Re: Blocked incoming ICMP, getting outgoing ICMP [3] Destination Unreachable

On Sat, 25 Feb 2006, in the Usenet newsgroup comp.security.firewalls, in article
<dtov45$48d$1@xxxxxxxxxxxxx>, Dubious Dude wrote:

I have a rule in Kerio Personal firewall to block incoming ICMP [8]
(Echo Request)

Whatever

and [30] Traceroute.

Wrong. ICMP Type 30 was an experimental protocol - see RFC1393. If you
are trying to block windoze imitation version of traceroute, your block of
ICMP type 8 already does so. The real LBL traceroute uses UDP, defaulting
to ports 33434 and above. There is also a TCP version of traceroute which
defaults to probing port 80.

I am still getting outgoing ICMP [3] Destination Unreachable. Doesn't [3]
need an incoming ICMP to provoke it?

See RFC0792 - specifically the last paragraph on page 1. Then grab a copy
of RFC1122 and 1180, and learn how networking operates. BRIEFLY, when a
remote host tries to connect to a port that has no server running, the
network stack (part of the operating system kernel) will either return a
ACK/RST TCP packet (see my reply in the thread "Please help me interpret
a suspicious netstat SYN_SENT TCP port 1058 ?") which says "I heard you,
but go away", or it returns an ICMP Type 3 Code 3 error which says
"Nobody here at that port". Either one ends the conversation.

If you think that not responding to any Internet traffic is the way to
go (Gibson's so-called "stealth mode"), you really need to look at the
concept of traceroute again, to see why such action is a waste of your
bandwidth.

Old guy
.

Relevant Pages

  • Fixed Dest Port for traceroute(8)
    ... UDP and TCP traceroutes. ... on the transport layer destination port. ... increments the port with each packet sent out. ... screws up our ability to traceroute a specific port. ...
    (freebsd-net)
  • Re: Ports to block for CheckPoint Firewall?
    ... > did not know we left port 1434/UDP open in the firewall, ... in/out on port 1434. ... Allow ICMP type 3 incoming; ... Block UDP NetBIOS 135-139 in/out ...
    (comp.security.firewalls)
  • Dead Thread: New piece of spyware?
    ... to all posters PLEASE do some homework before posting. ... port and include packet traces. ... get the ICMP type and code information. ...
    (Incidents)
  • Re: Trying to get ping to work through iptables.
    ... On Jan 6, 2009, at 9:56 AM, Martin McCormick wrote: ... Depending on what your needs are, I would block all ICMP packets except echo-request/reply and possibly traceroute. ... ICMP type 30 is "traceroute", which, again, you may substitute for '30' if you wish. ... rather than a rule in the chain. ...
    (Ubuntu)
  • Re: help with analysis of firewall log
    ... >> port attempts protocol explanation ... > My guess is this one is actually ICMP type 8, and not a port. ... the raw iptables log indicates it is UDP port 8. ...
    (comp.os.linux.security)