* ICMP and connection tracking
@ 2004-05-20 15:06 Aleksandar Milivojevic
From: Aleksandar Milivojevic @ 2004-05-20 15:06 UTC (permalink / raw)
  To: Netfilter User Mailinglist

Are ICMP packets related to new and established TCP connections and UDP 
traffic considered to be part of them, or do I need to have explicit 
rules like

    -A INPUT -p icmp -m state --state RELATED -j ACCEPT

for things like path MTU discovery, traceroute, ICMP port unreachables, 
and so on to work properly?

Any downsides of using a generic rule like the above (if it is needed)?

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7



* Re: ICMP and connection tracking
@ 2004-05-20 15:37 ` Antony Stone
From: Antony Stone @ 2004-05-20 15:37 UTC (permalink / raw)
  To: Netfilter User Mailinglist

On Thursday 20 May 2004 4:06 pm, Aleksandar Milivojevic wrote:

> Are ICMP packets related to new and established TCP connections and UDP
> traffic considered to be part of them,

An ICMP packet which is returned in response to a previously sent TCP or UDP 
packet is considered to be RELATED.

ICMP packets are often regarded as the "error messages" of the Internet, and 
usually arise in relation to UDP packets (which don't have their own 
error-detection and correction mechanism), rather than TCP packets (which 
have things like the SYN, SYN-ACK, ACK three way handshake, and sequence / 
acknowledgement numbers to ensure reception of what got sent).

> or do I need to have explicit rules like
>
>     -A INPUT -p icmp -m state --state RELATED -j ACCEPT
>
> for things like path MTU discovery, traceroute, ICMP port unreachables,
> and so on to work properly?

Nothing wrong with the above rule, however remember that it isn't only ICMP 
packets which are considered to be RELATED - in an FTP connection, for 
example, the reverse (data) connection is considered to be RELATED to the 
original (control) connection, even though it's another TCP link, not ICMP.

> Any downsides of using a generic rule like the above (if it is needed)?

Most people use an even *more* generic rule:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Thus allowing back any sort of reply to a previously sent packet (controlled 
by the rules in your OUTPUT chain).

Regards,

Antony.

-- 
"I estimate there's a world market for about five computers."

 - Thomas J Watson, Chairman of IBM

                                                     Please reply to the list;
                                                           please don't CC me.
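To make Antony's point concrete: conntrack can call an ICMP error RELATED because the error carries the IP header and first 8 bytes of the packet that triggered it, and that quoted header is looked up against the connections the host already has. The model below is an added illustration, not netfilter code or anything from this thread; the conntrack entries and packets are constructed, checksums are left zero, and only the ICMP error types are handled (echo request/reply get their own conntrack flow in Linux, which is not modelled).

```python
import struct

# Constructed conntrack table: original-direction tuples
# (proto, src, sport, dst, dport) for traffic this host sent.
CONNTRACK = {
    ("udp", "192.0.2.10", 40000, "198.51.100.7", 33434),  # traceroute probe
    ("tcp", "192.0.2.10", 51000, "203.0.113.5", 443),     # TCP session
}

# ICMP types that quote the offending packet and can be RELATED
# (unreachable, source quench, redirect, time exceeded, parameter problem).
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}
PROTO_NAMES = {6: "tcp", 17: "udp"}

def ip_str(b):
    return ".".join(str(x) for x in b)

def classify_icmp(packet):
    """Return the conntrack state for a raw IPv4 packet carrying ICMP."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        raise ValueError("not ICMP")
    icmp = packet[ihl:]
    if icmp[0] not in ICMP_ERROR_TYPES:
        return "NOT_AN_ERROR"       # echo etc. are tracked as their own flow
    inner = icmp[8:]                # quoted IP header + 8 bytes of transport
    if len(inner) < 28:
        return "INVALID"            # too short to recover the inner tuple
    inner_ihl = (inner[0] & 0x0F) * 4
    proto = PROTO_NAMES.get(inner[9])
    src, dst = ip_str(inner[12:16]), ip_str(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    if proto and (proto, src, sport, dst, dport) in CONNTRACK:
        return "RELATED"            # quotes a packet we sent
    return "INVALID"                # quotes nothing we know about

def build_icmp_error(itype, code, inner_proto, src, sport, dst, dport, sender):
    """Constructed outer IPv4 + ICMP error + quoted inner packet (no checksums)."""
    def ipv4(proto, s, d, payload):
        addr = lambda a: bytes(int(x) for x in a.split("."))
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                          0, 0, 64, proto, 0, addr(s), addr(d))
        return hdr + payload
    inner = ipv4(inner_proto, src, dst, struct.pack("!HHHH", sport, dport, 0, 0))
    icmp = struct.pack("!BBHI", itype, code, 0, 0) + inner
    return ipv4(1, sender, src, icmp)
```

Port unreachable (3/3), fragmentation needed (3/4) and TTL exceeded (11/0) all come back RELATED when they quote a tracked flow; the same error quoting an unknown tuple is INVALID, which is why a bare `-p icmp` accept is a broader hole than `--state RELATED`.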




* Re: ICMP and connection tracking
@ 2004-05-20 16:24   ` Aleksandar Milivojevic
From: Aleksandar Milivojevic @ 2004-05-20 16:24 UTC (permalink / raw)
  To: Netfilter User Mailinglist

Antony Stone wrote:
> On Thursday 20 May 2004 4:06 pm, Aleksandar Milivojevic wrote:
> 
>>Are ICMP packets related to new and established TCP connections and UDP
>>traffic considered to be part of them,
> 
> An ICMP packet which is returned in response to a previously sent TCP or UDP 
> packet is considered to be RELATED.

Thanks.  This pretty much answers my question.

>>or do I need to have explicit rules like
>>
>>    -A INPUT -p icmp -m state --state RELATED -j ACCEPT
>>
>>for things like path MTU discovery, traceroute, ICMP port unreachables,
>>and so on to work properly?
> 
> Nothing wrong with the above rule, however remember that it isn't only ICMP 
> packets which are considered to be RELATED - in an FTP connection, for 
> example, the reverse (data) connection is considered to be RELATED to the 
> original (control) connection, even though it's another TCP link, not ICMP.

Yup, I'm aware of that part.

>>Any downsides of using a generic rule like the above (if it is needed)?
> 
> Most people use an even *more* generic rule:
> 
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Actually, the original question was prompted because I'm avoiding this 
more generic rule :-)

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7

