ICMP Filtering on a firewall

A. These ICMP types are nice to allow:

# echo reply inbound:
# echo request:

B. You really need to allow these, or else your network is not RFC-compliant and is quite broken, prone to mysterious problems that manifest themselves in strange, hard-to-troubleshoot ways, such as path MTU discovery failing. As a side note, if you have hanging TCP connections, the old culprit used to be ICMP filtering and path MTU black holes, but an unrelated problem with TCP window scaling, and firewalls that filter these options on the IP packets of the TCP connection setup, may be at fault.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080742d6e.shtml

From the doc:

dropped TCP connections [are] caused by some versions of PIX software not supporting the TCP Window Scaling option. This causes it to have a much smaller TCP window than the endpoints actually have. This causes the Cisco PIX to drop packets that it believes are outside the TCP window, but which really are not.

# Inbound can't fragment, among other messages:
# ttl exceeded:
# general parameter problem:

C. Here is the ruleset Richweb uses for ICMP, which works quite well. You could translate this to whatever firewall OS you use. The rules are issued from a Perl script; $FW holds the path to the iptables binary.

use strict;
use warnings;

my $FW = '/sbin/iptables';   # path to iptables; adjust for your system

# echo reply inbound:
print qx{$FW -t filter -A INPUT -p icmp --icmp-type 0 -j ACCEPT};

# Inbound can't fragment, among other messages:
print qx{$FW -t filter -A INPUT -p icmp --icmp-type 3 -j ACCEPT};

# Inbound source quench - no longer needed 2007/12/31:
# print qx{$FW -t filter -A INPUT -p icmp --icmp-type 4 -j ACCEPT};

# echo request:
print qx{$FW -t filter -A INPUT -p icmp --icmp-type 8 -j ACCEPT};

# ttl exceeded:
print qx{$FW -t filter -A INPUT -p icmp --icmp-type 11 -j ACCEPT};

# general parameter problem:
print qx{$FW -t filter -A INPUT -p icmp --icmp-type 12 -j ACCEPT};

# drop all other icmp:
print qx{$FW -t filter -A INPUT -p icmp -j DROP};
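The same policy translated to a plain iptables shell script, as an added example that is not Richweb's own code. It keeps the allow list above (types 0, 3, 8, 11, 12, everything else dropped) and adds two defender-side refinements that iptables makes easy: ICMP errors belonging to a tracked connection are accepted via conntrack, so PMTUD and TTL-exceeded messages for your own flows get through even if the explicit list is later tightened, and echo requests are rate-limited so a ping flood cannot load the host. The iptables path and the limit values are assumptions; DRY_RUN defaults to 1 so the script only prints the rules until you set it to 0.

```shell
#!/bin/sh
# Added example (not part of the original page): the Richweb ICMP policy as an
# iptables shell script, with conntrack acceptance and a rate limit on echo requests.

IPT="${IPT:-/sbin/iptables}"   # path to iptables; adjust for your system (assumption)
DRY_RUN="${DRY_RUN:-1}"        # 1 = print the rules, 0 = apply them

# Run or print one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Emit the inbound ICMP policy in the order iptables will evaluate it.
icmp_rules() {
    # ICMP errors tied to a connection we already track: can't-fragment (3/4) for
    # PMTUD, TTL exceeded for our own traceroutes, and so on.
    ipt -t filter -A INPUT -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # Explicit allows for the types the page lists, still needed for the stateless
    # cases (e.g. a fragmentation-needed message for a flow conntrack has already aged out).
    ipt -t filter -A INPUT -p icmp --icmp-type 0 -j ACCEPT    # echo reply
    ipt -t filter -A INPUT -p icmp --icmp-type 3 -j ACCEPT    # unreachable, incl. code 4 (can't fragment)
    ipt -t filter -A INPUT -p icmp --icmp-type 11 -j ACCEPT   # ttl exceeded
    ipt -t filter -A INPUT -p icmp --icmp-type 12 -j ACCEPT   # parameter problem

    # Echo request: allow, but cap the rate (5/s with a burst of 20 is an assumption; tune it).
    ipt -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit 5/second --limit-burst 20 -j ACCEPT
    ipt -t filter -A INPUT -p icmp --icmp-type 8 -j DROP

    # Everything else (source quench, redirects, timestamp requests, ...) is dropped.
    ipt -t filter -A INPUT -p icmp -j DROP
}

# Number of rules the policy produces, counted from a dry run; a quick sanity check.
icmp_rule_count() {
    ( DRY_RUN=1; icmp_rules ) | wc -l | tr -d ' '
}

icmp_rules
```

Run it once with DRY_RUN=1 and read the output before applying; the conntrack rule must stay first so that errors for live flows are not hit by the later rate limit, and the final DROP must stay last. On a box that does not load conntrack, remove the first rule and the explicit type list still reproduces the original Perl policy.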

Here is a proper ruleset and config for a Cisco ASA firewall:

access-list inet_in extended permit icmp any any time-exceeded
access-list inet_in extended permit icmp any any unreachable
access-list inet_in extended permit icmp any any echo-reply
access-list inet_in extended permit icmp any any echo

policy-map global_policy
 class inspection_default
  inspect icmp

access-group inet_in in interface outside
