Allowing ICMP Traffic

It is all well and good having a secure firewall, but you still need to be able to receive ICMP traffic so that your users, you, and other Internet users are aware if there is a problem.

Internet Control Message Protocol (ICMP) is integral to the working of the Internet. ICMP is used to send status and error messages about the state of the network to interested parties. For example, when you ping a machine, the ping packet and its echo are sent over ICMP. If you cannot access a machine because its network connectivity is not working, you are told this over ICMP, which your application interprets as meaning that the destination is unreachable, and you are likely to see the message "Destination Unreachable."

One traditional cracker attempt to subvert your network is to issue an ICMP redirect message. This tells a server that a route is unavailable and traffic for that destination should be routed through another destination.

As a minimum, you should allow destination unreachable, source quench (when you need to send smaller packets), and Time to Live (TTL) errors, which is when the packet has traveled through too many routers without reaching its destination. It is up to you if you want to allow ping requests or not. Traditionally, you do not enable these as it gives malicious users another tool during initial investigation for an attack.

To allow these types of ICMP traffic, you need to allow inbound ICMP and some outbound ICMP packets:

bible:~# iptables -I INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

bible:~# iptables -I INPUT -p icmp --icmp-type source-quench -j ACCEPT bible:~# iptables -I INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

For each ICMP protocol type you have allowed, you are accepting incoming (that is, destined for the firewall) ICMP traffic that reports destination unreachable, source quench, and TTL exceeded.

Was this article helpful?

0 0

Post a comment