Some ICMP types should be filtered or at least rate-limited. In OpenWrt you have SYN flood protection and rate limiting, but does it apply to ICMP as well?
By default no rules are set in /etc/config/firewall for ICMP except for IPv6 (required for it to work properly). The fact that there are no default rules for ICMPv4 makes me think that it isn't that important or that it's somehow implemented. MTU discovery is important for network performance after all, so should I start making some rules for ICMP (allow/forward/reject|block) or just leave it alone? (Maybe there's an iptables rule, like using conntrack to allow further ICMP connections but only for established connections?)
As for the rules themselves, according to IETF and as far as I can see, it requires quite a number of rules for outgoing/forwarded/incoming ICMP protocol connections. Is that too much for just one protocol? (ICMPv6 has quite a few already.)
I have the feeling that these guidelines are meant for routers and firewalls forwarding general traffic, not for client routers, which mostly NAT.
MTU discovery will most likely not work, because not all routers on the path will support it. So there is not much you can do but send with the link MTU and let the routers on the way fragment accordingly.
Finally, OpenWrt comes with a firewall tuned to allow the minimum possible exposure to the internet. It's up to you to fine-tune it to your needs.
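For concreteness, this is what per-type ICMPv4 handling looks like in /etc/config/firewall. It is an added example, not code from the original posts and not the OpenWrt default rule set verbatim; the rule names, the limit values and the selection of types are assumptions. It uses the same `config rule` / `list icmp_type` syntax as the IPv6 rule quoted later in the thread, together with the `option limit` and `option limit_burst` rate-limit options that fw3/fw4 understand.

```text
# Added example (not OpenWrt's shipped config): rate-limited ping plus
# the ICMPv4 error types that path-MTU discovery and traceroute rely on.
# Rule names, limits and the type list are assumptions.

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	option family 'ipv4'
	# token bucket: packets over the limit do not match this rule and
	# fall through to the wan zone's input policy (REJECT by default)
	option limit '10/sec'
	option limit_burst '5'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv4-Errors'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'fragmentation-needed'   # destination-unreachable code 4, PMTUD
	list icmp_type 'time-exceeded'          # TTL expiry, what traceroute uses
	list icmp_type 'parameter-problem'
	option family 'ipv4'
	option limit '50/sec'
	option target 'ACCEPT'
```

Two things to keep in mind when adopting this. The ruleset OpenWrt generates already accepts RELATED/ESTABLISHED traffic before the per-rule entries are reached, so an ICMP error that conntrack can tie to a flow it is tracking (the usual case for a NAT router) gets in even without the second rule; the explicit rule only matters for errors conntrack cannot associate with a flow. And because `option limit` is a match rather than an action, there is no separate "drop the excess" step: whatever exceeds the rate simply hits the zone's input policy. Check the result with `fw3 print` (mentioned later in the thread) to see the generated `-m limit` matches.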
Thank you, I'm not informed enough; it's just that I've found some information online about blocking ICMP, and some sources said to block it more specifically. Searching a bit more led me to the sources I cited. I tried to search the forums and the documentation and didn't find anything specific, so I tried asking about it. So thank you again.
I've probably deleted the ICMPv4 ping rule, sorry about that; since it was mostly unmodified I thought it was the default.
OK, so is it related to the point that ESTABLISHED connections will allow further ICMP requests within the same session? This is just to make sure I understood you.
I didn't see rate limits anywhere in my firewall file, and it doesn't seem like you can specify rate limiting unless you use netfilter, or maybe there are such rules in the output of fw3 print; so to my understanding you can't specify such rules in /etc/config/firewall.
```
# /etc/config/firewall fragment as posted; the 'config rule' section
# header is implied by the options that follow
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
```
This one is the default, unless I changed the limit a long time ago and forgot about it.