Most enterprise firewalls block all traffic not explicitly allowed by a rule. Because of this, people often fail to make proper allowances for ICMP in their firewall rules.

The IETF has a great set of guidelines on ICMP filtering here: http://tools.ietf.org/html/draft-ietf-opsec-icmp-filtering-04

Some network guys will say, “I don’t want this server to be pinged or scanned from the internet, so I’m blocking ICMP.” Don’t be one of those guys. ICMP does more than just ping. ICMP provides a variety of other message types that help TCP/IP manage connections more efficiently. Blocking all ICMP reduces performance. Also, tools like nmap, as well as certain versions of traceroute, do not even need ICMP to successfully scan hosts and trace routes!

A better approach to firewalling ICMP:

Block the following ICMP message types:

Type Code Description Reason to Block
3 6 Destination Network Unknown denial-of-service, deprecated
3 7 Destination Host Unknown denial-of-service
3 8 Source Host Isolated denial-of-service, deprecated
4 0 Source Quench throughput-redirection attacks
http://tools.ietf.org/html/rfc5927
15 0 Information Request Message os / device fingerprinting, deprecated
16 0 Information Reply Message os / device fingerprinting, deprecated

Most of these have been deprecated out of either security concerns or obsolesence. This traffic can be safely dropped.

Rate-Limit all other ICMP message types.

Even though these message types are important to TCP/IP functioning properly, they can still be a vector for denial-of-service attacks if not rate-limited by the firewall device. A traffic shaping algorithm like HFSC or PRIQ can be used to limit bandwidth for specific types of traffic.

BONUS

While setting up your rate limiters, it is a good idea to create a small queue for TCP acknowledgements (ACK). This will make more efficient use of your bandwidth by ensuring that ACK packets arrive in a timely fashion–even during link saturation. Without an ACK reservation, senders may end up re-sending TCP packets that have already been received due to the corresponding ACK being dropped.

For those who insist on blocking ICMP, at the very least allow ICMP Type 3, Code 4 messages through the firewall for Path MTU Discovery. Without path MTU discovery, a TCP/IP session could be established with a larger packet size than what some devices in the route can handle.


← Older   Newer →

Leave a Reply


<a href="" title="">, <abbr title="">, <acronym title="">, <b>, <blockquote cite="">, <cite>, <code>, <del datetime="">, <em>, <i>, <q cite="">, <s>, <strike>, <strong>