[AusNOG] network security Question
Joseph Goldman
joe at apcs.com.au
Tue May 20 15:45:41 EST 2014
Funnily enough, I am preparing some routers for production and
configuring firewalls for this very reason, so I have recently found a
list ready for ICMP blocking:
/ip firewall filter
# The rules below populate a custom chain named "icmp"; ICMP arriving on
# the built-in chains has to be handed to it or none of this matches.
add chain=input protocol=icmp action=jump jump-target=icmp \
    comment="hand ICMP to the icmp chain"
add chain=forward protocol=icmp action=jump jump-target=icmp \
    comment="hand ICMP to the icmp chain"
add chain=icmp protocol=icmp icmp-options=0:0 action=accept \
    comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept \
    comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept \
    comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=3:4 action=accept \
    comment="fragmentation needed and DF set (Path MTU discovery)"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept \
    comment="source quench (deprecated by RFC 6633)"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept \
    comment="echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept \
    comment="time exceeded"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept \
    comment="parameter problem"
add chain=icmp action=drop comment="deny all other types"
This is for RouterOS; it gives 8 different types (with descriptions) of ICMP
that you should allow, then blocks the rest. Adjust for your own operating
system.
Thanks,
Joe
On 20/05/14 14:03, Colin Stubbs wrote:
>
> ICMP is more than just echo requests and replies or "ping" as so many
> think of it.
>
> If you're dropping unreachables and time exceeded error messages odds
> are your network won't work at all, or the apps on top will perform
> badly while experiencing intermittent problems.
>
> With respect to "ping" I would deny echo request from untrusted zones
> to anywhere, deny echo reply to untrusted from anywhere, but allow
> echo request from trusted to anywhere with echo reply from anywhere to
> trusted.
>
> You could do something similar with ICMP traceroute if you want to.
> UDP/TCP traceroute must be permitted by firewalls along with letting
> the ICMP TTL exceeded and unreachables pass unhindered.
>
> Make sure you understand ICMP types and sub types before you go trying
> to enforce any policy changes.
>
> http://en.m.wikipedia.org/wiki/Internet_Control_Message_Protocol
>
> Policy based on geographical source, e.g. "I don't trust China and
> have no need to communicate with Russia", is increasingly common in
> enterprise... Not exactly feasible in service provider land.
>
> Sent from a mobile device. Correct spelling and accurate use of
> grammar is unlikely to have occurred.
>
> On 20/05/2014 1:37 pm, "Alex Samad - Yieldbroker"
> <Alex.Samad at yieldbroker.com> wrote:
>
> Hi
>
> Wondering what people do around
> 1) letting through icmp
>
> I like the idea of allowing icmp through, it makes network diagnosis a
> lot easier, but I don't want to be bombed.
> What sort of rate limiting do people think is acceptable?
> What's acceptable from client to confirm connectivity?
>
>
> 2) blacklisting ip's
>
> So I have (like a lot of others) people port scanning, looking for
> open ports. What sort of levels do people actually do something
> about it at?
>
> I'm asking as an end user, but I am also curious to know what
> providers do.
>
> I have heard of companies blocking entire ranges, for example, say,
> China and/or Russia, as they have no clients there. Do people do
> that? Do ISPs provide that service (can that be done through the
> auto black hole mechanism?)
>
>
> Alex
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
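The zone-based ICMP policy Colin describes (deny echo request from untrusted, deny echo reply towards untrusted, let the error messages through unhindered) and the rate limiting Alex asks about, modelled as a small Python filter. This is an added example, not code from any post in the thread. It assumes two zones named "trusted" and "untrusted", an arbitrary limit of 10 echo requests per second with a burst of 20 per source address, and it adds 3:3 (port unreachable) to the permitted error set because UDP traceroute's final hop depends on it; the sample traffic is constructed.

```python
"""
Zone-based ICMP filter policy with a token-bucket limit on echo requests.
Added example with constructed traffic; the zone names, the 3:3 entry and
the 10/s, burst 20 figures are assumptions, not values from the thread.
"""
from collections import defaultdict
from dataclasses import dataclass

# ICMP type:code pairs that carry error signalling. Dropping these breaks
# connections, Path MTU discovery and traceroute, so they pass both ways.
ERROR_MESSAGES = {
    (3, 0): "net unreachable",
    (3, 1): "host unreachable",
    (3, 3): "port unreachable",          # final hop of UDP traceroute (added here)
    (3, 4): "fragmentation needed",      # Path MTU discovery
    (11, 0): "TTL exceeded in transit",  # intermediate traceroute hops
    (12, 0): "parameter problem",
}
ECHO_REQUEST = (8, 0)
ECHO_REPLY = (0, 0)
TRUSTED, UNTRUSTED = "trusted", "untrusted"


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    icmp_type: int
    icmp_code: int
    ts: float  # seconds; a real filter would read a monotonic clock

    @property
    def type_code(self):
        return (self.icmp_type, self.icmp_code)


class TokenBucket:
    """Per-source token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self._tokens = defaultdict(lambda: burst)
        self._last = {}

    def allow(self, key, now):
        last = self._last.get(key, now)
        self._tokens[key] = min(self.burst, self._tokens[key] + (now - last) * self.rate)
        self._last[key] = now
        if self._tokens[key] >= 1:
            self._tokens[key] -= 1
            return True
        return False


def evaluate(pkt, limiter):
    """Return 'accept', 'drop' or 'rate-limited' for one ICMP packet."""
    tc = pkt.type_code
    if tc in ERROR_MESSAGES:
        return "accept"                  # errors pass unhindered, both directions
    if tc == ECHO_REQUEST:
        if pkt.src_zone == UNTRUSTED:
            return "drop"                # deny echo request from untrusted to anywhere
        return "accept" if limiter.allow(pkt.src_ip, pkt.ts) else "rate-limited"
    if tc == ECHO_REPLY:
        return "drop" if pkt.dst_zone == UNTRUSTED else "accept"
    return "drop"                        # redirects, timestamps and everything else


def run_scenario(rate=10.0, burst=20):
    """Run constructed traffic through the policy and return the verdicts."""
    limiter = TokenBucket(rate, burst)
    r = {}
    # trusted host pings out; the reply comes back in
    r["ping_out"] = evaluate(Packet(TRUSTED, UNTRUSTED, "10.0.0.5", 8, 0, 0.0), limiter)
    r["reply_in"] = evaluate(Packet(UNTRUSTED, TRUSTED, "203.0.113.9", 0, 0, 0.02), limiter)
    # untrusted host pings us: never answered
    r["ping_in"] = evaluate(Packet(UNTRUSTED, TRUSTED, "203.0.113.9", 8, 0, 0.1), limiter)
    # UDP traceroute out: per-hop TTL exceeded and the final port unreachable return
    r["ttl_exceeded"] = evaluate(Packet(UNTRUSTED, TRUSTED, "198.51.100.1", 11, 0, 0.2), limiter)
    r["port_unreach"] = evaluate(Packet(UNTRUSTED, TRUSTED, "203.0.113.9", 3, 3, 0.3), limiter)
    # redirect from outside: not in the allow set
    r["redirect"] = evaluate(Packet(UNTRUSTED, TRUSTED, "203.0.113.9", 5, 1, 0.4), limiter)
    # trusted host fires 30 echo requests 1 ms apart: burst of 20, then limited
    verdicts = [evaluate(Packet(TRUSTED, UNTRUSTED, "10.0.0.7", 8, 0, 1.0 + i / 1000), limiter)
                for i in range(30)]
    r["burst_accepted"] = verdicts.count("accept")
    r["burst_limited"] = verdicts.count("rate-limited")
    return r


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:15} {verdict}")
```

The point of keeping ERROR_MESSAGES separate from the echo handling is that the asymmetry Colin describes applies only to echo; the error types have to be accepted regardless of zone, because they are generated by routers you do not control in response to traffic you did send.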