Firewall rules for ICMP

Discussion in 'other firewalls' started by root, Feb 22, 2002.

Thread Status:
Not open for further replies.
  1. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Hi Everybody. I don't know if this is the best forum for this, but I'll give it a try. I use Outpost firewall and have several options for ICMP. In searching around the net, I have found it very difficult to get very concise information about the safety of allowing some ICMP.
    My question is, is it safe to allow echo request type 8 out, echo reply type 0 in, and time exceeded type 11 in? Also, there seems to be some difference of opinion about destination unreachable type 3, in and out. I was allowing type 3 in but noticed I had a lot of blocked type 3 out, so I put my ISP's DNS server in the trusted zone, and now the type 3 is going in and out to my ISP only. Seems to work, and I can pass all the scan tests.
    Sorry if I was confusing.  o_O
    Any thoughts would be appreciated.
     
  2. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    ICMP is not even necessary to use the net, but it's up to you if you want to allow it. There are many security risks, but limiting what you accept will help if you do allow ICMP.

    Now there are ICMP floods, pings of death, spoofed packets, etc... A good firewall with Stateful Packet Inspection should only let through what your computer asked for, unless it's a packet that requires no verification. Not many personal firewalls even have SPI...

    I have not had a problem with this stuff, but some servers do when used as a DoS attack.

    If you're going to allow ICMP you should allow:

    Inbound:
    3 Destination Unreachable (otherwise your connections might just hang instead of closing correctly)

    Outbound:
    3 Destination Unreachable, to your DNS servers ONLY (optional really)

    To allow yourself to ping/trace others:

    Inbound:
    0 Echo Reply
    3 Destination Unreachable
    11 Time exceeded

    Outbound:
    8 Echo Request

    To be pingable...

    Inbound:
    8 Echo Request

    Outbound:
    0 Echo Reply
    -------------------

    Now these are the bare minimum you need to accept for these, except ICMP 3, but that will prevent some problems/headaches. You should block the rest of the ICMP packets, in and out, that you do not explicitly allow. If you can, you might want to make rules for only certain sites to be able to ping/trace you.....

    My rules are like this, but not everyone does it the same:
    [_] Permit Pings(disabled)
    -- In: 8 (any site)
    [x] Permit site x to ping me
    -- In: 8 (www.com)
    [x] Inbound ICMP
    -- In: 0,3,11 (any site)
    [x] Outbound ICMP
    -- Out: 0,8 (any site)
    [x] Block all ICMP
    -- In:all Out:all (any site)
    (I use Tiny/Kerio Personal firewall, but it should be similar)
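    A stateful version of the policy BlitzenZeus describes (echo request out; echo reply, type 3 and type 11 in only when they answer something this host sent, unsolicited type 8 dropped), as an added Python example, not code from Outpost or Kerio. It tracks only ICMP echo flows; a real SPI firewall also matches type 3 errors against its TCP/UDP connection table, which is the case the post cares about for games and DNS. The packet bytes are constructed by the helper functions, checksums are left at zero, and the addresses are documentation ranges.

    ```python
    import struct

    ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11


    def build_echo(icmp_type, ident, seq, payload=b""):
        """Constructed echo request/reply; checksum left at zero (not verified here)."""
        return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload


    def build_error(icmp_type, code, inner_src, inner_dst, inner_icmp):
        """Constructed type 3/11 error: 8-byte header, then the quoted IPv4 header of
        the original datagram plus its first 8 bytes, as RFC 792 specifies."""
        ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner_icmp), 0, 0, 64, 1, 0,
                             bytes(map(int, inner_src.split("."))),
                             bytes(map(int, inner_dst.split("."))))
        return struct.pack("!BBHI", icmp_type, code, 0, 0) + ip_hdr + inner_icmp[:8]


    def _hdr(pkt):
        """(type, ident, seq) from the first 8 ICMP bytes; short input is zero-padded."""
        t, _, _, ident, seq = struct.unpack("!BBHHH", pkt[:8].ljust(8, b"\0"))
        return t, ident, seq


    class StatefulIcmpFilter:
        def __init__(self):
            self.pending = set()  # (peer, ident, seq) of echo requests we sent

        def outbound(self, dst, pkt):
            t, ident, seq = _hdr(pkt)
            if t == ECHO_REQUEST:
                self.pending.add((dst, ident, seq))
                return True
            return False  # not pingable and no type 3 out: nothing else leaves

        def inbound(self, src, pkt):
            t, ident, seq = _hdr(pkt)
            if t == ECHO_REPLY:
                if (src, ident, seq) not in self.pending:
                    return False
                self.pending.remove((src, ident, seq))  # consumed: a replay is dropped
                return True
            if t in (DEST_UNREACH, TIME_EXCEEDED):
                inner = pkt[8:]  # quoted original datagram
                ihl = (inner[0] & 0x0F) * 4 if inner else 0
                if len(inner) < ihl + 8 or ihl < 20 or inner[9] != 1:  # ICMP flows only
                    return False
                inner_dst = ".".join(map(str, inner[16:20]))
                it, iid, iseq = _hdr(inner[ihl:])
                # time exceeded comes from an intermediate hop: match the quoted request, not src
                return it == ECHO_REQUEST and (inner_dst, iid, iseq) in self.pending
            return False  # unsolicited echo requests and all other types blocked
    ```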
     
  3. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Thanks BlitzenZeus. That pretty much confirms the gist of what I've been picking up from the various articles.
    I do not allow type 8 in or type 0 out at all, as I don't need to be pingable. I recently blocked type 3 in and have not noticed any adverse effects. But that is probably because I put my ISP's DNS address in the trusted zone in Outpost.
    I hope that didn't open a hole that I'm not aware of.
    Thanks again.
     
  4. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    You might not notice anything if you block ICMP 3 and don't play online games or similar programs of that nature.

    If you do play online games it's really a must to enable, as instead of your programs going on with what they are doing, they will just sit there waiting for a reply..... sit there.... sit there.... Some might not even go past that point till they get some kind of response, or some might crash. I say it's the fault of bad coding, but allowing those packets does help make sure some things run smoother.

    Edit: Also, if you are running pings and traces, you need to allow ICMP 3 in, since they will have problems completing if they don't get this response.
     