[AusNOG] network security Question

Joseph Goldman joe at apcs.com.au
Tue May 20 15:45:41 EST 2014


Funnily enough, I am preparing some routers for production and 
configuring firewalls for this very reason, so I have recently found a 
list ready for ICMP blocking:

/ip firewall filter
# These rules live in a custom chain named "icmp"; reach it from the
# built-in chains with e.g.  add chain=input protocol=icmp action=jump jump-target=icmp
add chain=icmp protocol=icmp icmp-options=0:0 action=accept \
    comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept \
    comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept \
    comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=3:4 action=accept \
    comment="host unreachable fragmentation required"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept \
    comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept \
    comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept \
    comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept \
    comment="allow parameter bad"
add chain=icmp action=drop comment="deny all other types"


This is for RouterOS; it gives 8 different types (and descriptions) of ICMP 
that you should allow, then blocks the rest. Adjust for your own operating 
system.

Thanks,
Joe

On 20/05/14 14:03, Colin Stubbs wrote:
>
> ICMP is more than just echo requests and replies or "ping" as so many 
> think of it.
>
> If you're dropping unreachables and time exceeded error messages odds 
> are your network won't work at all, or the apps on top will perform 
> badly while experiencing intermittent problems.
>
> With respect to "ping" I would deny echo request from untrusted zones 
> to anywhere, deny echo reply to untrusted from anywhere, but allow 
> echo request from trusted to anywhere with echo reply from anywhere to 
> trusted.
>
> You could do something similar with ICMP traceroute if you want to. 
> UDP/TCP traceroute must be permitted by firewalls along with letting 
> the ICMP TTL exceeded and unreachables pass unhindered.
>
> Make sure you understand ICMP types and sub types before you go trying 
> to enforce any policy changes.
>
> http://en.m.wikipedia.org/wiki/Internet_Control_Message_Protocol
>
> Policy based on geographical source, e.g. "I don't trust China and 
> have no need to communicate with Russia", is increasingly common in 
> enterprise... Not exactly feasible in service provider land.
>
> Sent from a mobile device. Correct spelling and accurate use of 
> grammar is unlikely to have occurred.
>
> On 20/05/2014 1:37 pm, "Alex Samad - Yieldbroker" 
> <Alex.Samad at yieldbroker.com <mailto:Alex.Samad at yieldbroker.com>> wrote:
>
>     Hi
>
>     Wondering what people do around
>     1) letting through ICMP
>
>     I like the idea of allowing ICMP through; it makes network diagnosis a
>     lot easier, but I don't want to be bombed.
>     What sort of rate limiting do people think is acceptable?
>     What's acceptable from a client to confirm connectivity?
>
>
>     2) blacklisting IPs
>
>     So I have (like a lot of others) people port scanning, looking for
>     open ports. At what sort of levels do people actually do something
>     about it?
>
>     I'm asking as an end user, but I am also curious to know what
>     providers do.
>
>     I have heard of companies blocking entire ranges, for example say
>     China and/or Russia, as they have no clients there. Do people do
>     that, and do ISPs provide that service (can that be done through the
>     auto black hole mechanism?)
>
>
>     Alex
>     _______________________________________________
>     AusNOG mailing list
>     AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
>     http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
>
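The two points made in this thread, accept only the listed ICMP type:code pairs and apply a zone-based echo policy (no pings in from untrusted zones, no echo replies out to them, with rate limiting as the alternative Alex asked about), expressed as a small policy model. This is an added example, not code from the thread or from RouterOS; the zone names, the Packet shape, the sample traffic and the token-bucket limiter are assumptions made for the example.

```python
"""Zone-aware ICMP filter model.

Added example, not code from the AusNOG thread. It encodes the thread's two
points: accept only the listed ICMP type:code pairs and drop the rest, and
apply a zone-based echo policy (no pings in from untrusted zones, no echo
replies out to them). Zone names, the Packet shape and the token-bucket
limiter are assumptions made for this example.
"""
from collections import namedtuple

# (type, code) -> description; the same eight pairs as the RouterOS list.
ALLOWED_ICMP = {
    (0, 0): "echo reply",
    (3, 0): "net unreachable",
    (3, 1): "host unreachable",
    (3, 4): "fragmentation needed and DF set",
    (4, 0): "source quench",
    (8, 0): "echo request",
    (11, 0): "time exceeded in transit",
    (12, 0): "parameter problem",
}
ECHO_REQUEST, ECHO_REPLY = (8, 0), (0, 0)

# Constructed packet model: zones instead of addresses, because the policy is
# written per zone ("trusted" / "untrusted").
Packet = namedtuple("Packet", "src_zone dst_zone icmp_type icmp_code")


class TokenBucket:
    """Refills at `rate` tokens per second up to `burst`; one token per packet."""

    def __init__(self, rate, burst, now=0.0):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.last = float(burst), now

    def allow(self, now):
        elapsed = max(0.0, now - self.last)   # tolerate a clock that steps back
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class IcmpPolicy:
    """untrusted_echo='deny' drops every echo request from an untrusted zone and
    every echo reply towards one (Colin's policy). untrusted_echo='limit' admits
    them through a token bucket instead (the rate-limited variant Alex asked
    about); the matching replies are then allowed back out."""

    def __init__(self, untrusted_echo="deny", rate=1.0, burst=5):
        if untrusted_echo not in ("deny", "limit"):
            raise ValueError("untrusted_echo must be 'deny' or 'limit'")
        self.untrusted_echo = untrusted_echo
        self.bucket = TokenBucket(rate, burst)

    def decide(self, pkt, now=0.0):
        key = (pkt.icmp_type, pkt.icmp_code)
        if key not in ALLOWED_ICMP:
            # Everything not on the list is dropped (timestamp, address mask, ...).
            return "drop: type %d code %d not in allow list" % key
        if key == ECHO_REQUEST and pkt.src_zone == "untrusted":
            if self.untrusted_echo == "deny":
                return "drop: echo request from untrusted"
            if not self.bucket.allow(now):
                return "drop: echo request from untrusted over rate limit"
            return "accept: echo request from untrusted (rate limited)"
        if key == ECHO_REPLY and pkt.dst_zone == "untrusted":
            if self.untrusted_echo == "deny":
                return "drop: echo reply to untrusted"
        # Errors (3, 4, 11, 12) pass in every direction so path MTU discovery,
        # traceroute and unreachable signalling keep working.
        return "accept: " + ALLOWED_ICMP[key]


# Constructed sample traffic, all evaluated at t=0.
SAMPLE = [
    Packet("untrusted", "trusted", 8, 0),    # inbound ping
    Packet("trusted", "untrusted", 8, 0),    # outbound ping
    Packet("untrusted", "trusted", 0, 0),    # reply to our outbound ping
    Packet("trusted", "untrusted", 0, 0),    # reply that would leak outwards
    Packet("untrusted", "trusted", 11, 0),   # TTL exceeded (traceroute)
    Packet("untrusted", "trusted", 3, 4),    # frag needed (PMTUD)
    Packet("untrusted", "trusted", 13, 0),   # timestamp request
]


def evaluate(policy, packets):
    """Return the verdict string for each packet, in order."""
    return [policy.decide(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, evaluate(IcmpPolicy(), SAMPLE)):
        print(pkt, "->", verdict)
```

With the default `deny` policy only the inbound ping and the outward echo reply are dropped among the listed types; the error messages pass in both directions, which is the point Colin makes about unreachables and time exceeded. Switching to `limit` with a small bucket shows the burst-then-refill behaviour a rate limit gives.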
