* Help with ICMP Rules
From: Real Cucumber
Date: 2004-07-15 17:03 UTC
To: netfilter

I'm trying to determine the best practice for allowing the required ICMP
messages to ensure stable networking, while at the same time not allowing
pings or other unnecessary parts.

The server these rules are going to be added on is just a packet forwarding
firewall using fedora2 and iptables, and for now it just forwards incoming
SSH packets to an internal server. So far SSH connections are working fine,
but I've had much feedback suggesting I enable ICMP. The internal SSH server
is not blocking ICMP. The fedora box in front of it is not allowing ICMP at
all (for Input, Output, and Forward).

What I'd like to know is: what are the recommended allowed ICMP messages for
me to set on the Fedora box? Should I just allow all ICMP to be forwarded, or
just the four basic control/status messages (source quench, parameter
problem, incoming destination unreachable, outgoing destination unreachable
of subtype fragmentation)? Also, do I need to allow those in all 3 chains or
just the forward chain, since it does not allow direct connections to it
anyhow?

__________________________________
Do you Yahoo!?
Yahoo! Mail - 50x more storage than other providers!
http://promotions.yahoo.com/new_mail
* Re: Help with ICMP Rules
From: Antony Stone
Date: 2004-07-15 18:43 UTC
To: netfilter

On Thursday 15 July 2004 6:03 pm, Real Cucumber wrote:

> I'm trying to determine the best practice for allowing
> the required ICMP messages to ensure stable
> networking, while at the same time not allowing pings
> or other unnecessary parts.

Personally, I simply use the ICMP types which are matched by
"-m state --state RELATED". They seem to do enough for me.

> Also do I need to allow those in all 3 chains or just
> the forward since it does not allow direct connections
> to it anyhow?

I would allow the firewall to send ICMP messages through its OUTPUT chain,
and if it can generate any connections from itself, then you should allow
them in through the INPUT chain as well, however you say you do not allow
outgoing connections (not even DNS??), so this may not be needed.

Regards,

Antony.

--
"The future is already here. It's just not evenly distributed yet."
 - William Gibson

Please reply to the list; please don't CC me.
* Re: Help with ICMP Rules
From: Real Cucumber
Date: 2004-07-15 19:21 UTC
To: netfilter

> I would allow the firewall to send ICMP messages
> through its OUTPUT chain, and
> if it can generate any connections from itself, then
> you should allow them in
> through the INPUT chain as well, however you say you
> do not allow outgoing
> connections (not even DNS??), so this may not be
> needed.

The fedora box doesn't do DNS or anything. Its sole purpose is a packet
forwarding router that doesn't allow any input or output, just forwards.
Currently it only forwards SSH packets. I may add other forwarding later,
but the idea is still the same: no direct incoming/outgoing connections to
it, just forwards. That is why I'm not sure if I need ICMP supported on it
or not, and not sure where to add the ICMP support (input, output, forward).

__________________________________
Do you Yahoo!?
New and Improved Yahoo! Mail - Send 10MB messages!
http://promotions.yahoo.com/new_mail
* Re: Help with ICMP Rules
From: Antony Stone
Date: 2004-07-15 19:32 UTC
To: netfilter

On Thursday 15 July 2004 8:21 pm, Real Cucumber wrote:

> > I would allow the firewall to send ICMP messages through its OUTPUT chain,
> > and if it can generate any connections from itself, then you should allow
> > them in through the INPUT chain as well, however you say you do not allow
> > outgoing connections (not even DNS??), so this may not be needed.
>
> The fedora box doesn't do DNS or anything. Its sole purpose is a packet
> forwarding router that doesn't allow any input or output, just forwards.
>
> That is why I'm not sure if I need ICMP supported on it or not, and not sure
> where to add the ICMP support (input, output, forward).

I would allow the machine to forward ICMP messages which are RELATED to the
existing SSH sessions, so that means the rule should go in the FORWARD chain.

If you want more specific advice, please post the current ruleset.

Regards,

Antony.

--
In Heaven, the police are British, the chefs are Italian, the beer is
Belgian, the mechanics are German, the lovers are French, the entertainment
is American, and everything is organised by the Swiss.

In Hell, the police are German, the chefs are British, the beer is American,
the mechanics are French, the lovers are Swiss, the entertainment is Belgian,
and everything is organised by the Italians.

Please reply to the list; please don't CC me.
* Re: Help with ICMP Rules
From: Aleksandar Milivojevic
Date: 2004-07-15 19:57 UTC
To: Real Cucumber
Cc: netfilter

Real Cucumber wrote:

> That is why I'm not sure if I need ICMP supported on
> it or not, and not sure where to add the ICMP support
> (input, output, forward).

You need it in FORWARD, that's obvious.

You also need it in OUTPUT because ICMP packets can be generated on your
forwarding machine too. For example, if it fails to pass the packet to the
next hop, it will generate a "no route to host/network" message back to the
originating host (this ICMP packet will have the source address of the
forwarding machine, so it goes through the OUTPUT chain). More examples of
ICMP packets generated on your forwarding machine (as a result of receiving
a packet that should be forwarded) would be traceroute (which works by
exploiting TTL exceeded) and path MTU discovery (which works by exploiting
the don't-fragment bit).

Note that removing the match for RELATED from the INPUT chain does not gain
you much (other than one line less in the rules). If your machine only
forwards packets, no ICMP that ends up in the INPUT chain will ever be in
the RELATED state (it will be in either the NEW or INVALID state).

--
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB R3T 1L7
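Added example (editor's illustration, not a ruleset posted by anyone in this thread): a minimal iptables script for the setup the original poster describes, putting Antony's "-m state --state RELATED" match in FORWARD and, as Aleksandar explains, in OUTPUT as well, while leaving INPUT without any ICMP rule and never accepting echo-request. Interface names eth0/eth1 and the internal address 192.168.1.10 are assumptions. By default the script only prints the commands it would run; set IPT=iptables and run it as root to apply them.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal ruleset for a box whose only
# job is to DNAT incoming SSH to an internal server, admitting only the ICMP
# that conntrack ties to an existing flow (-m state --state RELATED).
# Interface names and the internal address below are assumptions.
EXT_IF="${EXT_IF:-eth0}"                 # assumed external interface
INT_IF="${INT_IF:-eth1}"                 # assumed internal interface
SSH_SERVER="${SSH_SERVER:-192.168.1.10}" # constructed internal SSH server

# Dry run by default: "echo iptables" prints each command instead of
# applying it. Run as root with IPT=iptables to load the rules for real.
IPT="${IPT:-echo iptables}"

apply_rules() {
    # Nothing terminates or originates on the box itself, so INPUT and
    # OUTPUT default to DROP along with FORWARD.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -F
    $IPT -t nat -F

    # Redirect inbound SSH to the internal server.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 22 \
        -j DNAT --to-destination "$SSH_SERVER:22"

    # FORWARD: new SSH sessions inbound, replies outbound, and only the ICMP
    # that conntrack associates with one of those sessions (destination
    # unreachable incl. fragmentation needed, time exceeded, ...). No rule
    # accepts echo-request, so pings through the box are still dropped.
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$SSH_SERVER" \
        --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p tcp --sport 22 \
        -m state --state ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -p icmp -m state --state RELATED -j ACCEPT

    # OUTPUT: ICMP errors the forwarder generates itself about a forwarded
    # packet (no route to host, TTL exceeded, fragmentation needed) carry
    # the box's own source address, traverse OUTPUT, and are RELATED.
    $IPT -A OUTPUT -p icmp -m state --state RELATED -j ACCEPT

    # INPUT gets no ICMP rule: with nothing originating from the box,
    # ICMP arriving here is NEW or INVALID, never RELATED.
}

apply_rules
```

In dry-run mode the output is the exact command list, which makes it easy to diff against a running firewall's "iptables-save" before committing the change.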