Adding IPFW rules, need advise on ICMP (and others)

[Guus]

At the moment I'm creating a new firewall using IPFW, and I'd like some advise.

First of all, what kind of ICMP messages do I block? I'd like to ping my machine, so I guess I need ICMP-8? Furthermore, I read somewhere that ICMP REDIRECT and UNREACH (5 and 3) are used for DoS exclusively - is that right (and can I block hem)? Is it wise to just block everything altogether except 8 (and possibly 0) and be done with it, or do I need to be a bit more specific? What do you suggest?

The machine acts as a NAT-gateway, WWW-server, sendmail host and runs MySQL, but only for applications on the machine itself. So far, I did this (consider the last 3 lines work-in-progress):

Code:

#for NAT
00050 divert 8668 ip from any to any via fxp1

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any

# allow SSHd traffic
01000 allow tcp from any to any 22 in
01050 allow tcp from any 22 to any out established

# allow webserver traffic 
01800 allow tcp from any to any 80 in
01850 allow tcp from any 80 to any out established

# here starts logging, the allow ip from any to any has yet to be changed to 'deny'
06400 allow log ip from any to any
65000 allow ip from any to any
65535 deny ip from any to any

Any suggestions?

[waytallgel]

Heya Guus,
Not sure how much this is going to help you... I am pretty sure you can block them all besides 8 and 0 to just allow yourself to ping to and from the machine. I myself have a webserver running with all of them blocked, the webserver also runs some smtp, ftp (on a port other than 21) and has to connect to a sql machine and I haven't had any problems with any of those services connecting. I am pretty sure it won't effect NAT but as I've never done it I can't be sure. Hope this helps a little.

Greg

[lumpyporridge]

how a bout,
# ICMP packets
${fwcmd} add pass icmp from any to any via ${iif}
${fwcmd} add pass icmp from any to any via ${iifx}
${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}
#${fwcmd} add pass icmp from any to any icmptypes 5 in via ${oif}
${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif}
${fwcmd} add deny log icmp from any to any

this is from a nat gateway with two internal nics iif ,iifx and one external, oif

This is the standard from /etc/rc.firewall IIRC, A great little script. I would just modify it rather than writing your own, but if you are dead set on writing your own do a google search for onlamp + ipfw as dru lavinge has a couple great articles on ipfw , i did comment out icmp 5 and i really can't remember why off hand.

[Guus]

Thanks for the info, guys. Meanwhile, I talked to someone else that explained to me that by blocking ICMP-messages you don't really gain anything, except for breaking up the ip-traffic. Without good arguments, I'll keep "allow ICMP from any to any"

[Guus]

hmm, I found this article, ICMP Stands For Trouble by Rik Farrow (networkmagazine.com), which changed my mind. It's conclusion:

ICMP is really quite simple. It was designed to help IP work smoothly. For networks where security is not the priority, or if you are not preventing other types of scanning, you can leave ICMP traffic alone. However, for maximum security, only a few types of messages should be allowed through your firewall.

The article has describes what messages to filter when, and why.

[slarty]

Obviously the sensible thing to do seems to be to use stateful firewalling and only allow ICMP which is related to a permitted existing connection.

Then you will still get useful unreachables etc through, but should not have any unsolicited random IP leaking in.

AFAIK, Linux ipfw (+ conntrack) and BSD firewalling can both do this.

Slarty