Adding IPFW rules, need advice on ICMP (and others)

  1. #1
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103

    At the moment I'm creating a new firewall using IPFW, and I'd like some advice.

    First of all, what kind of ICMP messages do I block? I'd like to ping my machine, so I guess I need ICMP-8? Furthermore, I read somewhere that ICMP REDIRECT and UNREACH (5 and 3) are used for DoS exclusively - is that right (and can I block them)? Is it wise to just block everything altogether except 8 (and possibly 0) and be done with it, or do I need to be a bit more specific? What do you suggest?

    The machine acts as a NAT-gateway, WWW-server, sendmail host and runs MySQL, but only for applications on the machine itself. So far, I did this (consider the last 3 lines work-in-progress):

    Code:
    #for NAT
    00050 divert 8668 ip from any to any via fxp1
    
    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
    
    # allow SSHd traffic
    01000 allow tcp from any to any 22 in
    01050 allow tcp from any 22 to any out established
    
    # allow webserver traffic
    01800 allow tcp from any to any 80 in
    01850 allow tcp from any 80 to any out established
    
    # here starts logging, the allow ip from any to any has yet to be changed to 'deny'
    06400 allow log ip from any to any
    65000 allow ip from any to any
    65535 deny ip from any to any

    Any suggestions?
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  2. #2
    Member
    Join Date
    May 2002
    Posts
    65
    Heya Guus,
    Not sure how much this is going to help you... I am pretty sure you can block them all besides 8 and 0 to just allow yourself to ping to and from the machine. I myself have a webserver running with all of them blocked; the webserver also runs some smtp, ftp (on a port other than 21) and has to connect to a sql machine, and I haven't had any problems with any of those services connecting. I am pretty sure it won't affect NAT, but as I've never done it I can't be sure. Hope this helps a little.

    Greg

  3. #3
    Senior Member
    Join Date
    Jun 2003
    Posts
    723
    how about,
    # ICMP packets
    ${fwcmd} add pass icmp from any to any via ${iif}
    ${fwcmd} add pass icmp from any to any via ${iifx}
    ${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
    ${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}
    #${fwcmd} add pass icmp from any to any icmptypes 5 in via ${oif}
    ${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif}
    ${fwcmd} add deny log icmp from any to any

    this is from a nat gateway with two internal nics iif ,iifx and one external, oif

    This is the standard from /etc/rc.firewall IIRC, a great little script. I would just modify it rather than writing your own, but if you are dead set on writing your own, do a Google search for onlamp + ipfw, as Dru Lavigne has a couple of great articles on ipfw. I did comment out ICMP 5 and I really can't remember why off hand.
    Do unto others as you would have them do unto you.
    The international ban against torturing prisoners of war does not necessarily apply to suspects detained in America's war on terror, Attorney General John Ashcroft told a Senate oversight committee
    -- true colors revealed, a brown shirt and jackboots
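    To see what the ICMP block above actually lets through, here is an added example (not code from the thread or from rc.firewall): a small first-match evaluator for the rule syntax the posters use, with the rc.firewall variables filled in under assumed interface names (iif=fxp0, iifx=fxp2, oif=fxp1). It models only the keywords these rules use, and the sample packets are constructed.

```python
"""Minimal first-match evaluator for the ipfw rule syntax used in this thread
(constructed example; models only allow/pass/deny, log, icmptypes, in/out, via)."""
import re

RULE_RE = re.compile(
    r"^(?P<act>allow|pass|deny)\s+(?:log\s+)?(?P<proto>\w+)\s+from\s+\S+\s+to\s+\S+"
    r"(?:\s+icmptypes\s+(?P<types>[\d,]+))?(?:\s+(?P<dir>in|out))?(?:\s+via\s+(?P<iface>\S+))?$"
)

def parse(line):
    """Return a dict for one rule; raise ValueError on syntax we do not model."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rule: " + line)
    r = m.groupdict()
    r["types"] = {int(t) for t in r["types"].split(",")} if r["types"] else None
    r["act"] = "allow" if r["act"] == "pass" else r["act"]   # pass is an alias of allow
    return r

def matches(rule, pkt):
    """pkt: dict with proto, direction ('in'/'out'), iface and optional icmptype."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if rule["types"] is not None and pkt.get("icmptype") not in rule["types"]:
        return False
    if rule["dir"] and rule["dir"] != pkt["direction"]:
        return False
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    return True

def verdict(rules, pkt, default="deny"):
    """First matching rule decides, as in ipfw; default stands in for rule 65535."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["act"]
    return default

# The ICMP block from post #3 with its variables filled in. Assumed interface
# names: iif=fxp0 and iifx=fxp2 (internal), oif=fxp1 (external, the NAT side).
ICMP_RULES = [parse(l) for l in """
pass icmp from any to any via fxp0
pass icmp from any to any via fxp2
pass icmp from any to any icmptypes 8 out via fxp1
pass icmp from any to any icmptypes 0 in via fxp1
pass icmp from any to any icmptypes 3,4,11,12 via fxp1
deny log icmp from any to any
""".strip().splitlines()]
def icmp_verdict(icmptype, direction, iface="fxp1"):
    """Verdict for one ICMP packet of the given type crossing iface in that direction."""
    pkt = {"proto": "icmp", "direction": direction, "iface": iface, "icmptype": icmptype}
    return verdict(ICMP_RULES, pkt)
```

    With these rules an outbound echo request (8) and its inbound reply (0) pass on the external interface, unreachables (3), source quench (4), time exceeded (11) and parameter problems (12) pass in both directions, and the commented-out redirect (5) falls through to the logged deny. Note that an inbound echo request on the external interface is also denied, so with this block the box cannot be pinged from outside, which is the one thing the original poster asked for.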

  4. #4
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    Thanks for the info, guys. Meanwhile, I talked to someone else who explained to me that by blocking ICMP messages you don't really gain anything, except for breaking up the IP traffic. Without good arguments, I'll keep "allow ICMP from any to any".
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  5. #5
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    hmm, I found this article, ICMP Stands For Trouble by Rik Farrow (networkmagazine.com), which changed my mind. Its conclusion:
    ICMP is really quite simple. It was designed to help IP work smoothly. For networks where security is not the priority, or if you are not preventing other types of scanning, you can leave ICMP traffic alone. However, for maximum security, only a few types of messages should be allowed through your firewall.
    The article describes which messages to filter when, and why.
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Obviously the sensible thing to do seems to be to use stateful firewalling and only allow ICMP which is related to a permitted existing connection.

    Then you will still get useful unreachables etc through, but should not have any unsolicited random IP leaking in.

    AFAIK, Linux ipfw (+ conntrack) and BSD firewalling can both do this.

    Slarty
