ICMP - Harness Good/Block Bad

Discussion in 'other firewalls' started by luciddream, May 19, 2011.

Thread Status:
Not open for further replies.
  1. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    I'm setting up some Global Rules in Comodo Firewall for ICMP traffic, and I'd like some advice. I noticed Outgoing ICMP from my PC to my router, type 8, code 0 which I've gathered to be Echo Requests. If I block them eventually I lose my internet connection, so I'm inclined to allow them. Should I make the rule only to allow it from my PC to my gateway (router)?

    What are some other ICMP traffic I could/should allow safely? When I set the FW up to stealth my ports to everyone it made rules for Fragmentation Needed and Time Exceeded, though I don't recall if it allowed it in or out (I removed them).

    I'd be greatly obliged if somebody could recommend some ICMP rules for me, to allow useful traffic and block the rest.

    Info. on my setup: Single PC, XP Pro SP3, NetBios disabled over TCP/IP, Comodo Firewall/D+ (proactive), Avira Personal, Firefox 3.6.17. I use the internet just for basic use (browsing).
     
  2. wat0114

    wat0114 Guest

    You could try the ones in the attached .txt file. They should be complete for a home, non-networked computer. You've helped remind me I need to re-check my Windows fw icmp rules when I get home later :)
     

    Attached Files:

    Last edited by a moderator: May 19, 2011
  3. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Actually blocking the outgoing Echo Requests wasn't what made me lose my connectivity. Another oversight of mine did that.

    After learning more about ICMP it doesn't appear the common user (me) needs to allow any at all. Of course all I stumbled upon were vague references about network troubleshooting. One person said it's for more than that, but then neglected to elaborate. The way I see it, if I block it and nothing breaks then I don't need it. That's my prerogative until convinced otherwise.
     
  4. wat0114

    wat0114 Guest

    If you do need to troubleshoot network connectivity, then allowing echo request, for example, will be needed for pings or traceroutes, and these can be very handy tools sometimes. You really have nothing to worry about and the ability to troubleshoot network connectivity issues if you set your icmp rules as in the attachment.
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Do you find a need to explicitly create rules blocking ICMP... or do you feel Windows firewall may go wild? ;) I've also been creating rules to specifically block connections, rather than leaving them disabled. I got double-crossed by Windows firewall some time ago. It automatically created rules for network discovery... including netbios comms. :D

    But, a good trick (perhaps) is to create new rules blocking comms, rather than using any built-in rules. A block rule takes precedence. Just in case Windows firewall thinks of changing rules. :-*
     
  6. wat0114

    wat0114 Guest

    Not any more. It's default-deny so I just create the allow rules I need. My current setup is pretty much static so I have little concern about new apps creating their own rules, and then very few do that anyway (however, uTorrent, for one, does this), at least in my experience.
     
  7. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
  8. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    After looking into it a bit I came up with these rules (Comodo):

    Allow - In

    Echo Reply
    Time Exceeded
    Fragmentation Needed
    Port Unreachable

    Allow - Out

    Echo Request

    ... then an in/out block rule for all other ICMP

    But for now I'm testing to see whether things run smoothly with all ICMP blocked. It's not that I specifically feel the need to block ICMP, it's just my approach with all things (services, outbound connections, etc.). If I don't need it for things to work properly, I don't allow it. If I notice connectivity problems or unresponsive/glitchy browsing then I'll use that rule set.
     
  9. wat0114

    wat0114 Guest

    Those all look good :thumb:

    Some nice advice in that thread :)
     
  10. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Yeah I looked through that, a very handy thread. I appreciate when people take the time like that to help other people out.

    I found the one thread entertaining about the placebo effect people get when they see "Full Stealth" on the port scan tests. So true.

    The only other rule I may add to the fold is an inbound allow rule for "Host Unreachable". I did have a page hang on me. Usually after several seconds I'd get that "Page temporarily unavailable" message, but it just kept hanging and I had to stop it. I don't know if this has anything to do with blocking ICMP, or if it's just coincidence. I'm going to need a bigger sample size before I decide one way or the other, but for now I'm continuing to block all. But perhaps some is needed for more reliable connectivity?

    I'd like to hear an expert chime in about this with some specifics about ICMP. Is it indeed for more than just network troubleshooting? Does it have a positive impact on network connectivity for a common user like myself?
     
  11. wat0114

    wat0114 Guest

    If your firewall permits, you could just make a Type: 3 (Destination Unreachable), Code: Any ICMP rule, and this will cover everything for that Type.

    -http://www.nthelp.com/icmp.html

    And no expert, but I don't think ICMP has any bearing on normal network connectivity, especially typical web browsing. It is probably even more important if one is running a server, where echo replies out and requests in may need to be allowed.
     
    Last edited by a moderator: May 22, 2011
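    The two rule sets discussed above (luciddream's allow list in post 8, and wat0114's "Type 3, Code Any" variant in post 11) as an added example, not code from the thread or from Comodo: a small ICMP header parser that verifies the RFC 1071 checksum and applies the allow list to a raw ICMP message, blocking everything not explicitly allowed. The `build_icmp` helper only constructs sample messages for testing.

```python
import struct

# Allow list from post 8, as (direction, icmp_type, icmp_code); code None = any code.
# Type/code numbers are the RFC 792 values: Echo Reply 0/0, Destination Unreachable 3
# (code 3 = Port Unreachable, code 4 = Fragmentation Needed), Echo Request 8/0,
# Time Exceeded 11 (code 0 = TTL exceeded in transit, code 1 = reassembly timeout).
ALLOW_RULES = [
    ("in", 0, 0),       # Echo Reply
    ("in", 11, None),   # Time Exceeded (any code)
    ("in", 3, 4),       # Fragmentation Needed
    ("in", 3, 3),       # Port Unreachable
    ("out", 8, 0),      # Echo Request
]

# Post 11 variant: one rule for Type 3 with any code (covers Host Unreachable too).
ALLOW_RULES_TYPE3_ANY = [r for r in ALLOW_RULES if r[1] != 3] + [("in", 3, None)]

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp(msg: bytes):
    """Return (type, code, checksum_ok) for a raw ICMP message (header + payload)."""
    if len(msg) < 8:
        raise ValueError("ICMP header is 8 bytes; message too short")
    icmp_type, icmp_code, cksum = struct.unpack("!BBH", msg[:4])
    # Recompute over the message with the checksum field zeroed.
    zeroed = msg[:2] + b"\x00\x00" + msg[4:]
    return icmp_type, icmp_code, icmp_checksum(zeroed) == cksum

def decide(direction: str, msg: bytes, rules=ALLOW_RULES) -> str:
    """Default-deny: 'allow' only if a rule matches direction, type and code."""
    icmp_type, icmp_code, ok = parse_icmp(msg)
    if not ok:
        return "block"  # bad checksum: treat as malformed and drop
    for d, t, c in rules:
        if d == direction and t == icmp_type and (c is None or c == icmp_code):
            return "allow"
    return "block"

def build_icmp(icmp_type: int, icmp_code: int, payload: bytes = b"") -> bytes:
    """Construct a sample ICMP message with a valid checksum (test input only)."""
    msg = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + payload
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]
```

    Note that an inbound Echo Request (type 8) is blocked by both rule sets, which is what keeps the host from answering pings while still letting its own pings and traceroutes work.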
  12. wat0114

    wat0114 Guest

    Just found this older, but no doubt excellent, ICMP advice from BlitzenZeus, an expert on Kerio firewall. There is no questioning this guy's expertise :)

    -http://www.dslreports.com/forum/remark,2649460
     
  13. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    Nice BZ thread, thanks. I've followed the CrazyM setup; it hasn't tripped me behind the router, with the router removed, or in wild places yet.

    In the Sunbelt 4.6.1861 and 4.7.4.0 firewall I have had this stuff working fine all along:

    [image: ICMPrules.png]

    On another box, Kerio 2.1.5 firewall is identical (except GUI - it has only one group and can't switch LOG on the main screen).

    The RFC-792 option is from this interesting thread:
    - https://www.wilderssecurity.com/showthread.php?t=216892
     