Other ICMP types and portscans

sidetone

Daemon


I don't fully understand ICMP. Some Internet servers, as I've read, can function perfectly with ICMP completely blocked, but I don't necessarily want to block them all in my firewall.

Which ICMP types can be completely blocked (from any direction) to mitigate portscans?

Would blocking all ICMP (IPv4) types except echoreq (ping if needed for testing), and unreach restrict other typical needed protocols like for email and browsing?

icmp(4) is helpful that it lists ICMP types.

This is not a firewall specific question, I'm using PF, but this is also for IPFW or other firewalls.
 

kpa

Beastie's Twin


Google for "Path MTU discovery" and it all should become clearer why blocking ICMP can be really bad.
 
sidetone (OP)

Daemon


MTU path discovery uses the ICMP type unreach for IPv4. It doesn't specify if echoreq is also for MTU too. I'll go with allowing 'unreach' and maybe 'echoreq' for now.

For IPv6 it also uses timex and paramprob. Certain instances of IPv6 like server/client setups use routeradv, routersol, and neighbrsol. This is in the Book of PF, but it doesn't fully explain itself.

I looked it up, and MTU discovery is good for communicating to the sender that it received the message, so it doesn't send another one redundantly.
 

SirDice

Administrator
Staff member
Moderator


Which ICMP types can be completely blocked (from any direction) to mitigate portscans?
Blocking ICMP won't mitigate portscans ;)

Nothing will, really. All you can do is make sure ports are closed and not accessible from the internet. But that won't stop portscans, at all.
 

Oko

Daemon


Code:
pass inet proto icmp all icmp-type 8 code 0
pass inet proto icmp all icmp-type unreach code needfrag
This is what I typically pass. icmp-type 8 is ping. Check out the man page icmp(4) for the list of types and codes.
 
sidetone (OP)

Daemon


They'll portscan as much as they want, I just want to reduce the ability for them to find open ports.

Here's what I was trying:
Code:
icmptypes="{ echoreq unreach }"
#....
block proto icmp no state
pass out inet proto icmp icmp-type $icmptypes keep state
echoreq is for ping, and unreach is for MTU path discovery on IPv4. I know the types are listed in the manpage, but adding codes to this looks good.

IPv6 requires more icmp-types for MTU and server-client configurations to get past the firewall, as I've described above; see icmp6(4).
 

Oko

Daemon


They'll portscan as much as they want, I just want to reduce the ability for them to find open ports.

Here's what I was trying:
Code:
icmptypes="{ echoreq unreach }"
#....
block proto icmp no state
pass out inet proto icmp icmp-type $icmptypes keep state
echoreq is for ping, and unreach is for MTU path discovery on IPv4. I know the types are listed in the manpage, but adding codes to this looks good.

IPv6 requires more icmp-types for MTU and server-client configurations to get past the firewall, as I've described above; see icmp6(4).

Be careful with my syntax. I am not using FreeBSD. The above is written on OpenBSD which is much newer.
 
sidetone (OP)

Daemon


From our PF examples, a lot is the same in the rules section. Numbers and names can be mixed in. Does the newer PF require commas in lists? I omit arguments if they are not necessary; the simpler, the better. There are differences, but the book shows them, and they're mostly outside of the rules section.

In my rule, I blocked icmp in both directions (by omitting in and out), then put "no state" to prevent anything from coming back if I sent it out, to differ from a previous rule. "keep state" was to allow connections in that I initiated for those icmp(4) types to override the line before it.
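As an added example (not a ruleset posted by anyone in this thread, nor one shipped by the FreeBSD or OpenBSD projects), here is a complete ICMP section in FreeBSD PF syntax that ties the thread together: ICMP and ICMPv6 are blocked by default in both directions, outgoing ping is passed with state so the reply can come back, the two messages Path MTU Discovery depends on (unreach/needfrag for IPv4, toobig for IPv6) are passed in, and IPv6 Neighbor Discovery is passed on the link. The interface name em0 is an assumption; the type and code names are the ones listed in icmp(4), icmp6(4) and pf.conf(5).

```pf
# Added example, not from the thread or from FreeBSD/OpenBSD.
# Assumed external interface name.
ext_if = "em0"

# IPv4: echo request for our own pings. Destination Unreachable with
# code "fragmentation needed" (type 3, code 4) is what PMTUD relies on
# and is passed separately below, with its code restricted.
icmp_types = "{ echoreq }"

# IPv6: toobig plays the needfrag role; timex and paramprob are the
# other error messages a host should see. The nd_types are Neighbor
# and Router Discovery, without which IPv6 on the local link does not
# work at all.
icmp6_types = "{ echoreq, toobig, timex, paramprob }"
nd_types    = "{ neighbrsol, neighbradv, routersol, routeradv }"

# PF evaluates rules last-match-wins, so the default drop goes first.
# A block rule never creates state; "log" sends the dropped types to
# pflog so the policy can be tuned by looking at what actually arrives.
block log on $ext_if proto { icmp, icmp6 }

# Outbound pings: the state entry lets the matching echo reply back in
# and nothing else.
pass out on $ext_if inet  proto icmp  icmp-type  $icmp_types  keep state
pass out on $ext_if inet6 proto icmp6 icmp6-type $icmp6_types keep state

# Inbound PMTUD signalling, so a path with a smaller MTU does not
# silently black-hole large segments of our TCP connections. Only the
# needfrag code of unreach is accepted, not the whole unreach type.
pass in on $ext_if inet  proto icmp  icmp-type unreach code needfrag no state
pass in on $ext_if inet6 proto icmp6 icmp6-type toobig no state

# Neighbor Discovery is link-local and is needed in both directions.
pass on $ext_if inet6 proto icmp6 icmp6-type $nd_types no state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and be aware of the OpenBSD/FreeBSD differences Oko mentioned (keep state is the default on both modern versions, so the explicit "keep state" above is only for readability). Note also that PF already passes ICMP error messages that refer to an existing TCP or UDP state entry, so the explicit needfrag/toobig rules matter mainly for traffic that has no state, such as stateless rules or packets forwarded for other hosts.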
 