Firewall filtering - ICMP IPv4 fine-tuning

According to some sources on the internet:
https://tools.ietf.org/html/draft-ietf-opsec-icmp-filtering-04#section-2 (2013-2014)
https://www.net.in.tum.de/fileadmin/TUM/NET/NET-2016-09-1/NET-2016-09-1_01.pdf (2016)

IANA ICMP codes for reference:
https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xml#icmp-parameters-types

Some ICMP types should be filtered or at least rate-limited. In OpenWrt you have SYN flood protection and rate limiting, but do they apply to ICMP as well?

By default no rules are set in /etc/config/firewall for ICMP except for IPv6 (required for it to work properly). The fact that there are no default rules for ICMPv4 makes me think that it isn't that important or that it's somehow implemented. MTU discovery is important for network performance after all, so should I start making some rules for ICMP (allow/forward/reject|block) or just leave it alone? (Maybe there's an iptables rule, like using conntrack to allow further ICMP connections but only for established connections?)

As for the rules themselves, according to the IETF and as far as I can see, it requires quite a number of rules for outgoing/forwarded/incoming ICMP connections. Is that too much for just one protocol? (ICMPv6 has quite a few already.)

That's untrue. Ping is allowed.

The received ICMP error would be related traffic to the current session in question, so no rule would be needed.

Since your premises are incorrect...I honestly don't understand the rant.

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

SYNs relate to TCP packets...and I only see rate limits on certain default rules (some of which happen to be ICMP)...so you lost me again...

1 Like

I have the feeling that these guidelines are meant for routers and firewalls forwarding general traffic, not for client routers, which mostly NAT.

MTU discovery will not work most likely, because not all routers on the path will support that. So there is not much you can do but send with the link MTU and let the routers on the way fragment accordingly.

Finally, OpenWrt comes with a firewall tuned to allow the minimum possible exposure to the internet. It's up to you to fine-tune it to your needs.

2 Likes

Thank you, I'm not informed enough. It's just that I've found some information online about blocking ICMP; some sources said to block it more specifically. Searching a bit more led me to the sources I cited. I tried to search the forums and the documentation and I didn't find anything specific, so I tried asking about it. So thank you again.

1 Like

I've probably deleted the ICMPv4 ping rule, sorry about that; since it was mostly unmodified I thought it was the default.

OK, so is it related to the point that ESTABLISHED connections will allow further ICMP requests within the same session? This is just to make sure I understood you.

I didn't see rate limits anywhere in my firewall file, and it doesn't seem like you can specify rate-limiting, unless you use netfilter, or maybe there are such rules in the output of fw3 print, so to my understanding you can't specify such rules in /etc/config/firewall.

Why not?


config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

This one is the default, unless I changed the limit long time ago and I forgot about it.

2 Likes
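For readers who want the IPv4 counterpart the thread keeps circling around, here is an added example of a rate-limited ICMPv4 input rule in /etc/config/firewall syntax. It is not a rule from the thread or from the OpenWrt defaults; the rule name, the limit values and the chosen set of types are this example's own choices. The types listed are the ones the cited draft treats as needed for a working host (ping, destination-unreachable including fragmentation-needed for PMTU discovery, time-exceeded and parameter-problem), and the `limit` / `limit_burst` options are the same ones the default ICMPv6 rule uses.

```uci
# Constructed example for /etc/config/firewall (fw3), not part of the thread.
# IPv4 counterpart of the default Allow-ICMPv6-Input rule above.
# ICMP errors that belong to an existing TCP/UDP/ICMP session are already
# accepted by the zone's RELATED,ESTABLISHED conntrack match, so this rule
# mainly governs ICMP that arrives with no matching conntrack entry
# (for example pings addressed to the router itself).
config rule
	option name 'Allow-ICMPv4-Input'
	option src 'wan'
	option proto 'icmp'
	# echo-reply is normally accepted as ESTABLISHED for pings the router
	# itself sent; it is listed here only so the rule is complete on its own.
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	# type 3 covers all codes, including fragmentation-needed (code 4)
	list icmp_type 'destination-unreachable'
	list icmp_type 'time-exceeded'
	list icmp_type 'parameter-problem'
	# limit values are this example's choice; tune to the link
	option limit '1000/sec'
	option limit_burst '5'
	option family 'ipv4'
	option target 'ACCEPT'
```

After `/etc/init.d/firewall reload`, `fw3 print` shows the generated iptables rule for the wan input chain with a `-m limit --limit 1000/sec --limit-burst 5` match, which is the easiest way to confirm that the rate limit is actually applied. This rule only matches traffic destined for the router; forwarded ICMP between zones would need a separate rule with `option dest`, or can simply be left to the RELATED,ESTABLISHED handling described in the thread.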

It's the default, thank you.

1 Like

I would word it differently:

"It will allow ICMP-based error messages related to the same session to be received/forwarded."

See the information in the "RELATED" portion of Table 7-1 here: https://www.linuxtopia.org/Linux_Firewall_iptables/x1347.html

1 Like
