* ICMP Rule Problem
From: David C. Hart @ 2004-02-02 17:02 UTC
To: Iptables Mailing List
Should this not reject echo requests?
-A INPUT -p icmp -m icmp --icmp-type 0 -j REJECT --reject-with icmp-net-prohibited
It doesn't seem to work.
---------
Quality Management - A Commitment to Excellence
* Re: ICMP Rule Problem
From: David C. Hart @ 2004-02-02 17:16 UTC
To: Iptables Mailing List
On Mon, 2004-02-02 at 12:11, an unknown sender wrote:
> On February 2, 2004 12:02 pm, David C. Hart wrote:
> > -A INPUT -p icmp -m icmp --icmp-type 0 -j REJECT --reject-with icmp-net-prohibited
> >
> > It doesn't seem to work.
> Please see Maciej's reply to a similar thread ...
> you need kernel > 2.4.21 and iptables > 1.2.8
>
Kernel = 2.4.24 IPTables = 1.2.9
---------
Quality Management - A Commitment to Excellence
* Re: ICMP Rule Problem
From: Unknown, Alistair Tonner @ 2004-02-02 19:38 UTC
To: David C. Hart, Iptables Mailing List
On February 2, 2004 12:16 pm, David C. Hart wrote:
> On Mon, 2004-02-02 at 12:11, an unknown sender wrote:
> > On February 2, 2004 12:02 pm, David C. Hart wrote:
> > > -A INPUT -p icmp -m icmp --icmp-type 0 -j REJECT --reject-with icmp-net-prohibited
> > >
> > > It doesn't seem to work.
> >
> > Please see Maciej's reply to a similar thread ...
> > you need kernel > 2.4.21 and iptables > 1.2.8
>
> Kernel = 2.4.24 IPTables = 1.2.9
*urmp*
Prowled the source -- linux default icmp headers don't seem to include
"prohibited" -- appears to come from iptables and is
network-prohibited (there doesn't seem to be a short match function there)
is func 3 code 9 from what I can tell....
(but heck -- I could be wrong)
Alistair.
> ---------
> Quality Management - A Commitment to Excellence
* RE: ICMP Rule Problem
From: Mark E. Donaldson @ 2004-02-03 6:36 UTC
To: 'David C. Hart', 'Iptables Mailing List'
ICMP Type 0 is an echo reply. Request (ping) is Type 8.
* Re: ICMP Rule Problem
From: Antony Stone @ 2004-02-03 9:17 UTC
To: Netfilter Mailing List
On Monday 02 February 2004 5:02 pm, David C. Hart wrote:
> Should this not reject echo requests?
>
> -A INPUT -p icmp -m icmp --icmp-type 0 -j REJECT --reject-with icmp-net-prohibited
>
> It doesn't seem to work.
Never mind that, you're not allowed to respond to ICMP packets with ICMP
errors.
See RFC792 page 1.
Regards,
Antony.
--
Abandon hope, all ye who enter here.
You'll feel much better about things once you do.
Please reply to the list;
please don't CC me.
* Re: ICMP Rule Problem
From: Kiran Kumar @ 2004-02-03 13:24 UTC
To: Netfilter Mailing List
--- Antony Stone <Antony@Soft-Solutions.co.uk> wrote:
> Never mind that, you're not allowed to respond to
> ICMP packets with ICMP
> errors.
>
> See RFC792 page 1.
Wrong. You are not allowed to respond to ICMP _errors_ with ICMP errors;
what else does ping mean by giving error messages like "Destination Host
Unreachable"?
=====
Regards,
Kiran Kumar Immidi
* Re: ICMP Rule Problem
From: Antony Stone @ 2004-02-03 13:49 UTC
To: Netfilter Mailing List
On Tuesday 03 February 2004 1:24 pm, Kiran Kumar wrote:
> --- Antony Stone <Antony@Soft-Solutions.co.uk> wrote:
> > Never mind that, you're not allowed to respond to
> > ICMP packets with ICMP
> > errors.
> >
> > See RFC792 page 1.
>
> Wrong. You are not allowed to respond to ICMP
> _errors_ with ICMP errors, what else does ping mean by
> giving error messages like "Destination Host
> Unreachable" ?.
Hm. I was only quoting from RFC792: "The ICMP messages typically report
errors in the processing of datagrams. To avoid the infinite regress of
messages about messages etc., no ICMP messages are sent about ICMP messages."
Perhaps this isn't quite as clear or specific as it should be?
Antony.
--
These clients are often infected by viruses or other malware and need to be
fixed. If not, the user at that client needs to be fixed...
- Henrik Nordstrom, on Squid user's mailing list
Please reply to the list;
please don't CC me.
* Re: ICMP Rule Problem
From: Maciej Soltysiak @ 2004-02-03 15:20 UTC
To: Iptables Mailing List
> Hm. I was only quoting from RFC792: "The ICMP messages typically report
> errors in the processing of datagrams. To avoid the infinite regress of
> messages about messages etc., no ICMP messages are sent about ICMP
> messages."
>
> Perhaps this isn't quite as clear or specific as it should be?
It sure is.
echo replies for echo requests,
echo dest unreachs for e.g. echo requests or timestamp requests, etc.
all are fine and seen normally in networks and on the Internet.
We are not supposed to send error messages for error messages:
e.g. dest unreach for ttl-expired.
We are allowed to use error messages for information messages:
e.g. ttl-expired for timestamp requests,
net-prohib for echo replies (e.g. nonstateful replies that could
suggest inverse mapping of our network).
To conclude the issue:
- use "-p icmp --icmp-type 8/0" for matching echo requests (type 8, code 0)
- using -j REJECT --reject-with net-prohib does not require a fresh kernel
and iptables. Only admin-prohib does.
- Yes, you are allowed in terms of RFCs to send back net-prohib for echo
requests.
Regards,
Maciej
* RE: ICMP Rule Problem
From: Mark E. Donaldson @ 2004-02-04 5:50 UTC
To: 'Kiran Kumar', 'Netfilter Mailing List'
The answer lies within RFC 1122, which states "that an ICMP error message
should not be sent as the result of receiving another ICMP error message."
However, an ICMP error message can be sent in response to an ICMP query
message, which is what an echo request is, and is the source of the question
that started this thread.
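Added example, not code from the netfilter project or from any poster in this thread: a small Python model of the two points settled in Maciej's summary and in Mark's RFC 1122 reply above. It parses an iptables --icmp-type argument the way the poster needed it (type 8, written "8/0" or "echo-request", not type 0, which is the echo reply), and it refuses to build a REJECT rule that would answer an ICMP error with another ICMP error. The type/code tables are the ICMP assignments from RFC 792/RFC 1122 and the names iptables accepts for --icmp-type and --reject-with; the function names and the rule generator itself are assumptions made for illustration.

```python
"""Model of the ICMP matching and rejecting rules discussed in the thread.

Added example; not netfilter code.  Tables are the ICMP assignments and
the names iptables accepts; the functions are illustrative assumptions.
"""

# ICMP types that are *errors* (the list in RFC 1122 section 3.2.2).
# Every other type is a query/informational message (echo, timestamp, ...).
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

# Subset of the names `iptables -p icmp -h` accepts for --icmp-type.
# A code of None means "any code of that type".
ICMP_TYPE_NAMES = {
    "echo-reply": (0, None),
    "destination-unreachable": (3, None),
    "network-unreachable": (3, 0),
    "host-unreachable": (3, 1),
    "port-unreachable": (3, 3),
    "network-prohibited": (3, 9),
    "host-prohibited": (3, 10),
    "communication-prohibited": (3, 13),
    "echo-request": (8, None),
    "time-exceeded": (11, None),
    "timestamp-request": (13, None),
    "timestamp-reply": (14, None),
}

# What REJECT --reject-with actually sends back: all are type 3 errors.
REJECT_WITH = {
    "icmp-net-unreachable": (3, 0),
    "icmp-host-unreachable": (3, 1),
    "icmp-proto-unreachable": (3, 2),
    "icmp-port-unreachable": (3, 3),
    "icmp-net-prohibited": (3, 9),
    "icmp-host-prohibited": (3, 10),
    "icmp-admin-prohibited": (3, 13),
}


def parse_icmp_type(spec):
    """Parse an iptables --icmp-type argument: a name, "8", or "8/0".

    Returns (type, code); code is None when any code should match.
    Raises ValueError for unknown names and out-of-range numbers.
    """
    spec = spec.strip().lower()
    if spec in ICMP_TYPE_NAMES:
        return ICMP_TYPE_NAMES[spec]
    parts = spec.split("/")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        raise ValueError("bad --icmp-type %r" % spec)
    icmp_type = int(parts[0])
    code = int(parts[1]) if len(parts) == 2 else None
    if icmp_type > 255 or (code is not None and code > 255):
        raise ValueError("ICMP type/code out of range: %r" % spec)
    return icmp_type, code


def matches(spec, pkt_type, pkt_code=0):
    """Would `-p icmp --icmp-type SPEC` match a packet with this type/code?"""
    want_type, want_code = parse_icmp_type(spec)
    return pkt_type == want_type and (want_code is None or pkt_code == want_code)


def reject_allowed(pkt_type, reject_with):
    """RFC 1122 3.2.2: an ICMP error MUST NOT be sent in response to an
    ICMP error.  Errors in response to queries (echo request, timestamp
    request) are permitted, which is the conclusion of the thread."""
    if reject_with not in REJECT_WITH:
        raise ValueError("unknown --reject-with %r" % reject_with)
    return pkt_type not in ICMP_ERROR_TYPES


def build_rule(spec, reject_with):
    """Emit the INPUT rule, refusing combinations that would answer an
    incoming ICMP error with another ICMP error (hypothetical helper)."""
    pkt_type, _ = parse_icmp_type(spec)
    if not reject_allowed(pkt_type, reject_with):
        raise ValueError("refusing to REJECT ICMP error type %d with %s"
                         % (pkt_type, reject_with))
    return ("-A INPUT -p icmp -m icmp --icmp-type %s -j REJECT --reject-with %s"
            % (spec, reject_with))


def rule_is_valid(spec, reject_with):
    """True if build_rule() accepts the combination, False otherwise."""
    try:
        build_rule(spec, reject_with)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The poster's rule matched echo *replies* (type 0), so incoming pings
    # (type 8) never hit it; "8/0" or "echo-request" is what he wanted.
    print("type 0 rule matches a ping?", matches("0", 8))
    print("8/0 rule matches a ping?", matches("8/0", 8, 0))
    print(build_rule("echo-request", "icmp-net-prohibited"))
    # An error about an error is refused, per RFC 1122.
    print("time-exceeded + net-prohibited valid?",
          rule_is_valid("time-exceeded", "icmp-net-prohibited"))
```

Run it as a script to see the corrected rule printed; the checker only models the type/code and RFC 1122 logic, it does not load anything into the kernel, so the generated line still has to be fed to iptables on the host.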