will allow most of
this to go out or handle it at the border router. It may also depend
on the mix of hosts, servers, and subnets behind your firewall.
Private lan hosts may be mostly blocked while DMZ servers are allowed
to return some (or even all) error messages.
And some ICMP traffic is highly useful in some settings, eg., redirects
that routers emit to send hosts along the correct route path.
For added "protection" when allowing some ICMP traffic you can limit
the burst rate of processed traffic -- most required/legitmate traffic
is a single returned packet.
ICMP messages (codes) are very compact which adds to the complexity of
understanding what you you may want to allow/deny. Deciphering the
code numbers is tedious. Plus, it's hard to understand sometimnes when
the messages may be generated.
Sniffing traffic designed to elicit ICMP messages can help a lot in
understanding what is going on, but it remains a difficult protocol to
"master" since it is used in so many different ways.
The article you referenced is a pretty good intro and the rules you
posted are "common" practice. Beware that traceroute's _default_
behavior is _not_ a good example of ICMP's normal usage, so don't base
your impressions on what you observe using traceroute. It can be used
with some options that do make it a useful, though limited, "testing"
tool.
Here are my links that I had on hand to help understand ICMP and how
netfilter deals with ICMP traffic:
(
http://www.sns.ias.edu/~jns/security...conntrack.html
)
this one especially useful
(
http://www.sns.ias.edu/~jns/security...les/index.html )
(
http://www.cymru.com/Documents/icmp-messages.html ) < Cisco IOS
(
http://www.faqs.org/rfcs/rfc792.html )
Also a copy of Stevens' "TCP-IP Illustrated Vol. 1" is _highly_
recommended. Chapter 6 deals with ICMP and it is discussed elsewhere
when appropriate.
Note that the terms used by netfilter do _not_ coincide with the use of
those terms in TCP/IP. And the use with regard to ICMP, viz., INVALID
state, can be especially misleading -- simply means there is no
"matching" state table entry for that packet and should not be taken to
mean "illegitimate" or "dangerous".
hth,
prg
Similar Threads
Linear Mode
