DaemonForums

#1
6th November 2019
calanon

traceroute blocked

I am having problems allowing traceroute through my firewall. I used the following pf rule, but when I watch the pflog0 log live, traceroute seems to be using different ports:

Code:
# "port a >< b" is an exclusive range: this matches UDP ports 33434 through 33625
pass log proto udp from $mgt to $dmzops port 33433 >< 33626

#2
6th November 2019
jggimi

What ports are being used? Per traceroute(8), if UDP is used for tracing, the default base is 33434. The port number used will be (base port) + (number of hops) * (number of queries) - 1.

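Added example (editor's, not from the thread or from OpenBSD's own code): the arithmetic behind the answer above, in Python. It computes the UDP destination ports a traceroute(8) run can use from the man page formula (ports base through base + hops * nprobes - 1, OpenBSD defaults 33434, 64 and 3), derives the pf "port a >< b" operands (an exclusive range, which is why the thread's rule reads 33433 >< 33626 to match 33434 through 33625), and checks UDP destination ports pulled from pflog0 output against that range. The pflog lines are constructed here in the approximate shape of 'tcpdump -n -e -ttt -i pflog0' output and the parsing pattern is an assumption; ports from a run with -p, -m or -q changed, or from a tool that does not use this scheme, show up as outside the range.

```python
"""Added example (editor's, not from the thread): traceroute's UDP probe port
range, the pf '><' operands that cover exactly that range, and a check of
destination ports seen in pflog0 output against it.

Assumed from traceroute(8), as quoted in the thread: UDP probes are sent to
ports base .. base + hops * nprobes - 1, with OpenBSD defaults of base 33434
(-p), 64 hops (-m) and 3 probes per hop (-q).
"""
import re

DEFAULT_BASE = 33434      # traceroute -p default
DEFAULT_MAX_HOPS = 64     # traceroute -m default
DEFAULT_NPROBES = 3       # traceroute -q default


def probe_port_range(base=DEFAULT_BASE, max_hops=DEFAULT_MAX_HOPS,
                     nprobes=DEFAULT_NPROBES):
    """Inclusive (first, last) UDP destination port a run can send to."""
    return base, base + max_hops * nprobes - 1


def pf_port_operands(first, last):
    """pf's 'port a >< b' matches a < port < b, both ends excluded, so the
    operands sit one outside the inclusive range on each side."""
    return first - 1, last + 1


def pf_udp_rule(src, dst, **traceroute_opts):
    """The pf rule that passes exactly the probe ports for the given options."""
    lo, hi = pf_port_operands(*probe_port_range(**traceroute_opts))
    return f"pass log proto udp from {src} to {dst} port {lo} >< {hi}"


# Destination port of a UDP entry as printed by 'tcpdump -n -e -ttt -i pflog0'.
# The layout assumed here is 'a.b.c.d.SPORT > w.x.y.z.DPORT: udp LEN'.
_PFLOG_UDP = re.compile(r"> \d+\.\d+\.\d+\.\d+\.(\d+): udp \d+")


def udp_dst_ports(pflog_lines):
    """Destination ports of the UDP entries in pflog output, in order."""
    return [int(m.group(1)) for m in map(_PFLOG_UDP.search, pflog_lines) if m]


def ports_outside_rule(ports, lo, hi):
    """Ports that the rule 'port lo >< hi' would not match."""
    return [p for p in ports if not lo < p < hi]


# Constructed pflog lines in the shape above, not captured from anyone's system.
SAMPLE_PFLOG = [
    "Nov 06 13:40:01.000001 rule 12/(match) pass in on em1: 10.10.0.5.40001 > 10.20.0.9.33435: udp 12",
    "Nov 06 13:40:01.000002 rule 12/(match) pass in on em1: 10.10.0.5.40002 > 10.20.0.9.33436: udp 12",
    "Nov 06 13:40:01.000003 rule 12/(match) pass out on em0: 10.20.0.9 > 10.10.0.5: icmp: time exceeded in-transit",
    "Nov 06 13:40:02.000004 rule 12/(match) pass in on em1: 10.10.0.5.40003 > 10.20.0.9.33536: udp 12",
    "Nov 06 13:40:03.000005 rule 0/(match) block in on em1: 10.10.0.5.40004 > 10.20.0.9.34001: udp 12",
]

if __name__ == "__main__":
    print(pf_udp_rule("$mgt", "$dmzops"))
    # A shorter run such as 'traceroute -m 30 -q 1' needs a much narrower range.
    print(pf_udp_rule("$mgt", "$dmzops", max_hops=30, nprobes=1))
    lo, hi = pf_port_operands(*probe_port_range())
    seen = udp_dst_ports(SAMPLE_PFLOG)
    print("UDP destination ports logged:", seen)
    print("outside the default traceroute range:", ports_outside_rule(seen, lo, hi))
```

With the defaults the rule comes out as the one in the first post; with -m 30 -q 1 it shrinks to 33433 >< 33464. Any logged destination port the second check lists was sent by something that does not follow the default scheme, which is the first thing to establish before touching the rule.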
#3
7th November 2019
CiotBSD

Even if traceroute seems blocked, you can use options to obtain information, such as '-I' or '-P 1'.

Both options use ICMP Echo messages. The second does not work with IPv6.
(In fact, it is necessary to pass ICMP messages, which is highly advisable.)

#4
2nd December 2019
victorvas

Quote:
Originally Posted by CiotBSD
...
(In fact, it is necessary to pass ICMP messages, which is highly advisable.)
Our admin says ICMP is dangerous and can crash your OS. Is it really that bad?

#5
2nd December 2019
jggimi

Your admin is repeating 35-40-year-old advice. I recommend you both read Networking for Systems Administrators by Michael W Lucas.

https://www.amazon.com/Networking-Sy.../dp/B00STLTH74

#6
8th December 2019
CiotBSD

I agree with you @jggimi.

Yes, ICMP can be dangerous, but only if you don't know how to use and protect it correctly!
(search for information about Smurf, Slowloris and Ping of Death attacks)

It's important to filter ICMP traffic: drop a few ICMP codes, return or drop the deprecated codes, and limit the rest.
RFCs and drafts exist; read them!

- https://tools.ietf.org/html/draft-ie...p-filtering-04
- For ICMP: RFC 5927, 6633, 6918; and for ICMPv6: RFC 4890 (and certainly others)

see http://www.rfc-editor.org/info/RFCxyz, where 'xyz' is the RFC number

And dropping, returning or limiting with PF is easier than with iptables.

----

If you or your admin read French articles, you can see my articles about this on my older blog:
- https://blog.stephane-huc.net/securi...-firewall-icmp
- https://blog.stephane-huc.net/securi...et-filter/icmp

----

Just as an example, my PF rules for ICMP and ICMPv6 on my laptop, with drop policies by default, are:

Code:
(...)
# ICMP types passed in both directions (rate limited below):
# 8 echo request, 11 time exceeded, 12 parameter problem
icmp_auth = "{ 8 11 12 }"
# Deprecated or obsolete ICMP types, dropped outright
icmp_block = "{ 4 6 15 16 17 18 31 32 33 34 35 36 37 38 39 }"
(...)
# ICMPv6 messages passed in both directions: the errors RFC 4890 says must not be
# dropped, echo request, and the neighbour discovery messages a host needs
icmp6_auth  = "{ unreach, toobig, timex code 0, timex code 1, paramprob code 1, paramprob code 2, echoreq, routeradv, neighbrsol, neighbradv }"
# Experimental, obsolete or unneeded ICMPv6 types, dropped outright
icmp6_block = "{ 100 101 127 138 139 140 144 145 146 147 150 200 201 }"
# ICMPv6 messages passed inbound only
icmp6_in    = "{ redir }"
(...)
# State options for the ICMP pass rules: at most 10 new states per second per source.
# pf requires the "keep state" keyword in front of the parenthesised option list.
icmp_sto = "keep state (max-src-conn-rate 10/1)"
(...)
block quick log on egress inet6 proto icmp6 icmp6-type $icmp6_block

# Deprecated destination unreachable codes:
# 6 network unknown, 7 host unknown (inbound only), 8 source host isolated
block quick on egress inet proto icmp icmp-type 3 code 6
block in quick on egress inet proto icmp icmp-type 3 code 7
block quick on egress inet proto icmp icmp-type 3 code 8
block quick on egress inet proto icmp icmp-type $icmp_block
(...)
# Default policy: block everything, then pass outbound
# (among non-quick rules the last match wins)
block all
pass out
(...)
pass quick log on egress inet6 proto icmp6 icmp6-type $icmp6_auth
pass in quick log on egress inet6 proto icmp6 icmp6-type $icmp6_in
(...)
# Port unreachable (3/3) and the $icmp_auth types, rate limited, to and from this host
pass in quick on egress inet proto icmp from any to egress icmp-type 3 code 3    $icmp_sto
pass in quick on egress inet proto icmp from any to egress icmp-type $icmp_auth $icmp_sto

pass out quick on egress inet proto icmp from egress to any icmp-type 3 code 3   $icmp_sto
pass out quick on egress inet proto icmp from egress to any icmp-type $icmp_auth $icmp_sto
(...)
# This rule is for traceroute; if it does not work it is not serious, because using option '-I' works correctly.
pass out on egress proto udp from any to any port 33433 >< 33626

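Added example (editor's, not from the post or from pf itself): a Python model of how pf evaluates the ICMP and ICMPv6 rules shown above, plus a check of which messages the thread says must get through are covered by an explicit pass rule. The policy is a constructed transcription of the visible rules only (the parts the post elides are unknown and absent); every shown rule is 'quick', so the first match wins, and the 'block all' / 'pass out' pair gives the last-match default for everything else. The list of required messages is an assumption assembled from the thread: Time Exceeded and Port Unreachable for traceroute, Fragmentation Needed and Packet Too Big for path MTU discovery (the MTU point made in the book quote in the next post), and the ICMPv6 errors RFC 4890 section 4.3.1 says must not be dropped. Run against the visible rules it passes every ICMPv6 item and reports one IPv4 message, destination unreachable code 4, as having no explicit pass rule. That is not necessarily a hole: the elided rules may cover it, and pf passes ICMP error messages that refer to an existing TCP/UDP state regardless of these rules, which the model does not simulate.

```python
"""Added example (editor's, not from the post): a model of how pf evaluates the
ICMP and ICMPv6 rules shown above, and a check that the messages the thread
says must get through are passed by an explicit rule.

POLICY is a constructed transcription of the rules visible in the post, in
pf.conf order; the parts elided with '(...)' are unknown and absent.  Not
modelled: pf also passes ICMP error messages that refer to an existing
TCP/UDP state, so "no explicit pass rule" below does not mean "dropped".
"""
from dataclasses import dataclass
from typing import Optional

ANY = None   # a rule written without 'code' matches every code

# pf.conf icmp6-type names used in the post, with their type numbers.
ICMP6 = {"unreach": 1, "toobig": 2, "timex": 3, "paramprob": 4, "echoreq": 128,
         "routeradv": 134, "neighbrsol": 135, "neighbradv": 136, "redir": 137}


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in", "out", or "any" for a rule with no direction
    af: str                # "inet" or "inet6"
    icmp_type: int
    code: Optional[int] = ANY

    def matches(self, direction, af, icmp_type, code):
        return (self.af == af and self.icmp_type == icmp_type
                and self.direction in ("any", direction)
                and (self.code is ANY or self.code == code))


def rules(action, direction, af, types, code=ANY):
    """Expand one pf rule written over a '{ ... }' list of types."""
    return [Rule(action, direction, af, t, code) for t in types]


POLICY = (
    # block quick log on egress inet6 proto icmp6 icmp6-type $icmp6_block
    rules("block", "any", "inet6", [100, 101, 127, 138, 139, 140, 144, 145, 146, 147, 150, 200, 201])
    # the three deprecated destination-unreachable codes; code 7 is blocked inbound only
    + [Rule("block", "any", "inet", 3, 6), Rule("block", "in", "inet", 3, 7), Rule("block", "any", "inet", 3, 8)]
    # block quick on egress inet proto icmp icmp-type $icmp_block
    + rules("block", "any", "inet", [4, 6, 15, 16, 17, 18, 31, 32, 33, 34, 35, 36, 37, 38, 39])
    # pass quick log on egress inet6 proto icmp6 icmp6-type $icmp6_auth
    + rules("pass", "any", "inet6", [ICMP6["unreach"], ICMP6["toobig"]])
    + [Rule("pass", "any", "inet6", ICMP6["timex"], c) for c in (0, 1)]
    + [Rule("pass", "any", "inet6", ICMP6["paramprob"], c) for c in (1, 2)]
    + rules("pass", "any", "inet6", [ICMP6[n] for n in ("echoreq", "routeradv", "neighbrsol", "neighbradv")])
    # pass in quick log on egress inet6 proto icmp6 icmp6-type $icmp6_in
    + [Rule("pass", "in", "inet6", ICMP6["redir"])]
    # pass in/out quick ... icmp-type 3 code 3 and icmp-type $icmp_auth (rate limited in the post)
    + [Rule("pass", "in", "inet", 3, 3)] + rules("pass", "in", "inet", [8, 11, 12])
    + [Rule("pass", "out", "inet", 3, 3)] + rules("pass", "out", "inet", [8, 11, 12])
)

# The post's non-quick rules are 'block all' followed by 'pass out'; among
# non-quick rules the last match wins, so unmatched inbound traffic is blocked
# and unmatched outbound traffic is passed.
DEFAULT_ACTION = {"in": "block", "out": "pass"}


def evaluate(direction, af, icmp_type, code=0, policy=POLICY):
    """Action pf takes on an ICMP message on egress under the rules above."""
    for rule in policy:              # every shown rule is 'quick': first match wins
        if rule.matches(direction, af, icmp_type, code):
            return rule.action
    return DEFAULT_ACTION[direction]


# Messages the thread says must get through: Time Exceeded and Port Unreachable
# for traceroute, Fragmentation Needed / Packet Too Big for path MTU discovery,
# and the ICMPv6 errors RFC 4890 section 4.3.1 says must not be dropped.
REQUIRED = [
    ("in", "inet", 11, 0, "time exceeded in transit (traceroute intermediate hops)"),
    ("in", "inet", 3, 3, "port unreachable (traceroute final hop)"),
    ("in", "inet", 3, 4, "fragmentation needed (IPv4 path MTU discovery)"),
    ("in", "inet6", 1, 4, "destination unreachable, port (RFC 4890 4.3.1)"),
    ("in", "inet6", 2, 0, "packet too big (IPv6 path MTU discovery)"),
    ("in", "inet6", 3, 0, "time exceeded, hop limit (RFC 4890 4.3.1)"),
    ("in", "inet6", 4, 1, "parameter problem, unrecognised next header (RFC 4890 4.3.1)"),
    ("in", "inet6", 4, 2, "parameter problem, unrecognised option (RFC 4890 4.3.1)"),
]


def not_explicitly_passed(policy=POLICY):
    """Required messages that no explicit rule passes (they may still pass by state)."""
    return [(af, t, c, why) for d, af, t, c, why in REQUIRED
            if evaluate(d, af, t, c, policy) != "pass"]


if __name__ == "__main__":
    for d, af, t, c in [("in", "inet", 8, 0), ("in", "inet", 3, 7), ("out", "inet", 3, 7),
                        ("out", "inet", 3, 6), ("in", "inet", 4, 0), ("in", "inet6", 137, 0)]:
        print(f"{d:3} {af:5} type {t:3} code {c}: {evaluate(d, af, t, c)}")
    for af, t, c, why in not_explicitly_passed():
        print(f"no explicit pass rule for {af} type {t} code {c}: {why}")
```

The demo lines show the asymmetries the rules encode: type 3 code 7 is blocked inbound but passed outbound by the 'pass out' default, while type 3 code 6 is blocked in both directions because its rule has no direction. To audit a different rule set, rebuild POLICY from that pf.conf in the same order and rerun not_explicitly_passed().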
#7
8th December 2019
jggimi

For clarity, allow me to quote a little bit from Networking for Systems Administrators:
Quote:
ICMP handles low-level connectivity messages between hosts. Every host that implements IP must also support ICMP. While ping requests are the most commonly known type of ICMP traffic, many core Internet functions rely on ICMP. If a datalink-layer message (a frame) is too large, the complaint passes over ICMP. ICMP is where hosts respond to ping requests and tell traffic to go around the other way. Unilaterally blocking all ICMP is a good way to break applications.* Most of the time, ICMP runs silently in the background
Quote:
Reducing MTU size below the standard can even break web browsing, especially if ICMP is also blocked. (ICMP is used to exchange MTU errors along a connection path.)
Quote:
Some multi-tier networks have multiple routers in certain broadcast domains. Normally the main router sends an ICMP redirect message when the client tries to reach a host behind a secondary router, telling the client to go to the secondary router for that host....Sometimes ICMP redirects don’t work and you must configure static routes on your hosts. This is often because the network administrator has filtered ICMP redirects in compliance with the “all ICMP is dangerous and must be stopped” myth.
And of course, from the top footnote:
Quote:
* Yes, some network administrators unconditionally block all ICMP from entering or leaving their network. They are almost always wrong.