[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ipfilter
Subject:    Re: Handling ICMP packets
From:       kwooding () codetalker ! com
Date:       1999-11-28 19:13:15
[Download RAW message or body]


>The IP Filter how-to seems content filtering ICMP by keeping state,
>however most firewall setups I've seen go into more detail. Is
>filtering by keeping state sufficient or should I be more anal like my
>gut is telling me to do and filter specific ICMP types?

Typically, I do something like the following:
(rules are often duplicated to allow traffic to and from both
the firewall and the screened network)

# ICMP Rules
# fxp1 = evil, fxp0 = good

# Echo (ping) - Allowed outbound
pass out quick proto icmp from any to any icmp-type echo
pass in quick on fxp0 proto icmp from any to any icmp-type echo

pass in quick proto icmp from any to any icmp-type echorep
pass out quick on fxp0 proto icmp from any to any icmp-type echorep

# Destination unreachable - Allowed in for error recovery
pass in quick on fxp1 proto icmp from any to any icmp-type unreach
pass out quick on fxp0 proto icmp from any to any icmp-type unreach

# Source Quench. Can be legit. Allow in both directions, but log
pass in log quick proto icmp from any to any icmp-type squench
pass out log quick proto icmp from any to any icmp-type squench

# Time Exceeded - Allow In for traceroute replies and errors. Allow
#                 fragment reply out for error recovery
pass in quick on fxp1 proto icmp from any to any icmp-type timex
pass out quick on fxp0 proto icmp from any to any icmp-type timex
pass out quick on fxp1 proto icmp from any to any icmp-type timex code 1
pass in quick on fxp0 proto icmp from any to any icmp-type timex code 1

# Parameter Problem - Allow both ways for error recovery
pass in quick proto icmp from any to any icmp-type paramprob
pass out quick proto icmp from any to any icmp-type paramprob

# Experimental Traceroute ICMP reply. Allow in
pass in quick on fxp1 proto icmp from any to any icmp-type 30
pass out quick on fxp1 proto icmp from any to any icmp-type 30

# Block all others
block in log quick proto icmp from any to any
block out log quick proto icmp from any to any

-kj

[prev in list] [next in list] [prev in thread] [next in thread]