No ICMP filtering

Discussion in 'ESET Smart Security' started by Stem, Mar 3, 2009.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello,

    The firewall is unable to intercept ICMP.

    There are 2 rules by default in the firewall:
    1: Allow ICMP in trusted zone
    2: Ask ICMP communications [appears to be hard-coded]

    I have set up an internal LAN with ESS V4 (full release); the LAN is set as untrusted, and making ping requests against the PC with ESS results in timeouts. However, this is due to ARP requests being dropped by the IDS, so the pings cannot be routed, rather than the firewall dropping the ping requests.
    If I allow the ARP requests, then pings are replied to, which is not correct for the rules in place.



    - Stem
     
  2. Novicex

    Novicex Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    72
    This is really, really bad :( I think ESET should work more on preventing snooping and sniffing and other bad things.
     
    Last edited: Mar 3, 2009
  3. Stem

    Stem Firewall Expert

    I have been unable to find a way for the firewall to alert me to outbound or inbound ICMP. But even with an alert, if there was one, the ICMP rules are only to allow or block the ICMP, as there is no way to set an ICMP type/code within the ICMP rule.
    I looked again to see if I could find a tab or options page for global rules for ICMP, maybe with tick-box options to allow the various types of ICMP out and/or in, but still cannot find such options.

    It does not look like much thought has gone into the ICMP filtering, but I would prefer this filtering to be added fully.



    - Stem
     
  4. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Well, ICMP flood detection works.
     
  5. Stem

    Stem Firewall Expert

    So does the outbound "Detected covert channel exploit in ICMP packet". But I am looking for basic ICMP error message handling.




    - Stem
     
  6. muppetman

    muppetman Registered Member

    Joined:
    Feb 18, 2009
    Posts:
    18
    As a very new ESET SS customer, I must admit I think the ICMP support is lacking quite badly. Overall, though, there aren't many hack attempts via ICMP!
     
  7. Stem

    Stem Firewall Expert

    I am not looking at any sort of ICMP attack; I am simply looking for correct filtering of ICMP. Even the built-in Windows XP firewall gives me options for ICMP.

    XP firewall ICMP options:-

    [attached image: 2009-03-08_173056.jpg]

    With the ESS firewall, I am not sure as to its intentions with ICMP. There are no global rules, and there is no way to set rules for ICMP with type/code. I have even seen red popups from the firewall indicating inbound against my browser, which when checked with a sniffer showed these inbounds as ICMP destination unreachable. Now either the firewall has closed this port that the application is still listening on for a reply, or the packet has been incorrectly routed through the NOD local proxy.

    After using the firewall for a few days, my first impressions are that it is still a work in progress and that it needs work with its packet filtering.

    I am going to set up to make more detailed checks/tests, but it will take time due to the NOD local proxy.


    - Stem
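The granularity Stem is asking for in posts 3, 5 and 7 (rules keyed on ICMP type/code per zone, and ICMP error messages such as destination unreachable accepted only when they relate to traffic this host actually sent) can be shown in a small packet-level model. The block below is an added illustration written for this page; it is not code from the thread, from ESET, or from the Windows XP firewall. The addresses (192.168.1.0/24 as the trusted zone, 203.0.113.x and 198.51.100.x as untrusted), the rule table and every packet are constructed assumptions, built inline so the example runs offline. It goes slightly beyond the posts by also tracking outbound flows so that "related" replies and errors can be told apart from unsolicited ones.

```python
"""Model of per-type/code ICMP rules with stateful error-message handling.

Added example, not code from the thread or from ESET. All packets are
constructed here (no captures); addresses and rules are assumptions.
"""
import ipaddress
import struct

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 3, 8, 11
ERROR_TYPES = {ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED}   # carry the original datagram


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used by both IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def icmp(icmp_type: int, code: int, rest: bytes = b"\0\0\0\0", body: bytes = b"") -> bytes:
    """ICMP message: type, code, checksum, 4 'rest of header' bytes, body."""
    msg = struct.pack("!BBH", icmp_type, code, 0) + rest + body
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def flow_key(packet: bytes):
    """(src, dst, proto, identifier) for an IPv4 datagram.

    For UDP/TCP the identifier is the source/destination port pair; for ICMP
    echo it is the identifier/sequence pair (bytes 4..8 of the ICMP header).
    """
    ihl, proto = (packet[0] & 0xF) * 4, packet[9]
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    l4 = packet[ihl:ihl + 8]
    return (src, dst, proto, l4[4:8] if proto == 1 else l4[:4])


class IcmpFilter:
    def __init__(self, trusted_nets):
        self.trusted = [ipaddress.IPv4Network(n) for n in trusted_nets]
        self.flows = set()          # keys of datagrams this host has sent

    def outbound(self, packet: bytes) -> None:
        """Record an outbound datagram so related ICMP can be matched later."""
        self.flows.add(flow_key(packet))

    def zone(self, ip: str) -> str:
        addr = ipaddress.IPv4Address(ip)
        return "trusted" if any(addr in n for n in self.trusted) else "untrusted"

    def inbound(self, packet: bytes) -> str:
        """Decide 'allow' or 'drop' for one inbound IPv4/ICMP datagram."""
        src, dst, proto, _ = flow_key(packet)
        if proto != 1:
            return "not-icmp"
        ihl = (packet[0] & 0xF) * 4
        icmp_type = packet[ihl]
        if icmp_type == ICMP_ECHO_REQUEST:          # per-zone rule on type 8
            return "allow" if self.zone(src) == "trusted" else "drop"
        if icmp_type == ICMP_ECHO_REPLY:            # only replies to pings we sent
            ident = packet[ihl + 4:ihl + 8]
            return "allow" if (dst, src, 1, ident) in self.flows else "drop"
        if icmp_type in ERROR_TYPES:                # error must quote one of our flows
            inner = packet[ihl + 8:]                # original IP header + 8 bytes (RFC 792)
            if len(inner) < 28:
                return "drop"
            return "allow" if flow_key(inner) in self.flows else "drop"
        return "drop"                               # every other type: default deny


def demo():
    """Run the constructed scenarios and return the decisions by name."""
    fw, local = IcmpFilter(["192.168.1.0/24"]), "192.168.1.10"
    echo = icmp(ICMP_ECHO_REQUEST, 0, rest=struct.pack("!HH", 0x1234, 1), body=b"abcdefgh")
    out = {}
    out["lan_ping"] = fw.inbound(ipv4("192.168.1.20", local, 1, echo))   # trusted zone
    out["wan_ping"] = fw.inbound(ipv4("203.0.113.9", local, 1, echo))    # untrusted zone
    # Our own DNS query, then the port-unreachable it provoked (quotes the query).
    query = ipv4(local, "203.0.113.53", 17, struct.pack("!HHHH", 40000, 53, 8, 0))
    fw.outbound(query)
    unreach = icmp(ICMP_DEST_UNREACH, 3, body=query[:28])
    out["related_unreach"] = fw.inbound(ipv4("203.0.113.53", local, 1, unreach))
    # An unsolicited port-unreachable quoting a flow we never opened.
    bogus = ipv4(local, "198.51.100.7", 17, struct.pack("!HHHH", 40001, 53, 8, 0))
    stray = icmp(ICMP_DEST_UNREACH, 3, body=bogus[:28])
    out["unrelated_unreach"] = fw.inbound(ipv4("198.51.100.7", local, 1, stray))
    # Echo reply to a ping we sent, and the same reply from a host we never pinged.
    fw.outbound(ipv4(local, "203.0.113.9", 1, echo))
    reply = icmp(ICMP_ECHO_REPLY, 0, rest=struct.pack("!HH", 0x1234, 1), body=b"abcdefgh")
    out["our_reply"] = fw.inbound(ipv4("203.0.113.9", local, 1, reply))
    out["stray_reply"] = fw.inbound(ipv4("203.0.113.10", local, 1, reply))
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18s} {decision}")
```

The point of the model is the two axes the thread says ESS lacks: the echo-request rule is keyed on type and zone, and the destination-unreachable case is neither blanket-allowed nor blanket-blocked but accepted only when the quoted datagram matches a flow the host opened, which is the "basic ICMP error message handling" of post 5.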
     
  8. Stem

    Stem Firewall Expert

    Hello,

    After setting rules to "ask for all ICMP" and changing the options for logging, I am seeing some ICMP filtering taking place in the firewall logs.

    This is the firewall log of it being pinged from a remote node. The pings sent were just via the cmd ping tool, so 4 pings were sent, but all timed out for replies.

    [attached image: 2009-03-08_215415.jpg]

    The firewall log does show the ping first being detected as "No application listening on the port", but then it looks like the "Ask" rule is being enforced and I should be seeing a popup to allow or deny the ICMP? But as I get no popup, the ICMP packet would, I think, then be dropped.


    - Stem
     
  9. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    This is really frustrating.
    I thought that after so much water under the bridge, simple filtering like this would have been done right by ESET. After all, as you point out, the Windows firewall can do it!
    Still I have a question:
    I was wandering through the firewall and noticed that when creating a rule for ICMP (it being protocol 1: Internet Control Message Protocol, according to the firewall), you don't have an option to block a specific type of ICMP... is it possible that ESET omitted this?
    I remember that when using XP and the built-in firewall you had to disable ICMP on port 445 when enabling file sharing, because by default Windows would respond to pings on that port when prompted for a connection. Does ESS know to block these pings when they don't come from a trusted network? And if it does, where does it say so?
     