ICMP Filtering and Rules

ICMP Filtering and Rules

pcalvert's recent post, Is this firewall alert significant?, got me thinking about default ICMP rules and if firewalls have improved in their handling of this protocol when it comes to filtering abilities.

For many firewalls the default rules are similar to:
Permit Inbound ICMP type 0 (echo reply), type 3 (destination unreachable), type 11 (time exceeded)
Permit Outbound ICMP type 3 (destination unreachable), type 8 (echo request)

You will often see recommomendations to restrict Outbound type 3 to your DNS servers only.

While these defaults may be needed and/or work fine for most, do you really need them? Do you log your ICMP traffic to determine what you really use/need?

For several months now I have been denying all Inbound IMCP and only permit Outbound type 8 (request will open temporary window for response) on the outside interface of the router without any adverse affects. While this may work for me, it may not be the case for all.

Have you experience with any current firewalls where they have improved their handling of ICMP in terms of dynamic filtering/rules which would allow for fewer openings?

Regards,

CrazyM

 

Seems to me that one could probably get by with just type 8 outbound and type 0 inbound. But I would have to try it for a while to see I suppose..

 

Yes. I use the default rules as you listed

My current log goes back to November 20:

Permit Inbound Loggings

Type (0) =0
Type (3) = 51
Type (11) =15

Permit Outbound Loggings

Type (3)= 2 (to ISP)

=============================

Deny Inbound Loggings

None - however, the Deny (8 ) rule was not checked to log

Deny Outbound Loggings

Type (0)= 73


I confess to not completely understanding how decisions are made with regard to setting up rules so I just use the defaults that were recommended in the Kerio forums.

RFC 792 (from 1981) has specifications, but I know people who block everything. Some point out that you need Type (3) for some online games, or if running pings.

One difficulty in Analyzing type (3) - Destination Unreachable - is that there are 5 codes that specify what is unreachable: port, protocol, etc. And if your firewall/router doesn't specify those, then you really don't know completely what is going on. (That's me!)

I read a lot about ICMP when first setting up my rules, but did not understand a lot of what I read. For instance, this about Type (11) - time exceeded:

"An ICMP type 11 would normally be caused when the ttl in an Inbound packet that reached the stack had been reduced to zero and the packet had not reached the destination IP."

So, I just opted for the default rules, and have not observed any unusual behavior that would lead me to do otherwise.

regards,

-rich
________________
~~Be ALERT!!! ~~

 

Rmus, I don't think you really want to allow type 8 inbound do you? That would not be the typical situation...

 

Ooops - you are right" Those loggings were from the test I made earlier this month when I permitted everything in for several days.

The rule was changed back to the default following that test. I'll remove those loggings from the post. Thanks for catching that!

-rich

 

I recently got a Zoom X6 ADSL gateway (modem+router), which generally seems to work fine, but i noticed an issue with ICMP traffic. I still kept the Sygate firewall installed on my computer, even though the X6 has NAT firewall, and certain sites wouldn't load - nytimes.com, gizmodo.com. When I looked at the Sygate log, the only incoming traffic was ICMP 3 from the X6, and it was being blocked by Sygate. When I set the Sygate to "allow all", the sites load fine, and the traffic log shows the ICMP traffic is allowed. I don't understand why the ICMP traffic is necessary for these sites to load.

Anna

 

I just tried blocking all ICMP in Kerio and was able to get those two sites you listed to load OK.

Maybe something else in Sygate is enabled when your rule blocks?

regards,

-rich
________________
~~Be ALERT!!! ~~

 

Here's what happens (if I remember correctly):

Each packet starts with a Time to Live (eg. 255) - at each router hop it decreases by one. Once TTL gets to zero, the packet has reached the end of it's life - it needs to be expired otherwise it will be floating along through multiple paths forever. ICMP type 11 is supposed to signal to the sender that the packet never arrived. Interestingly, ICMP type 11 has been used for guessing at which hop a firewall is in place (eg. Firewalker). If the packet is addressed one hop past the firewall and TTL=0 at the firewall, does the firewall send a ICMP Time Exceeded response? Some do, some don't.