Firewall rules for ICMP
root
February 22nd, 2002, 12:31 AM
Hi Everybody. I don't know if this is the best forum for this, but I'll give it a try. I use Outpost firewall and have several options for ICMP. In searching around the net, I have found it very difficult to get very concise information about the safety of allowing some ICMP.
My question is, is it safe to allow echo request type 8 out, echo reply type 0 in, and time exceeded type 11 in? Also there seems to be some differences of opinion about destination unreachable type 3, in and out. I was allowing type three in but noticed I had a lot of blocked type 3 out, so I put my isp DNS server in the trusted zone, and now the type 3 is going in and out to my ISP only. Seems to work, and I can pass all the scan tests.
Sorry if I was confusing. ???
Any thoughts would be appreciated.
BlitzenZeus
February 22nd, 2002, 04:48 AM
ICMP is not even necessary to use the net, but it's up to you if you want to allow it. There are many security risks, but limiting what you accept will help if you do allow ICMP.
Now there are ICMP floods, pings of death, spoofed packets, etc... A good firewall with Stateful Packet Inspection should only let through what your computer asked for unless it's a packet that requires no verification. Not many personal firewalls even have SPI...
I have not had a problem with this stuff, but some servers do when used as a DOS attack.
If you're going to allow ICMP you should allow:
Inbound:
3 Destination Unreachable (otherwise your connections might just hang instead of closing correctly.)
Outbound:
3 .... To your DNS servers ONLY(Optional really)
To allow yourself to ping/trace others:
Inbound:
0 Echo Reply
3 ....
11 Time exceeded
Outbound:
8 Echo Request
To be pingable...
Inbound:
8 Echo Request
Outbound:
0 Echo Reply
-------------------
Now these are the bare minimum you need to accept for these, except ICMP 3, but that will prevent some problems/headaches. You should block the rest of the ICMP packets in and out that you do not explicitly allow. If you can, you might want to make rules for only certain sites to be able to ping/trace you.....
My rules are like this, but not everyone does it the same:
[_] Permit Pings(disabled)
-- In: 8 (any site)
[x] Permit site x to ping me
-- In: 8 (www.com)
[x] Inbound ICMP
-- In: 0,3,11 (any site)
[x] Outbound ICMP
-- Out: 0,8 (any site)
[x] Block all ICMP
-- In:all Out:all (any site)
(I use Tiny/Kerio Personal firewall, but it should be similar)
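Worked example, added to this thread and not taken from either poster's firewall: the rule list above as a first-match policy, plus the two ideas the post leans on (knowing the ICMP type/code of each message, and SPI, i.e. only admitting echo replies your host actually asked for). It also includes the optional "type 3 out, to your DNS servers only" rule from the earlier list. The peer names, the DNS address 192.0.2.53 and the packets are constructed placeholders, not real traffic.

```python
"""ICMP header parsing, an ordered ICMP rule list, and a stateful echo tracker."""
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# ICMP type numbers discussed in the thread
ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
ALL_TYPES = frozenset(range(256))


def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement checksum over header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int = 0, ident: int = 0, seq: int = 0,
               payload: bytes = b"") -> bytes:
    """Build an ICMP message (constructed sample data, not captured traffic)."""
    body = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq) + payload
    return struct.pack("!BBHHH", icmp_type, code, icmp_checksum(body), ident, seq) + payload


def parse_icmp(pkt: bytes) -> Tuple[int, int, int, int, bytes]:
    """Return (type, code, ident, seq, payload); reject truncated or corrupt messages."""
    if len(pkt) < 8:
        raise ValueError("ICMP header is 8 bytes; got %d" % len(pkt))
    if icmp_checksum(pkt) != 0:              # a valid message checksums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return icmp_type, code, ident, seq, pkt[8:]


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                           # "in", "out" or "both"
    types: FrozenSet[int]
    action: str                              # "permit" or "block"
    peers: Optional[FrozenSet[str]] = None   # None means any site
    enabled: bool = True

    def matches(self, direction: str, icmp_type: int, peer: str) -> bool:
        return (self.enabled
                and self.direction in (direction, "both")
                and icmp_type in self.types
                and (self.peers is None or peer in self.peers))


# The ordered list from the post; "www.com" is the placeholder trusted site and
# 192.0.2.53 a placeholder DNS server for the optional outbound type 3 rule.
RULES = [
    Rule("Permit Pings", "in", frozenset({ECHO_REQUEST}), "permit", enabled=False),
    Rule("Permit site x to ping me", "in", frozenset({ECHO_REQUEST}), "permit",
         frozenset({"www.com"})),
    Rule("Inbound ICMP", "in", frozenset({ECHO_REPLY, DEST_UNREACHABLE, TIME_EXCEEDED}), "permit"),
    Rule("Outbound ICMP", "out", frozenset({ECHO_REPLY, ECHO_REQUEST}), "permit"),
    Rule("Dest unreachable to DNS", "out", frozenset({DEST_UNREACHABLE}), "permit",
         frozenset({"192.0.2.53"})),
    Rule("Block all ICMP", "both", ALL_TYPES, "block"),
]


def decide(direction: str, icmp_type: int, peer: str, rules=RULES) -> Tuple[str, str]:
    """First matching rule wins, as in a personal firewall's ordered list."""
    for rule in rules:
        if rule.matches(direction, icmp_type, peer):
            return rule.action, rule.name
    return "block", "default deny"           # nothing matched: deny by default


class StatefulEchoFilter:
    """SPI for echo: admit only replies that answer a request this host sent."""

    def __init__(self) -> None:
        self.pending = set()                 # (peer, ident, seq) still awaiting a reply

    def outbound(self, pkt: bytes, peer: str) -> bool:
        icmp_type, _code, ident, seq, _payload = parse_icmp(pkt)
        action, _name = decide("out", icmp_type, peer)
        if action == "permit" and icmp_type == ECHO_REQUEST:
            self.pending.add((peer, ident, seq))
        return action == "permit"

    def inbound(self, pkt: bytes, peer: str) -> bool:
        icmp_type, _code, ident, seq, _payload = parse_icmp(pkt)
        action, _name = decide("in", icmp_type, peer)
        if action != "permit":
            return False
        if icmp_type == ECHO_REPLY:
            key = (peer, ident, seq)
            if key not in self.pending:      # unsolicited echo reply: drop it
                return False
            self.pending.discard(key)
        return True


if __name__ == "__main__":
    for direction, t, peer in [("in", 8, "198.51.100.7"), ("in", 8, "www.com"),
                               ("in", 11, "198.51.100.7"), ("out", 3, "192.0.2.53")]:
        print(direction, t, peer, "->", decide(direction, t, peer))
```

The rule list is static policy; the echo tracker is what the post means by SPI: with it, a type 0 reply is only accepted when the firewall saw the matching type 8 go out, so a stray or spoofed reply is dropped even though "Inbound ICMP" permits type 0 in general. On Linux the equivalent is `-p icmp --icmp-type echo-request` plus conntrack state matching rather than per-type allow rules alone.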
root
February 22nd, 2002, 12:47 PM
Thanks BlitzenZeus. That pretty much confirms the gist of what I've been picking up from the various articles.
I do not allow type 8 in or type 0 out at all, as I don't need to be pingable. I recently blocked type 3 in and have not noticed any adverse effects. But that is probably because I put my ISP's DNS address in the trusted zone in Outpost.
I hope that didn't open a hole that I'm not aware of.
Thanks again.
BlitzenZeus
February 22nd, 2002, 02:21 PM
You might not notice anything if you block ICMP 3 and don't play online games or similar programs of that nature.
If you do play online games it's really a must that you need to enable, as instead of your programs going on with what they are doing, they will just sit there waiting for a reply..... sit there.... sit there.... Some might not even go past that point till they get some kind of response, or some might crash. I say it's the fault of bad coding, but allowing those packets does help make sure some things run smoother.
Edit: Also if you are running pings and traces you need to allow ICMP 3 in, since they will have problems completing if they don't get this response.
Copyright ©2002 - 2012, Wilders Security Forums