#6, 8th December 2019
CiotBSD:

I agree with you, @jggimi.

Yes, ICMP can be dangerous, but only if you don't know how to use and protect it correctly!
(search for information about the Smurf, Slowloris and Ping of Death attacks)

It's important to filter ICMP traffic: drop a few ICMP codes, return or drop the deprecated codes, and limit the rest.
RFCs and drafts exist; read them!

- https://tools.ietf.org/html/draft-ie...p-filtering-04
- For ICMP: RFC 5927, 6633, 6918; for ICMPv6: RFC 4890 (and certainly others)

see http://www.rfc-editor.org/info/RFCxyz, where 'xyz' is the RFC number

And dropping, returning or limiting with PF is easier than with iptables.

----

If you or your admin read French articles, you can see my articles about this on my older blog:
- https://blog.stephane-huc.net/securi...-firewall-icmp
- https://blog.stephane-huc.net/securi...et-filter/icmp

----

Just as an example, my PF rules for ICMP and ICMPv6 on my laptop, with a drop policy by default, are:

Code:
(…)
icmp_auth = "{ 8 11 12 }"
icmp_block = "{ 4 6 15 16 17 18 31 32 33 34 35 36 37 38 39 }"
(…)
icmp6_auth   = "{ unreach, toobig, timex code 0, timex code 1, paramprob code 1, paramprob code 2, echoreq, routeradv, neighbrsol, neighbradv }"
icmp6_block = "{ 100 101 127 138 139 140 144 145 146 147 150 200 201 }"
icmp6_in  = "{ redir }"
(…)
icmp_sto = "(max-src-conn-rate 10/1)"
(…)
block quick log on egress inet6 proto icmp6 icmp6-type $icmp6_block

block quick on egress inet proto icmp icmp-type 3 code 6
block in quick on egress inet proto icmp icmp-type 3 code 7
block quick on egress inet proto icmp icmp-type 3 code 8
block quick on egress inet proto icmp icmp-type $icmp_block
(….)
block all
pass out
(...)
pass quick log on egress inet6 proto icmp6 icmp6-type $icmp6_auth
pass in quick log on egress inet6 proto icmp6 icmp6-type $icmp6_in
(…)
pass in quick on egress inet proto icmp from any to egress icmp-type 3 code 3    $icmp_sto
pass in quick on egress inet proto icmp from any to egress icmp-type $icmp_auth $icmp_sto

pass out quick on egress inet proto icmp from egress to any icmp-type 3 code 3   $icmp_sto
pass out quick on egress inet proto icmp from egress to any icmp-type $icmp_auth $icmp_sto
(…)

pass out quick on egress inet proto icmp from egress to any icmp-type $icmp_auth $icmp_sto

(…)
# this rule is for traceroute; if it isn't loaded, it's not serious, because traceroute with the '-I' option works correctly.
pass out on egress proto udp from any to any port 33433 >< 33626

Last edited by CiotBSD; 8th December 2019 at 06:35 PM. Reason: add infos about ICMP attacks
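As an added example that is not part of the original post or the poster's own ruleset: a complete default-deny ICMP/ICMPv6 policy for a single OpenBSD host in pf.conf syntax, written from RFC 4890 and the opsec ICMP filtering draft the post points to. It assumes the "egress" interface group and a plain host role (no routing, NDP proxy or Mobile IPv6), and uses max-src-states for the per-source limit, since max-src-conn-rate is defined for TCP states only.

```pf
# Added example, not the poster's ruleset: default-deny ICMP/ICMPv6 policy
# for a single OpenBSD host, in pf.conf syntax, built from RFC 4890 (ICMPv6)
# and the opsec ICMP filtering draft (ICMPv4). Assumes the "egress"
# interface group and a plain host: no routing, NDP proxy or Mobile IPv6.

# Per-source state cap. max-src-states applies to any protocol; the
# max-src-conn and max-src-conn-rate options are defined for TCP states only.
icmp_lim   = "keep state (max-src-states 10)"

# ICMPv4 accepted inbound: errors a host needs. Type 3 only for code 3
# (port unreachable: UDP, traceroute) and code 4 (fragmentation needed:
# path-MTU discovery). Echo is handled by its own rate-limited rule.
icmp_in    = "{ timex, paramprob, 3 code 3, 3 code 4 }"
# Deprecated (RFC 6918) or obsolete types, plus the unknown-net/host codes
# of type 3; blocked early and logged so the sender shows up in pflog.
icmp_drop  = "{ 3 code 6, 3 code 7, 3 code 8, 4, 6, 15, 16, 17, 18, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39 }"

# ICMPv6 errors, RFC 4890 sections 4.3.1 and 4.3.2 (must not / should not
# be dropped).
icmp6_in   = "{ unreach, toobig, timex code 0, timex code 1, paramprob code 0, paramprob code 1, paramprob code 2 }"
# What a host receives for Neighbor Discovery and MLD: MLD query (130),
# RA (134), NS (135), NA (136). RFC 4890 keys these on hop limit 255, which
# pf cannot match, so the source address is left unrestricted here.
icmp6_ndp  = "{ 130, routeradv, neighbrsol, neighbradv }"
# Experimental, reserved, Node Information, Router Renumbering, Mobile IPv6
# and SEAMOBY types: never expected on a host, dropped and logged.
icmp6_drop = "{ 100 101 127 138 139 140 144 145 146 147 150 200 201 255 }"

block drop log quick on egress inet6 proto icmp6 icmp6-type $icmp6_drop
block drop log quick on egress inet  proto icmp  icmp-type  $icmp_drop
block all

# Outbound ICMP keeps state by default, so echo replies and errors caused
# by this host's own traffic return via the state and need no "pass in".
pass out quick on egress inet  proto icmp
pass out quick on egress inet6 proto icmp6

pass in quick on egress inet  proto icmp  to (egress) icmp-type  echoreq  $icmp_lim
pass in quick on egress inet  proto icmp  to (egress) icmp-type  $icmp_in
pass in quick on egress inet6 proto icmp6 to (egress) icmp6-type echoreq  $icmp_lim
pass in quick on egress inet6 proto icmp6 to (egress) icmp6-type $icmp6_in
pass in quick on egress inet6 proto icmp6 icmp6-type $icmp6_ndp
# Redirect (137): accepted only from a link-local source; drop the rule
# entirely if the host has a static default route and no need for it.
pass in quick on egress inet6 proto icmp6 from fe80::/10 icmp6-type redir
```

Load it with "pfctl -nf" first to syntax-check, then watch "tcpdump -n -e -ttt -i pflog0 icmp or icmp6" to see which dropped types actually arrive before tightening further.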