Re: ICMP types - Mogens Valentin

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Mogens Valentin <monz@danbbs.dk>
To: 'Netfilter list' <netfilter@lists.netfilter.org>
Subject: Re: ICMP types
Date: Sat, 30 Apr 2005 14:23:24 +0200	[thread overview]
Message-ID: <427378BC.6070804@danbbs.dk> (raw)
In-Reply-To: <000101c54cf4$955d5460$6363a8c0@compaq>

Ken Hilliard wrote:
 > In reading different firewall scripts/tutorials many of them recommend
 > filtering ICMP packets. I added ICMP filter in my firewall but was
 > unsure of the value as well. What is the consensus view out there?

Not wanting to comment what the consensus are, but some types are 
generally considered nessesary to filter/allow.

But its really not just a matter of filtering this-or-that, also what's 
set in /proc . There's a lot to read...
A few ideas:

Filtering ICMP:

### Define icmp_packets chain:
     $IPT -F icmp_packets
     $IPT -X icmp_packets
     $IPT -N icmp_packets
     $IPT -A icmp_packets -p icmp --icmp-type echo-request -j ACCEPT
     $IPT -A icmp_packets -p icmp --icmp-type echo-reply -j ACCEPT
     $IPT -A icmp_packets -p icmp --icmp-type destination-unreachable -j 
ACCEPTlog
     $IPT -A icmp_packets -p icmp --icmp-type network-unreachable -j 
ACCEPTlog
     $IPT -A icmp_packets -p icmp --icmp-type network-prohibited -j 
ACCEPTlog
     $IPT -A icmp_packets -p icmp --icmp-type source-quench -j ACCEPTlog
     $IPT -A icmp_packets -p icmp --icmp-type parameter-problem -j ACCEPTlog
     $IPT -A icmp_packets -p icmp --icmp-type time-exceeded -j ACCEPTlog
     $IPT -A icmp_packets -p icmp --icmp-type fragmentation-needed -j 
ACCEPTlog
     #$IPT -A icmp_packets -p icmp -j ACCEPTlog
     $IPT -A icmp_packets -p icmp -j LOG



A few /proc settings:

### /proc settings:
     setup_procfs() {

       # Disable forwarding while setting up rules (needed for 
masquerading):
       # Note: this is now done in forwarding.def
           #echo "0" >/proc/sys/net/ipv4/ip_forward

       # Initially, disable ICMP echo-requests altogether (normally only 
used if DoSed):
       # Note: this is now done in forwarding.def
           #echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_all

       # Disable ICMP echo-request to broadcast addresses (Smurf amplifier):
           echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

       # Enable syn-cookies (prevent syn-flood attacks):
           echo "1" >/proc/sys/net/ipv4/tcp_syncookies

       # Reduce number of possible SYN Floods:
           echo "1024" >/proc/sys/net/ipv4/tcp_max_syn_backlog

       # Enable defrag error protection:
           echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

       # Enable time-wait assassination hazards in tcp (RFC 1337):
           echo "1" >/proc/sys/net/ipv4/tcp_rfc1337

       # Prevent remote digging of OS-type and uptime (RFC1323):
           #echo "1" >/proc/sys/net/ipv4/tcp_timestamps    # enable 
timestamps
           echo "0" >/proc/sys/net/ipv4/tcp_timestamps    # disable 
timestamps

       # Disable RFC2018 TCP Selective Acknowledgements:
           echo 0 > /proc/sys/net/ipv4/tcp_sack


       # Sourcerouting and spoofing:
           for i in /proc/sys/net/ipv4/conf/*; do
               # Drop all source-routed packets:
               echo "0" >$i/accept_source_route

               # Deactivate normal ICMP redirect accept/send:
               echo "0" >$i/accept_redirects
               echo "0" >$i/send_redirects

               # Activate secure ICMP redirects (send only?) (on by 
default):
               echo "1" >$i/secure_redirects

               # Enable ingress + egress source-address verification 
(prevent spoofing):
               #echo "0" >$i/rp_filter   # disable
               echo "1" >$i/rp_filter   # enable
           done

       # Log spoofed, source routed and redirect packets:
           #echo 1 >/proc/sys/net/ipv4/conf/all/log_martians
           echo 0 >/proc/sys/net/ipv4/conf/all/log_martians

     }

-- 
Kind regards,
Mogens Valentin


Q: How does a hacker fix a function which doesn't
    work for all of the elements in its domain?
A: He changes the domain.
   -- unknown

next prev parent reply	other threads:[~2005-04-30 12:23 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-04-30  9:53 ICMP types varun_saa
2005-04-30 10:28 ` Sertys
2005-04-29 19:49   ` Ken Hilliard
2005-04-30 12:23     ` Mogens Valentin [this message]
2005-04-30 22:35       ` Alexander Samad
2005-04-30 23:40         ` Mogens Valentin
2005-04-30 22:55 ` Taylor, Grant
2005-04-30 23:22   ` R. DuFresne
2005-04-30 23:36     ` Taylor, Grant
2005-04-30 23:53       ` R. DuFresne
2005-05-01  3:29 ` Dean Anderson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=427378BC.6070804@danbbs.dk \
    --to=monz@danbbs.dk \
    --cc=netfilter@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.