PF What are the optimal ICMP rules in pf.conf (for a web + mail server)?

In /etc/pf.conf I currently have:
Code:
icmp_types = "{ echoreq unreach }"
...
pass inet proto icmp icmp-type $icmp_types
pass inet6 proto icmp6

However, I thought maybe it would be prudent to tighten up the IPv6 rule a bit, so I changed it to:

Code:
icmp_types = "{ echoreq unreach }"
icmp6_types = "{ echoreq unreach timex paramprob routeradv routersol neighbrsol }"
...
pass inet proto icmp icmp-type $icmp_types
pass inet6 proto icmp6 icmp6-type $icmp6_types
(^^ edited to fix typo as pointed out by facedebouc)

However, that gave terrible results for the web server on https://internet.nl (failed both the IPv6 and HTTPS tests). So, it seems that was too restrictive.

What would be the required icmp6-types in this case? Or, is there any harm in just allowing all of them?
 
In /etc/pf.conf I currently have:
Code:
icmp_types = "{ echoreq unreach }"
...
pass inet proto icmp icmp-type $icmp_types
pass inet6 proto icmp6

However, I thought maybe it would be prudent to tighten up the IPv6 rule a bit, so I changed it to:

Code:
icmp_types = "{ echoreq unreach }"
icmp6_types = "{ echoreq unreach timex paramprob routeradv routersol neighbrsol }"
...
pass inet proto icmp icmp-type $icmp_types
pass inet6 proto icmp6 icmp6-type $icmp_types

However, that gave terrible results for the web server on https://internet.nl (failed both the IPv6 and HTTPS tests). So, it seems that was too restrictive.

What would be the required icmp6-types in this case? Or, is there any harm in just allowing all of them?
It seems there is a typo in the pass inet6 rule.
 
It seems there is a typo in the pass inet6 rule.
Ah, thank you for pointing that out. I think it must have been only when I reproduced the rule in my post above that I made the typo. I retried the internet.nl test and I now had:
Code:
pass inet6 proto icmp6 icmp6-type $icmp6_types
... and it still gave me the same terrible score.
 
I get 100% with the same PF rule.
Code:
# Allowed ICMP types
# The additional ICMPv6 types are for neighbor discovery (RFC 4861)
# see also icmp6(4).
icmp_types  = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach, routeradv, neighbrsol, neighbradv }"

# Allow ICMP
pass inet proto icmp icmp-type $icmp_types
pass inet6 proto icmp6 icmp6-type $icmp6_types
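To make it concrete which neighbor discovery type the earlier list lacked, here is an added example (not code from this thread or from pf itself): a small Python check that parses the icmp6_types macro out of a pf.conf fragment and reports which RFC 4861 neighbor discovery types are absent. The name-to-number table, the ND_REQUIRED set and the two fragments are my own constructions based on the posts above; it is a lint for the macro, not a replacement for pfctl -nf.

```python
import re

# pf.conf icmp6-type names mapped to ICMPv6 type numbers
# (RFC 4443 for error/echo types, RFC 4861 for neighbor discovery).
PF_ICMP6_TYPES = {
    "unreach": 1, "toobig": 2, "timex": 3, "paramprob": 4,
    "echoreq": 128, "echorep": 129,
    "routersol": 133, "routeradv": 134, "neighbrsol": 135, "neighbradv": 136,
    "redir": 137,
}

# Neighbor Discovery (RFC 4861): a host that drops any of these inbound cannot
# learn its router's link-layer address or answer neighbor queries, so IPv6
# reachability silently breaks even though TCP rules look correct.
ND_REQUIRED = {"routeradv", "neighbrsol", "neighbradv"}


def parse_macro(conf: str, name: str) -> set[str]:
    """Return the items of a pf.conf list macro, e.g.
    icmp6_types = "{ echoreq, unreach }" (commas or whitespace separate items)."""
    m = re.search(rf'^\s*{re.escape(name)}\s*=\s*"\{{(.*?)\}}"', conf, re.M)
    if not m:
        raise ValueError(f"macro {name} not found")
    return {item for item in re.split(r"[\s,]+", m.group(1)) if item}


def check_icmp6(conf: str) -> dict:
    """Resolve the icmp6_types macro to type numbers and flag unknown names
    and missing neighbor discovery types."""
    types = parse_macro(conf, "icmp6_types")
    unknown = types - PF_ICMP6_TYPES.keys()
    missing_nd = ND_REQUIRED - types
    return {
        "types": sorted(PF_ICMP6_TYPES[t] for t in types - unknown),
        "unknown": sorted(unknown),
        "missing_nd": sorted(missing_nd),
    }


# Constructed fragments: the tightened rule from the question and the working one.
ORIGINAL = 'icmp6_types = "{ echoreq unreach timex paramprob routeradv routersol neighbrsol }"\n'
WORKING = 'icmp6_types = "{ echoreq, unreach, routeradv, neighbrsol, neighbradv }"\n'

if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL), ("working", WORKING)):
        print(label, check_icmp6(conf))
```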
 
Thanks again - adding your "neighbradv" icmp6-type gave me a good score again! So, I guess that's the one I was missing.
 