* RELATED ICMP packets of type 3
From: Mikhail Zotov @ 2005-02-11 14:57 UTC
To: netfilter
Hello everybody,
I have written an iptables script to protect a machine/LAN
and I'd like to clarify an issue about RELATED ICMP packets
of type 3 (actually, mostly 3/1).
As far as I understand, it is safe to ACCEPT incoming
packets of this sort.
Is it safe to allow _outgoing_ packets of this kind?
Can an attacker make my machine generate such packets
in order to obtain information about it? (All new
incoming packets are just DROPped.)
TIA,
Mikhail
* Re: RELATED ICMP packets of type 3
From: Jason Opperisano @ 2005-02-11 15:06 UTC
To: netfilter
On Fri, Feb 11, 2005 at 05:57:16PM +0300, Mikhail Zotov wrote:
> Hello everybody,
>
> I have written an iptables script to protect a machine/LAN
> and I'd like to clarify an issue about RELATED ICMP packets
> of type 3 (actually, mostly 3/1).
>
> As far as I understand, it is safe to ACCEPT incoming
> packets of this sort.
yes. personally (for whatever that is worth), i allow ICMP Types 3, 11,
and 12 [*].
> Is it safe to allow _outgoing_ packets of this kind?
> Can an attacker make my machine generate such packets
> in order to obtain information about it? (All new
> incoming packets are just DROPped.)
yes. an open plea to all firewall administrators:
please stop breaking our Internet!!!
-j
* http://www.iana.org/assignments/icmp-parameters
--
"You couldn't fool your mother on the foolingest day of your life if
you had an electrified fooling machine."
--The Simpsons
* Re: RELATED ICMP packets of type 3
From: Cedric Blancher @ 2005-02-11 15:27 UTC
To: Mikhail Zotov; +Cc: netfilter
On Friday 11 February 2005 at 17:57 +0300, Mikhail Zotov wrote:
> As far as I understand, it is safe to ACCEPT incoming
> packets of this sort.
As long as they're RELATED, you can assume these packets to be
legitimate ones. So, yes, it is safe to accept them. It is also necessary
to accept them if you want your IP stack to detect errors and be
functional. As an example, if you drop Fragmentation Needed packets
(type 3, code 4), you'll break PMTU Discovery...
> Is it safe to allow _outgoing_ packets of this kind?
For the same reason, yes, and for the sake of the Internet, do it. I'm
personally sick of these dummy firewalls/admins who can't get ICMP
filtered correctly and break things, so you have to find workarounds all
the time. As an example, see why you have to adjust TCPMSS on PPPoE DSL
lines...
> Can an attacker make my machine generate such packets
> in order to obtain information about it? (All new
> incoming packets are just DROPped.)
If NEW packets are dropped, then IP packets are not evaluated, so you
most certainly won't have ICMP errors sent back...
Netfilter gives you a mechanism to identify legitimate ICMP errors using
conntrack. If you trust Netfilter conntrack, use it.
--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
* Re: [OBORONA-SPAM] Re: RELATED ICMP packets of type 3
From: Mikhail Zotov @ 2005-02-11 15:34 UTC
To: netfilter
On Friday 11 February 2005 18:06, Jason Opperisano wrote:
> On Fri, Feb 11, 2005 at 05:57:16PM +0300, Mikhail Zotov wrote:
> > Hello everybody,
> >
> > I have written an iptables script to protect a machine/LAN
> > and I'd like to clarify an issue about RELATED ICMP packets
> > of type 3 (actually, mostly 3/1).
> >
> > As far as I understand, it is safe to ACCEPT incoming
> > packets of this sort.
>
> yes. personally (for whatever that is worth), i allow ICMP Types 3, 11,
> and 12 [*].
Thank you for the reply!
I do ACCEPT ICMP packets of types 11 and 12, too.
> > Is it safe to allow _outgoing_ packets of this kind?
> > Can an attacker make my machine generate such packets
> > in order to obtain information about it? (All new
> > incoming packets are just DROPped.)
>
> yes.
Does "yes" correspond to "Is it safe...?" or to "Can an attacker..."?
Regards,
Mikhail
* Re: RELATED ICMP packets of type 3
From: Victor Julien @ 2005-02-11 15:41 UTC
To: netfilter
> yes. personally (for whatever that is worth), i allow ICMP Types 3, 11,
> and 12 [*].
Will these all be accepted by accepting all RELATED packets? Or do I need
extra rules to allow them?
Regards,
Victor
* Re: RELATED ICMP packets of type 3
From: Mikhail Zotov @ 2005-02-11 15:44 UTC
To: netfilter
On Friday 11 February 2005 18:27, Cedric Blancher wrote:
> On Friday 11 February 2005 at 17:57 +0300, Mikhail Zotov wrote:
> > As far as I understand, it is safe to ACCEPT incoming
> > packets of this sort.
>
> As long as they're RELATED, you can assume these packets to be
> legitimate ones. So, yes, it is safe to accept them. It is also necessary
> to accept them if you want your IP stack to detect errors and be
> functional. As an example, if you drop Fragmentation Needed packets
> (type 3, code 4), you'll break PMTU Discovery...
>
> > Is it safe to allow _outgoing_ packets of this kind?
>
> For the same reason, yes, and for the sake of the Internet, do it.
Thanks a lot for your comprehensive answer!
Thus, do I understand it correctly that I should and can safely
accept _all_ RELATED ICMP messages, both incoming and outgoing?
> I'm personally sick of these dummy firewalls/admins who can't get ICMP
> filtered correctly and break things, so you have to find workarounds all
> the time.
I get your point. Unfortunately, I have failed to find a clear explanation
of proper dealing with ICMP packets. This mailing list was my last hope. :-)
Regards,
Mikhail
* Re: RELATED ICMP packets of type 3
From: Jason Opperisano @ 2005-02-11 15:49 UTC
To: netfilter
On Fri, Feb 11, 2005 at 04:41:19PM +0100, Victor Julien wrote:
> > yes. personally (for whatever that is worth), i allow ICMP Types 3, 11,
> > and 12 [*].
>
> Will these all be accepted by the accepting all RELATED packets? Or do i need
> extra rules to allow them?
in theory--they are RELATED. in practice, i allow them explicitly.
looking at one of my firewalls, it appears as though there are ICMP Type
3 packets that get past the RELATED rule and hit the explicit allow rule,
but the counters for the explicit allow for types 11 and 12 are at 0.
-j
--
"Me lose brain? Uh, oh! Ha ha ha! Why I laugh?"
--The Simpsons
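Two points in the thread can be shown concretely: Cedric's statement that conntrack gives you a way to spot legitimate ICMP errors, and Jason's observation that some type 3 packets get past his RELATED rule and are only caught by the explicit allow. The following is an added example, not code from the thread and not netfilter's own code. It builds constructed packets (the RFC 5737 documentation addresses 192.0.2.10, 198.51.100.1 and 203.0.113.7 are assumptions chosen here), checks the ICMP checksum, pulls the quoted inner IP/UDP header out of a type 3 error and looks its 5-tuple up in a simplified conntrack table, which is the essence of what nf_conntrack does before it tags an ICMP error RELATED. An error quoting a flow the firewall never accepted is INVALID, so it is exactly the kind of packet that skips a `--ctstate RELATED` rule and lands on an explicit `--icmp-type 3` allow.

```python
"""Model of how conntrack decides whether an incoming ICMP error is RELATED.
Added example, not code from the netfilter project; all packets are constructed inline."""
import struct
from ipaddress import IPv4Address

ICMP_DEST_UNREACH = 3   # ICMP type 3
PORT_UNREACH = 3        # code 3 (the thread mostly sees 3/1, host unreachable; same handling)
PROTO_UDP = 17

def ip_header(src, dst, proto, payload_len):
    # Minimal IPv4 header, IHL=5. The IP checksum is left 0; it is not what we inspect.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def udp_datagram(src, dst, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ip_header(src, dst, PROTO_UDP, len(udp)) + udp

def checksum(data):
    # RFC 1071 one's-complement sum; over a message with its checksum filled in it yields 0.
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def icmp_error(type_, code, quoted):
    # RFC 792: an ICMP error quotes the offending IP header plus the first 8 payload bytes.
    body = struct.pack("!BBHI", type_, code, 0, 0) + quoted[:28]
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def quoted_tuple(icmp_msg):
    """(src, dst, proto, sport, dport) of the datagram quoted inside an ICMP error, or None."""
    if len(icmp_msg) < 36 or checksum(icmp_msg) != 0:
        return None
    inner = icmp_msg[8:]
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 8:
        return None
    proto = inner[9]
    src, dst = str(IPv4Address(inner[12:16])), str(IPv4Address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])   # first 8 bytes of TCP/UDP: ports
    return (src, dst, proto, sport, dport)

class Conntrack:
    """Simplified table: the original-direction tuple of every flow accepted as NEW."""
    def __init__(self):
        self.flows = set()

    def accept_new(self, src, dst, proto, sport, dport):
        self.flows.add((src, dst, proto, sport, dport))

    def state(self, icmp_msg):
        t = quoted_tuple(icmp_msg)
        if t is None:
            return "INVALID"
        reverse = (t[1], t[0], t[2], t[4], t[3])
        # An error about a flow we started, or about its replies, is RELATED; anything else INVALID.
        return "RELATED" if t in self.flows or reverse in self.flows else "INVALID"

def input_chain(ct, icmp_msg, explicit_type3_allow):
    """Which INPUT rule an incoming ICMP type 3 hits: the RELATED rule, an explicit allow, or DROP."""
    if ct.state(icmp_msg) == "RELATED":
        return "ACCEPT:related"
    if explicit_type3_allow and icmp_msg[0] == ICMP_DEST_UNREACH:
        return "ACCEPT:explicit-type3"
    return "DROP"

def demo():
    ct = Conntrack()
    # Constructed: our host 192.0.2.10 sent a DNS query to 198.51.100.1 and the filter let it out as NEW.
    query = udp_datagram("192.0.2.10", "198.51.100.1", 40000, 53, b"\x12\x34\x01\x00")
    ct.accept_new("192.0.2.10", "198.51.100.1", PROTO_UDP, 40000, 53)
    # 198.51.100.1 runs no resolver and replies with port-unreachable quoting our query.
    legit = icmp_error(ICMP_DEST_UNREACH, PORT_UNREACH, query)
    # Constructed: an attacker forges a port-unreachable quoting a datagram we never sent.
    forged = icmp_error(ICMP_DEST_UNREACH, PORT_UNREACH,
                        udp_datagram("192.0.2.10", "203.0.113.7", 1025, 161, b"\x00" * 8))
    # The legitimate error with one bit of the quoted source address flipped in flight.
    damaged = bytearray(legit)
    damaged[20] ^= 0x01
    corrupt = bytes(damaged)
    return {
        "legit": (ct.state(legit), input_chain(ct, legit, True)),
        "forged": (ct.state(forged), input_chain(ct, forged, True), input_chain(ct, forged, False)),
        "corrupt": (ct.state(corrupt), input_chain(ct, corrupt, False)),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The forged error is the case behind Jason's non-zero counter: it is not RELATED, so with an explicit type 3 allow it is accepted, and without one it is dropped. Real nf_conntrack does a few more things than this model (it inverts the quoted tuple and looks up the reply direction, and it handles NAT on the quoted header), but the decision it reaches on these three packets is the same.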
* Re: RELATED ICMP packets of type 3
From: Jason Opperisano @ 2005-02-11 15:58 UTC
To: netfilter
On Fri, Feb 11, 2005 at 05:02:09PM +0100, Cedric Blancher wrote:
> On Friday 11 February 2005 at 10:49 -0500, Jason Opperisano wrote:
> > in theory--they are RELATED. in practice, i allow them explicitly.
> > looking at one of my firewalls, it appears as though there are ICMP Type
> > 3 packets that get past the RELATED rule and hit the explicit allow rule,
>
> Did you have a look at one of them, just to see if it's a legitimate
> one ? I have experienced some troubles with DNS and port unreachable on
> very slow links, but that was quite unusual.
nah--i don't log them. truthfully, they probably aren't legitimate...but
i'm not terrified of ICMP enough to really be concerned about it.
i'd rather err on the side of allowing too much ICMP than not enough.
-j
--
"Alright brain, you don't like me and I don't like you. But let's just
get through this and then I can get back to killing you with beer."
--The Simpsons
* Re: RELATED ICMP packets of type 3
From: Cedric Blancher @ 2005-02-11 15:58 UTC
To: Mikhail Zotov; +Cc: netfilter
On Friday 11 February 2005 at 18:44 +0300, Mikhail Zotov wrote:
> Thus, do I understand it correctly that I should and can safely
> accept _all_ RELATED ICMP messages, both incoming and outgoing?
As long as you consider Netfilter conntrack safe, yes.
* Re: RELATED ICMP packets of type 3
From: Cedric Blancher @ 2005-02-11 16:02 UTC
To: Jason Opperisano; +Cc: netfilter
On Friday 11 February 2005 at 10:49 -0500, Jason Opperisano wrote:
> in theory--they are RELATED. in practice, i allow them explicitly.
> looking at one of my firewalls, it appears as though there are ICMP Type
> 3 packets that get past the RELATED rule and hit the explicit allow rule,
Did you have a look at one of them, just to see if it's a legitimate
one ? I have experienced some troubles with DNS and port unreachable on
very slow links, but that was quite unusual.
* Re: RELATED ICMP packets of type 3
From: Victor Julien @ 2005-02-11 16:08 UTC
To: netfilter
On Friday 11 February 2005 17:02, Cedric Blancher wrote:
> On Friday 11 February 2005 at 10:49 -0500, Jason Opperisano wrote:
> > in theory--they are RELATED. in practice, i allow them explicitly.
> > looking at one of my firewalls, it appears as though there are ICMP Type
> > 3 packets that get past the RELATED rule and hit the explicit allow rule,
>
> Did you have a look at one of them, just to see if it's a legitimate
> one ? I have experienced some troubles with DNS and port unreachable on
> very slow links, but that was quite unusual.
So Cedric, you are basically saying that if I accept RELATED ICMP packets I
_should_ be a good Internet citizen?
Regards,
Victor
* Re: RELATED ICMP packets of type 3
From: Cedric Blancher @ 2005-02-11 16:21 UTC
To: Victor Julien; +Cc: netfilter
On Friday 11 February 2005 at 17:08 +0100, Victor Julien wrote:
> So Cedric, you are basically saying that if I accept RELATED ICMP packets I
> _should_ be a good Internet citizen?
I wouldn't say it that way. IMHO a good Internet citizen should accept
RELATED ICMP packets.
I say dropping legitimate ICMP errors is harmful. Netfilter provides a
way to spot these packets and accept them, so you can behave as a good
Internet citizen not breaking other people's stuff (breaking yours is your
deal) ;)