Sla.ckers.org
This group should mostly be dealing with how web applications enable networking security issues that are otherwise not there. Everything is being tunneled over port 80 now so what does that enable and how do we fix it? 
ICMP Traffic Handling Via Firewall
Date: June 06, 2008 12:27AM

Currently I have all ICMP packets blocked, incoming and outgoing. I see numerous outgoing attempts to my router and DNS servers. Should I allow these for better network performance, or am I being too paranoid?

I read this a while back: http://securitylabs.websense.com/content/Alerts/1178.aspx and am wary of allowing any outgoing. Is it safe to assume it is OK for me to allow outgoing ICMP to the router and DNS server IPs? If so, what types should be allowed?

Re: ICMP Traffic Handling Via Firewall
Posted by: thrill
Date: June 06, 2008 03:16PM

Damn, I read this very early this morning and was going to reply, but got busy at work.

Anyway, ICMP is a great troubleshooting protocol, so echo out and echo-reply in should be allowed, unless of course you're paranoid like id.

If you do want to lock it down even further though, yes, echo to both your DNS server and upstream router should be allowed, and then deny everything else.

Blocking ICMP based on that posting is wrong. The fact that the trojan used ICMP to transmit the data doesn't mean someone else isn't going to create one to encrypt the data on your system, and then transmit that using udp/tcp, at which point you would have to block all ip traffic. :)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: ICMP Traffic Handling Via Firewall
Posted by: id
Date: June 07, 2008 10:14AM

I would figure out what software is generating the packets, then determine if you want to let it out or not.

-id

Re: ICMP Traffic Handling Via Firewall
Date: June 07, 2008 12:29PM

This is on XP Pro and it's svchost.exe sending the packets to the DNS servers and router, which I would assume is safe since, according to the firewall, it is the same process that connects to the router for DHCP.

The other process that is showing up in the logs is 'Windows Operating System'; as to what is causing that, I don't know. svchost.exe is not showing up anymore in the blocked logs for ICMP. This is Comodo Firewall 3 btw.

UPDATE: I figured out why it was still being blocked, the rule order was wrong, it was blocking all ICMPs except svchost's. Thanks for the info btw guys.



Edited 1 time(s). Last edit at 06/07/2008 12:36PM by CrYpTiC_MauleR.

Re: ICMP Traffic Handling Via Firewall
Posted by: windexh8er
Date: June 23, 2008 09:53AM

ICMP has many facets so you're going to want to be selective.

The first thing to consider is PMTUD (Path MTU Discovery) -- which is a good thing, if ICMP is in the clear for the entirety of the network traversal. If you want to allow PMTUD you're going to want to allow ICMP type 3 in and out. Don't worry -- it's not evil.

The next to consider is source quench (type 8). It basically tells your upstream hop to slow down if needed. So you're going to want to let those out.

Next we have the generic ICMP "ping". We want to be able to ping out and get the reply, but we don't want to let others ping us. Easy... Just allow ICMP type 8 out and type 0 back in.

Lastly we want traceroutes to work (obviously not all traces use ICMP by default -- the real traceroute uses UDP). So to do that all you really need to do is let type 11 back in.

Here's an IPFW example if you need one for all your ICMP needs:
ipfw add 00010 allow icmp from any to any icmptypes 3       // destination unreachable (PMTUD)
ipfw add 00011 allow icmp from any to any icmptypes 4       // source quench
ipfw add 00012 allow icmp from any to any icmptypes 8 out   // echo request, outbound only
ipfw add 00013 allow icmp from any to any icmptypes 0 in    // echo reply, inbound only
ipfw add 00014 allow icmp from any to any icmptypes 11 in   // time exceeded (traceroute)

--windexh8er

Re: ICMP Traffic Handling Via Firewall
Date: June 23, 2008 01:21PM

Thanks windexh8er! Will set this up as advised.

Re: ICMP Traffic Handling Via Firewall
Posted by: id
Date: June 23, 2008 02:32PM

then run tcpdump to watch my icmp-echo-reply trojan work its magic through your firewall!

Seriously though, none of those rules should be needed with a modern firewall as the firewall should keep state on everything including ICMP error messages from UDP and TCP packets.

for example, a lax pf ruleset might say:

pass out proto tcp all flags S/SA keep state

if there is an ICMP host unreachable returned (type 3 code 1) from a firewall as a result of connecting to a host that isn't there, the error packet will be passed back to the source machine through the firewall. (this is just an example, it keeps state for other errors in response to valid TCP or UDP streams as well)

Similarly with ping:

pass out inet proto icmp all icmp-type echoreq keep state

random echo-replies (type 0) will be dropped, but an echo-reply in response to an echo-request sourced from inside the firewall will be passed.

-id
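Added example, not from any of the posters: a small simulation of the two positions in this thread. Policy A is a stateless per-type ACL like windexh8er's ipfw list (types 3 and 4 both ways, 8 out, 0 and 11 in); policy B keeps state the way id describes pf doing it, admitting an echo-reply only if it matches an outstanding request (same id/seq) and an ICMP error only if the datagram it quotes belongs to a connection or ping we actually sent. The packets are constructed in the script (documentation address ranges, unchecksummed headers, nothing on the wire); the stateful class is a simplified model and is not pf's or ipfw's code.

```python
import struct
from ipaddress import IPv4Address

# ICMP types referenced in the thread (RFC 792 numbers)
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
PROTO_ICMP, PROTO_TCP = 1, 6

# --- constructed packets, not captures: minimal IPv4 + ICMP/TCP headers ---
def ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload            # checksum left zero; nothing here goes on the wire

def icmp(type_, code, rest=0, data=b""):
    return struct.pack("!BBHI", type_, code, 0, rest) + data   # rest = id<<16|seq for echo

def tcp_head(sport, dport, seq=1):
    return struct.pack("!HHI", sport, dport, seq)   # first 8 bytes of a TCP header

def parse_ip(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return (str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20])), pkt[9], pkt[ihl:])

# --- policy A: stateless per-type ACL in the style of the ipfw list above ---
STATELESS_ALLOW = {("in", ECHO_REPLY), ("in", DEST_UNREACH), ("out", DEST_UNREACH),
                   ("in", 4), ("out", 4), ("out", ECHO_REQUEST), ("in", TIME_EXCEEDED)}

def stateless_decide(direction, pkt):
    _, _, proto, l4 = parse_ip(pkt)
    if proto != PROTO_ICMP:
        return "pass"                       # only the ICMP part of the ruleset is modelled
    return "pass" if (direction, l4[0]) in STATELESS_ALLOW else "drop"

# --- policy B: keep state; admit only replies/errors that belong to something we sent ---
class StatefulFirewall:
    def __init__(self):
        self.echo = set()      # (src, dst, id, seq) of outbound echo requests
        self.flows = set()     # (src, dst, sport, dport) of outbound TCP connections

    def decide(self, direction, pkt):
        src, dst, proto, l4 = parse_ip(pkt)
        if direction == "out":
            if proto == PROTO_TCP:
                self.flows.add((src, dst) + struct.unpack("!HH", l4[:4]))
                return "pass"
            if proto == PROTO_ICMP and l4[0] == ECHO_REQUEST:
                self.echo.add((src, dst) + struct.unpack("!HH", l4[4:8]))
                return "pass"
            return "drop"
        if proto == PROTO_TCP:              # inbound TCP only if it answers a flow we opened
            sport, dport = struct.unpack("!HH", l4[:4])
            return "pass" if (dst, src, dport, sport) in self.flows else "drop"
        if proto != PROTO_ICMP:
            return "drop"
        if l4[0] == ECHO_REPLY:             # reply must match an outstanding request exactly
            key = (dst, src) + struct.unpack("!HH", l4[4:8])
            if key in self.echo:
                self.echo.discard(key)
                return "pass"
            return "drop"
        if l4[0] in (DEST_UNREACH, TIME_EXCEEDED):
            # errors quote the offending datagram: its IP header + 8 bytes of transport header
            qsrc, qdst, qproto, ql4 = parse_ip(l4[8:])
            if qproto == PROTO_TCP and ((qsrc, qdst) + struct.unpack("!HH", ql4[:4])) in self.flows:
                return "pass"
            if qproto == PROTO_ICMP and ql4[0] == ECHO_REQUEST and \
                    ((qsrc, qdst) + struct.unpack("!HH", ql4[4:8])) in self.echo:
                return "pass"
            return "drop"
        return "drop"

# assumed addresses (documentation ranges, RFC 5737)
HOST, DNS, WEB = "192.0.2.10", "192.0.2.1", "203.0.113.5"
ROUTER, OUTSIDER = "198.51.100.1", "198.51.100.99"

def scenario():
    syn = tcp_head(40000, 443)
    return [
        ("echo request out",          "out", ipv4(HOST, DNS, PROTO_ICMP, icmp(ECHO_REQUEST, 0, 0x1234 << 16 | 1))),
        ("matching echo reply in",    "in",  ipv4(DNS, HOST, PROTO_ICMP, icmp(ECHO_REPLY, 0, 0x1234 << 16 | 1))),
        ("unsolicited echo reply in", "in",  ipv4(OUTSIDER, HOST, PROTO_ICMP, icmp(ECHO_REPLY, 0, 0xBEEF << 16 | 7, b"SECRET DATA"))),
        ("tcp syn out",               "out", ipv4(HOST, WEB, PROTO_TCP, syn)),
        ("related host-unreach in",   "in",  ipv4(ROUTER, HOST, PROTO_ICMP, icmp(DEST_UNREACH, 1, 0, ipv4(HOST, WEB, PROTO_TCP, syn)))),
        ("unrelated host-unreach in", "in",  ipv4(OUTSIDER, HOST, PROTO_ICMP, icmp(DEST_UNREACH, 1, 0, ipv4(HOST, WEB, PROTO_TCP, tcp_head(40001, 443))))),
    ]

def run():
    fw = StatefulFirewall()
    return {label: {"stateless": stateless_decide(d, p), "stateful": fw.decide(d, p)}
            for label, d, p in scenario()}

if __name__ == "__main__":
    for label, verdicts in run().items():
        print(f"{label:28s} stateless={verdicts['stateless']:4s} stateful={verdicts['stateful']}")
```

The two cases where the policies disagree are the ones id is warning about: the unsolicited echo-reply carrying data sails through the per-type ACL because "type 0 in" is unconditional, and a spoofed host-unreachable that quotes a connection the host never opened is accepted the same way. The stateful model drops both because nothing in its tables matches. Real stateful engines (pf, iptables conntrack's RELATED) do the same quoted-header check on ICMP errors, which is why the type-3/11 rules are redundant once state is kept.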

Re: ICMP Traffic Handling Via Firewall
Posted by: thrill
Date: June 23, 2008 02:57PM

I don't have any samples for my Lantastic firewall because it doesn't use ICMP.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: ICMP Traffic Handling Via Firewall
Date: June 23, 2008 04:24PM

OK so what am I to do then? So far I haven't had any connectivity issues blocking all ICMP traffic, but I do notice the log filling up with blocked ICMP packets when using a torrent client. The types are 3 and 11, so should I allow those types incoming and block all outgoing? I'm not worried much about DoS attacks and such, but more worried about data leaving.

Re: ICMP Traffic Handling Via Firewall
Posted by: windexh8er
Date: June 23, 2008 04:25PM

True, they may not be needed... But if you actually want to know what you need and what you don't then you're going to want to get down to the type of ICMP you let in or out. Plus, at this level of ACL you can log at individual lines... It doesn't help someone to just tell them "let the firewall manage this" when they might not understand the different ICMP types to begin with...

Sure -- most firewalls may keep state. But, it's something that can break and/or be circumvented as well.

--windexh8er

Re: ICMP Traffic Handling Via Firewall
Posted by: id
Date: June 23, 2008 05:07PM

My point was those rules make you less secure, the firewall keeps state to keep you more secure and should be used properly.

I don't know the specifics of the Linux firewall, I would be surprised if it didn't have this functionality however.

-id

Re: ICMP Traffic Handling Via Firewall
Posted by: MAdhaTTer-240
Date: July 09, 2008 10:15AM

See, this is why we should team up. With your (assumed) understanding of Web Application, and my understanding of Network/Host Security we could make a powerful (successful) team...

By the way, any stateful iptables will allow ICMP-related errors. If my memory serves me, it's the RELATED state that would let them pass... ie...

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

you would wanna add rules to log crap too.. but that is if you were using something as awesome and powerful as iptables..

Oh yeah, I must say I am a bit concerned after reading this thread... If you are afraid of data leakage, you should look into filtering the size of icmp packets you allow out :O



Edited 2 time(s). Last edit at 07/09/2008 01:18PM by MAdhaTTer-240.
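Added example, not from any poster in the thread: what "filtering the size of ICMP packets you allow out" looks like as an inspection rule, applied to constructed outbound echo requests. It follows the thread's concern about the Websense-reported trojan that carried data in ICMP. Two normal pings (the 32-byte Windows filler and a 56-byte iputils-style payload) pass; a text chunk and a pseudo-random "encrypted" chunk are flagged. The thresholds (128-byte payload ceiling, entropy above 7.0 bits/byte only judged on payloads of 256 bytes or more) and the assumption that iputils' payload starts with an 8-byte timestamp are this example's own choices, not anything the posters specified.

```python
import hashlib
import math
import struct
from collections import Counter

# assumptions for this example: normal pings carry 32 (Windows) or 56 (iputils) bytes,
# so a 128-byte ceiling leaves room; entropy only means something on longer payloads
MAX_ECHO_PAYLOAD = 128
ENTROPY_MIN_LEN = 256
ENTROPY_THRESHOLD = 7.0   # bits per byte; encrypted or compressed data sits near 8.0

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request (type 8) with a zero checksum; never transmitted."""
    return struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload

def inspect_echo(icmp_pkt: bytes) -> dict:
    """Decide whether one outbound ICMP echo request looks like a plain ping."""
    type_, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp_pkt[:8])
    payload = icmp_pkt[8:]
    reasons = []
    if type_ != 8:
        reasons.append("not-echo-request")
    if len(payload) > MAX_ECHO_PAYLOAD:
        reasons.append(f"oversize:{len(payload)}")
    ent = shannon_entropy(payload)
    if len(payload) >= ENTROPY_MIN_LEN and ent > ENTROPY_THRESHOLD:
        reasons.append(f"high-entropy:{ent:.2f}")
    return {"id": ident, "seq": seq, "len": len(payload), "entropy": round(ent, 2),
            "verdict": "drop" if reasons else "pass", "reasons": reasons}

def pseudo_random(n: int, seed: bytes = b"exfil") -> bytes:
    """Deterministic stand-in for ciphertext so the sample is reproducible (constructed)."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

# constructed samples, not captures
SAMPLES = {
    "windows ping":    echo_request(1, 1, b"abcdefghijklmnopqrstuvwabcdefghi"),
    "linux ping":      echo_request(2, 1, bytes(8) + bytes(range(0x10, 0x10 + 48))),
    "file chunk":      echo_request(3, 1, b"user=alice;pass=hunter2;\n" * 40),
    "encrypted chunk": echo_request(4, 1, pseudo_random(512)),
}

def run() -> dict:
    return {name: inspect_echo(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, r in run().items():
        print(f"{name:16s} len={r['len']:4d} H={r['entropy']:.2f} {r['verdict']:4s} {r['reasons']}")
```

On Linux the size half of this is a one-liner with the length match, which counts the whole IP packet (20-byte IP header + 8-byte ICMP header + payload, so 156 for a 128-byte payload): `iptables -A OUTPUT -p icmp --icmp-type echo-request -m length --length 0:156 -j ACCEPT` followed by a drop for the rest. Two caveats a practitioner should weigh: a channel that sends a few bytes per ping stays under any sane ceiling (thrill's point that a determined trojan just moves to another carrier), and a ceiling this low breaks legitimate large pings such as MTU probing with `ping -s`.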

Re: ICMP Traffic Handling Via Firewall
Posted by: MAdhaTTer-240
Date: July 09, 2008 10:25AM

If you want to learn/understand, read the RFC.
http://www.ietf.org/rfc/rfc0792.txt

The icmp-parameters file is also good to read:
http://www.iana.org/assignments/icmp-parameters

Those "Linux Firewall" details are above id. ;)

Re: ICMP Traffic Handling Via Firewall
Posted by: id
Date: July 09, 2008 11:46AM

I can't be bothered with details of inferior things!

-id
