Re: ICMP

From: Martti Laakso (marvin@nic.fi)
Date: 05/31/02


From: Martti Laakso <marvin@nic.fi>
Date: Fri, 31 May 2002 02:26:47 +0300

Hello again!

Thank you both for your answers. After reading a bunch of documents (again)
I was pleasantly surprised how politely you answered my newbie, misguided
questions. :)
Got it filtering now properly...

I read somewhere type 11 could be used to scan the computers on the
internal network, so that's why I thought it would be a good idea.
I still can traceroute from the firewall machine so that shouldn't
be a problem.

What other things would be a good idea to block?
Could anyone recommend a program with which it would be easy to test
these scripts for obvious security holes?

-Martti

Eirik Seim wrote:
> On Sat, 18 May 2002 16:19:18 +0300, Martti Laakso wrote:
>
>> Hi!
>>
>> Thought this group might shed some light on this subject.
>> I recently setup a iptable nat system on my linux box, with a firewall
>> script from:
>>
>> http://www.e-infomax.com/ipmasq/howto/examples/rc.firewall-2.4-stronger
>>
>> I added below the dropchain section the line:
>>
>> REJECT_ICMP="11 13 14 15 16"
>>
>> Still in the internal network one of the windows machines with zone alarm
>> reported:
>>
>> FWIN,2002/05/16,16:24:04 +3:00 GMT,193.229.33.1:0,192.168.1.15:0,ICMP
>> (type:11/subtype:0)
>>
>> so why isn't the firewall rejecting all 11 (time-exceeded/ttl-exceeded)
>> icmp packets? And why/is it trying port 0?
>
>
> The other poster might be correct about the fact that you don't have a reject
> rule for this. As for your other question, there is nothing called 'port'
> when it comes to ICMP. You have ICMP "type" and "code". The sample from
> your log you've provided here is an ICMP type 11 code 0: "time exceeded,
> TTL equals 0 during transit", as opposed to "..during reassembly", which
> would be a type 11 code 1.
>
> If you referred to the ":0" part, I guess this is how your firewall says
> "no port".
>
> That said, I don't understand why you want to filter type 11, as this is
> useful for traceroutes. If you never need to trace a route, then go
> ahead. But if filtering for security, I'd worry more about type 5 and 9.
>
>
> - Eirik
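As an added example (not code from the thread or from the rc.firewall script), here is a small Python parser for ZoneAlarm FWIN lines like the one Martti posted: it names the ICMP type/code the way Eirik does, flags inbound types 5 and 9, and reports when a type listed in REJECT_ICMP still reached an inside host. The regex, the function names and the two extra sample lines are my own constructions.

```python
import re
# ICMPv4 type/code names for the types the thread discusses (RFC 792, RFC 1256).
ICMP_NAMES = {
    (5, None): "redirect",
    (9, 0): "router advertisement",
    (11, 0): "time exceeded in transit (TTL reached 0)",
    (11, 1): "fragment reassembly time exceeded",
    (13, 0): "timestamp request", (14, 0): "timestamp reply",
    (15, 0): "information request", (16, 0): "information reply",
}
# Types to drop from outside regardless of the rest of the policy: a redirect (5)
# changes a host's routes and a router advertisement (9) can set its default gateway.
RISKY_INBOUND_TYPES = {5, 9}
# The list Martti added to the script, parsed from its original "11 13 14 15 16" form.
REJECT_ICMP = [int(t) for t in "11 13 14 15 16".split()]

# ZoneAlarm FWIN line: FWIN,date,time tz,src:port,dst:port,ICMP (type:T/subtype:C)
# The ':0' after each address is ZoneAlarm's "no port" for ICMP, so it is not kept.
FWIN_RE = re.compile(
    r"^FWIN,(?P<date>[^,]+),(?P<time>[^,]+),(?P<src>[^:,]+):\d+,(?P<dst>[^:,]+):\d+,"
    r"ICMP \(type:(?P<type>\d+)/subtype:(?P<code>\d+)\)$"
)

def icmp_name(icmp_type, icmp_code):
    """Name a type/code pair; a None code in the table matches every code of that type."""
    return (ICMP_NAMES.get((icmp_type, icmp_code))
            or ICMP_NAMES.get((icmp_type, None))
            or f"type {icmp_type} code {icmp_code}")

def parse_fwin(line):
    """Return {'src', 'dst', 'type', 'code'} for an FWIN ICMP line, or None if it does not match."""
    m = FWIN_RE.match(line.strip())
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "type": int(m["type"]), "code": int(m["code"])}

def assess(ev, reject_icmp):
    """'alert' for routing-altering types, 'rule-gap' if a rejected type still got through, else 'info'."""
    name = icmp_name(ev["type"], ev["code"])
    if ev["type"] in RISKY_INBOUND_TYPES:
        return "alert", f"{name} from {ev['src']} can alter routing on {ev['dst']}"
    if ev["type"] in reject_icmp:
        return "rule-gap", f"{name} reached {ev['dst']} although type {ev['type']} is in REJECT_ICMP"
    return "info", name

# First line is Martti's from the thread; the other two are constructed (198.51.100.0/24 is a documentation range).
SAMPLE_LINES = [
    "FWIN,2002/05/16,16:24:04 +3:00 GMT,193.229.33.1:0,192.168.1.15:0,ICMP (type:11/subtype:0)",
    "FWIN,2002/05/16,16:25:10 +3:00 GMT,198.51.100.7:0,192.168.1.15:0,ICMP (type:5/subtype:1)",
    "FWIN,2002/05/16,16:26:30 +3:00 GMT,198.51.100.7:0,192.168.1.15:0,ICMP (type:11/subtype:1)",
]
```

Running `assess(parse_fwin(line), REJECT_ICMP)` over the samples gives "rule-gap" for Martti's line, "alert" for the constructed redirect and "rule-gap" for the reassembly time-out.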
