From: "Rodney W. Grimes"
Subject: Re: icmp type 3 code 4: a couple of questions
In-Reply-To: <3958E1C5.18593553@origen.com> from Richard Martin at "Jun 27, 2000 10:17:57 am"
To: dmartin@origen.com (Richard Martin)
Date: Tue, 27 Jun 2000 11:18:36 -0700 (PDT)
Cc: bartequi@inwind.it (Salvo Bartolotta), freebsd-security@FreeBSD.ORG
Message-Id: <200006271818.LAA92561@gndrsh.dnsmgr.net>

> Add:
>
> /sbin/ipfw add pass icmp from ${oip} to any icmptypes ${icmpallow}
> /sbin/ipfw add pass icmp from any to ${oip} icmptypes ${icmpallow}
> /sbin/ipfw add deny log icmp from any to any
>
> This lets the firewall machine ping in and out (used by Big Brother), but
> stops those not very useful, and blocks all ICMP to other machines past
> the firewall.
>
> Substitute in the ICMP types you want to allow each way; you can specify
> different ones both in and out.
>
> We use
>
> icmpallow="0,3,4,5,8,11,12,14,16,18"
>
> I wonder if anyone has any comments on the appropriateness of these

4=ICMP_SOURCEQUENCH, useless as most machines ignore it, can be abused easily.
5=ICMP_REDIRECT, you don't want that one; it can be used to redirect traffic to
unwanted places.
14=ICMP_TSTAMPREPLY, useless without 13=ICMP_TSTAMP.
18=ICMP_MASKREPLY, useless without 17=ICMP_MASKREQ.

We usually run icmpallow="0,3,8,11" with special rules to allow 5 on the
inside only. We don't allow 12, and we don't see hits due to this, except
for abuse.

Complete rule set looks like this:

01000 23000 1969619 allow icmp from any to any icmptype 0,3,4,8,11
01010 0 0 allow icmp from any to any via dc0 icmptype 5
01010 0 0 allow icmp from any to any via dc1 icmptype 5
01010 0 0 allow icmp from any to any via dc2 icmptype 5
01010 0 0 allow icmp from any to any via dc3 icmptype 5
01020 0 0 deny log logamount 100 icmp from any to any

(Note that the counts are not very high here, due to data collection
resetting the rules every few hours.)

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net
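An added example (not from the mail above and not part of ipfw) that turns the critique into a check: it parses `ipfw -a list` output such as the rule set shown, walks it first-match to work out which ICMP types pass and on which interfaces, and flags the points raised in the reply (4 and 5 open on every interface, 14 without 13, 18 without 17). It assumes any-to-any addresses and a default-deny kernel; the `OTHER` placeholder, the `RISKY` and `REPLY_NEEDS_REQUEST` tables and the sample rule text are constructed here.

```python
import re
# Per the reply above: reply types that are useless without their request type, and
# types that should not be open on every interface (both tables constructed here).
REPLY_NEEDS_REQUEST = {14: 13, 18: 17}
RISKY = {4: "ICMP_SOURCEQUENCH is ignored by most hosts and easily abused",
         5: "ICMP_REDIRECT can redirect traffic; allow it on inside interfaces only"}
OTHER = "<other>"  # placeholder for any interface that has no `via` rule of its own

def parse_rules(dump):
    """(action, iface|None, types|None) for ICMP-capable `ipfw list` rules; src/dst ignored."""
    rules = []
    for line in dump.splitlines():
        head = re.match(r"\s*\d+(?:\s+\d+\s+\d+)?\s+(\w+)", line)  # rule#, [pkts bytes], action
        if not head or not re.search(r"\b(icmp|ip|all)\s+from\b", line):
            continue  # not a rule that can match ICMP
        action = "allow" if head.group(1) in ("allow", "pass", "accept", "permit") else "deny"
        via = re.search(r"\bvia\s+(\S+)", line)
        types = re.search(r"\bicmptypes?\s+([\d,]+)", line)
        rules.append((action, via.group(1) if via else None,
                      {int(t) for t in types.group(1).split(",")} if types else None))
    return rules

def first_match(rules, icmp_type, iface):
    """ipfw is first-match; the implicit final rule is deny (the default kernel build)."""
    for action, via, types in rules:
        if (via is None or via == iface) and (types is None or icmp_type in types):
            return action
    return "deny"

def allowed_types(dump, max_type=40):
    """Map ICMP type -> set of interfaces on which an any -> any packet passes."""
    rules = parse_rules(dump)
    ifaces = {via for _, via, _ in rules if via} | {OTHER}
    return {t: on for t in range(max_type + 1)
            if (on := {i for i in ifaces if first_match(rules, t, i) == "allow"})}

def findings(allowed):
    out = []
    for t, on in sorted(allowed.items()):
        if t in RISKY and OTHER in on:
            out.append(f"type {t} open on all interfaces: {RISKY[t]}")
        req = REPLY_NEEDS_REQUEST.get(t)
        if req is not None and req not in allowed:
            out.append(f"type {t} allowed but request type {req} is not, so it is useless")
    return out

SAMPLE = (  # constructed sample: the rule set from the reply above, in `ipfw -a list` form
    "01000 23000 1969619 allow icmp from any to any icmptype 0,3,4,8,11\n"
    "01010 0 0 allow icmp from any to any via dc0 icmptype 5\n"
    "01020 0 0 deny log logamount 100 icmp from any to any\n")
```

Running `findings(allowed_types(SAMPLE))` on the reply's own rule set reports only type 4, since 5 is confined to the `via` interface and the orphan reply types are not allowed at all.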