traceroute blocked

[calanon]

I am having problems allowing traceroute through my firewall. I used the following pf rule but when I look at the pflog0 log live traceroute seems to be using different ports:

Code:

pass log proto udp from $mgt to $dmzops port 33433 >< 33626

[jggimi]

What ports are being used? Per traceroute(8), if UDP is used for tracing the default base is 33434. The port number used will be (base port)+(number of hops)*(number of queries)-1.

[CiotBSD]

Even traceroute seems blocked, you can use options to obtain informations, as '-I' or '- P 1'.

Both options use ICMP Echoe message. The second not run with IPv6.
(In fact, it's necessary to pass ICMP messages ; which is highly suggestable)

[victorvas]

Quote:

Originally Posted by CiotBSD

...
(In fact, it's necessary to pass ICMP messages ; which is highly suggestable)

Our admin says ICMP is dangerous and can crash your OS. Is it really that bad?

[jggimi]

Your admin is repeating 35-40 year old advice. I recommend you both read Networking for Systems Administrators by Michael W Lucas.

https://www.amazon.com/Networking-Sy.../dp/B00STLTH74

[CiotBSD]

I agree with you @jggimi.

Yes, ICMP can be dangerous, only if you don't know use and protect correctly!
(search informations about SMURF, SlowLoris, DeathPing attacks)

It's important to filter ICMP trafic, drop few codes ICMP, return or drop the deprecated codes, and limit the rest.
RFC and Draft exist; read them!

- https://tools.ietf.org/html/draft-ie...p-filtering-04
- For ICMP : RFC 5927, 6633, 6918; and for ICMPv6 : RFC4890 (and, certainly others)

see: http://www.rfc-editor.org/info/RFCxyz ; where 'xyz' is number of RFC

And drop, return or limit with PF is more easy than Iptables.

----

If you or your admin read french articles, you can see my article on my oldier blog, about this:
- https://blog.stephane-huc.net/securi...-firewall-icmp
- https://blog.stephane-huc.net/securi...et-filter/icmp

----

Just for example, my rules PF, on my laptop, with drop policies by default, for ICMP and ICMPv6 are:

Code:

(…)
icmp_auth = "{ 8 11 12 }"
icmp_block = "{ 4 6 15 16 17 18 31 32 33 34 35 36 37 38 39 }"
(…)
icmp6_auth   = "{ unreach, toobig, timex code 0, timex code 1, paramprob code 1, paramprob code 2, echoreq, routeradv, neighbrsol, neighbradv }"
icmp6_block = "{ 100 101 127 138 139 140 144 145 146 147 150 200 201 }"
icmp6_in  = "{ redir }"
(…)
icmp_sto = "(max-src-conn-rate 10/1)"
(…)
block quick log on egress inet6 proto icmp6 icmp6-type $icmp6_block

block quick on egress inet proto icmp icmp-type 3 code 6
block in quick on egress inet proto icmp icmp-type 3 code 7
block quick on egress inet proto icmp icmp-type 3 code 8
block quick on egress inet proto icmp icmp-type $icmp_block
(….)
block all
pass out
(...)
pass quick log on egress inet6 proto icmp6 icmp6-type $icmp6_auth
pass in quick log on egress inet6 proto icmp6 icmp6-type $icmp6_in
(…)
pass in quick on egress inet proto icmp from any to egress icmp-type 3 code 3    $icmp_sto
pass in quick on egress inet proto icmp from any to egress icmp-type $icmp_auth $icmp_sto

pass out quick on egress inet proto icmp from egress to any icmp-type 3 code 3   $icmp_sto
pass out quick on egress inet proto icmp from egress to any icmp-type $icmp_auth $icmp_sto
(…)

pass out quick on egress inet proto icmp from egress to any icmp-type $icmp_auth $icmp_sto

(…)
# this rule for traceroute; if not run, it's not grave, because using with option '-I' run correctly.
pass out on egress proto udp from any to any port 33433 >< 33626

[jggimi]

For clarity, allow me to quote a little bit from Networking for Systems Administrators:

Quote:

ICMP handles low-level connectivity messages between hosts. Every host that implements IP must also support ICMP. While ping requests are the most commonly known type of ICMP traffic, many core Internet functions rely on ICMP. If a datalink-layer message (a frame) is too large, the complaint passes over ICMP. ICMP is where hosts respond to ping requests and tell traffic to go around the other way. Unilaterally blocking all ICMP is a good way to break applications.* Most of the time, ICMP runs silently in the background

Quote:

Reducing MTU size below the standard can even break web browsing, especially if ICMP is also blocked. (ICMP is used to exchange MTU errors along a connection path.)

Quote:

Some multi-tier networks have multiple routers in certain broadcast domains. Normally the main router sends an ICMP redirect message when the client tries to reach a host behind a secondary router, telling the client to go to the secondary router for that host....Sometimes ICMP redirects don’t work and you must configure static routes on your hosts. This is often because the network administrator has filtered ICMP redirects in compliance with the “all ICMP is dangerous and must be stopped” myth.

And of course, from the top footnote:

Quote:

* Yes, some network administrators unconditionally block all ICMP from entering or leaving their network. They are almost always wrong.