[AusNOG] network security Question
Tim March
march.tim at gmail.com
Tue May 20 16:47:44 EST 2014
This is a reasonable approach.
I normally do something like this...
--- BEGIN PASTE ---
remark --- deny unroutable networks ---
deny ip 0.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip 240.0.0.0 7.255.255.255 any
deny ip 248.0.0.0 7.255.255.255 any
deny ip host 255.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
remark --- permit link control and utility traffic ---
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any host-unknown
permit icmp any any time-exceeded
permit icmp any any traceroute
permit icmp any any unreachable
permit tcp any any established
--- END PASTE ---
IMO arbitrarily filtering all ICMP serves more to give legitimate actors
the sh!ts than it does preventing actions from malicious ones. Anyone
port-scanning or mapping your network is probably doing it with SYN
anyway, so it's largely pointless.
With regards to arbitrarily blocking whole country netblocks; sure, some
people do it. Having your IDS/IPS temporarily block trouble addresses is
probably a better solution if you want to go down that path, though.
2c
T.
On 20/05/14 3:45 PM, Joseph Goldman wrote:
> Funnily enough, I am preparing some routers for production and
> configuring firewalls for this very reason, so have recently found a
> list ready for ICMP blocking:
>
> add chain=icmp protocol=icmp icmp-options=0:0 action=accept \
> comment="echo reply"
> add chain=icmp protocol=icmp icmp-options=3:0 action=accept \
> comment="net unreachable"
> add chain=icmp protocol=icmp icmp-options=3:1 action=accept \
> comment="host unreachable"
> add chain=icmp protocol=icmp icmp-options=3:4 action=accept \
> comment="host unreachable fragmentation required"
> add chain=icmp protocol=icmp icmp-options=4:0 action=accept \
> comment="allow source quench"
> add chain=icmp protocol=icmp icmp-options=8:0 action=accept \
> comment="allow echo request"
> add chain=icmp protocol=icmp icmp-options=11:0 action=accept \
> comment="allow time exceed"
> add chain=icmp protocol=icmp icmp-options=12:0 action=accept \
> comment="allow parameter bad"
> add chain=icmp action=drop comment="deny all other types"
>
>
> This is for RouterOS, gives 8 different types (and description) of ICMP
> that you should allow then block the rest. Adjust for your own operating
> system.
>
> Thanks,
> Joe
>
> On 20/05/14 14:03, Colin Stubbs wrote:
>>
>> ICMP is more than just echo requests and replies or "ping" as so many
>> think of it.
>>
>> If you're dropping unreachables and time exceeded error messages odds
>> are your network won't work at all, or the apps on top will perform
>> badly while experiencing intermittent problems.
>>
>> With respect to "ping" I would deny echo request from untrusted zones
>> to anywhere, deny echo reply to untrusted from anywhere, but allow
>> echo request from trusted to anywhere with echo reply from anywhere to
>> trusted.
>>
>> You could do something similar with ICMP traceroute if you want to.
>> UDP/TCP traceroute must be permitted by firewalls along with letting
>> the ICMP TTL exceeded and unreachables pass unhindered.
>>
>> Make sure you understand ICMP types and sub types before you go trying
>> to enforce any policy changes.
>>
>> http://en.m.wikipedia.org/wiki/Internet_Control_Message_Protocol
>>
>> Policy based on geographical source, e.g. "i don't trust China and
>> have no need to communicate with Russia" is increasingly common in
>> enterprise... Not exactly feasible in service provider land.
>>
>> Sent from a mobile device. Correct spelling and accurate use of
>> grammar is unlikely to have occurred.
>>
>> On 20/05/2014 1:37 pm, "Alex Samad - Yieldbroker"
>> <Alex.Samad at yieldbroker.com> wrote:
>>
>> Hi
>>
>> Wondering what people do around
>> 1) letting through icmp
>>
>> I like the idea of allowing icmp through, it makes network diagnosis a
>> lot easier, but I don't want to be bombed.
>> What sort of rate limiting do people think is acceptable?
>> What's acceptable from client to confirm connectivity?
>>
>>
>> 2) blacklisting ip's
>>
>> So I have (like a lot of others), people port scanning looking for
>> open ports, what sort of levels do people actually do something
>> about it ?
>>
>> I'm asking as an end user, but I am also curious to know what
>> providers do.
>>
>> I have heard of companies blocking entire ranges, for example say
>> China and/or Russia as they have no clients there. Do people do
>> that, do ISPs provide that service (can that be done through the
>> auto black hole mechanism ?)
>>
>>
>> Alex
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
PGP/GNUPG Public Key: http://d3vnu11.com/pub.key
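The policy Tim pasted, rendered as a small Python evaluator so the effect of the bogon wildcard masks and the ICMP type allow-list can be checked against sample packets. This is an added example, not code from the thread or from any vendor; the `EchoLimiter` budget is a hypothetical answer to Alex's rate-limiting question, and the wildcard matcher is written bitwise so it also covers non-contiguous Cisco wildcards, which the pasted ACL does not use.

```python
import ipaddress

# Unroutable / bogon sources from the Cisco ACL posted in the thread,
# as (address, wildcard) pairs: a 0 bit in the wildcard must match.
DENY_SOURCES = [
    ("0.0.0.0", "0.255.255.255"), ("127.0.0.0", "0.255.255.255"),
    ("169.254.0.0", "0.0.255.255"), ("192.0.2.0", "0.0.0.255"),
    ("224.0.0.0", "15.255.255.255"), ("240.0.0.0", "7.255.255.255"),
    ("248.0.0.0", "7.255.255.255"), ("255.255.255.255", "0.0.0.0"),
    ("10.0.0.0", "0.255.255.255"), ("172.16.0.0", "0.15.255.255"),
    ("192.168.0.0", "0.0.255.255"),
]

# ICMP types the ACL permits: echo-reply (0), unreachable incl. host-unknown
# and fragmentation-needed (3), echo (8), time-exceeded (11), traceroute (30).
PERMIT_ICMP_TYPES = {0, 3, 8, 11, 30}

# Constructed (hypothetical) budget: echo requests per source per window.
ECHO_BUDGET = 5


def wildcard_match(src, addr, wildcard):
    """Cisco wildcard semantics, bitwise, so non-contiguous masks also work."""
    s, a, w = (int(ipaddress.IPv4Address(x)) for x in (src, addr, wildcard))
    keep = ~w & 0xFFFFFFFF
    return (s & keep) == (a & keep)


def evaluate(src, proto, icmp_type=None, tcp_established=False):
    """Decide permit/deny for a packet from the untrusted side in ACL order,
    ending with the implicit deny every Cisco ACL has."""
    for addr, wc in DENY_SOURCES:
        if wildcard_match(src, addr, wc):
            return "deny"
    if proto == "icmp" and icmp_type in PERMIT_ICMP_TYPES:
        return "permit"
    if proto == "tcp" and tcp_established:
        return "permit"
    return "deny"


class EchoLimiter:
    """Per-source budget of echo requests within a fixed window (seconds):
    diagnostics still work, a flood from one source is capped."""
    def __init__(self, budget=ECHO_BUDGET, window=1.0):
        self.budget, self.window, self.seen = budget, window, {}

    def allow(self, src, now):
        start, count = self.seen.get(src, (now, 0))
        if now - start >= self.window:
            start, count = now, 0
        self.seen[src] = (start, count + 1)
        return count < self.budget
```

Timestamp requests (type 13) and bare TCP SYNs fall through to the implicit deny, while 3/4 fragmentation-needed passes, which is the behaviour Colin's reply says an app-friendly policy needs.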