Other What ICMP packets do you allow with your firewall?

getopt

Aspiring Daemon

Reaction score: 655
Messages: 908

So an IETF bogons list would be more like this?
No. You are mixing up terms and lists.

A bogon is an illegitimate IP address that falls into a set of IP addresses that have not been officially assigned to an entity by an internet registration institute, such as the Internet Assigned Numbers Authority (IANA). Bogons arise as a result of a misconfiguration or intentional misuse that fools recipients about its source IP address. Bogon lists change daily and can be found there:

 

Alain De Vos

Son of Beastie

Reaction score: 995
Messages: 3,073

My current block list, it could be wrong, but everything seems to work:
Code:
cmd="/sbin/ipfw -q add"   # Set rules command prefix
pif="tun0"                # External (WAN) interface
### INCOMING
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 03001 deny all from         0.0.0.0/8  to any in via $pif # "This network" (RFC 1122)
$cmd 03002 deny all from        10.0.0.0/8  to any in via $pif # Private (RFC 1918)
$cmd 03003 deny all from      100.64.0.0/10 to any in via $pif # Shared address space / CGNAT (RFC 6598)
$cmd 03004 deny all from       127.0.0.0/8  to any in via $pif # Loopback
$cmd 03005 deny all from     169.254.0.0/16 to any in via $pif # Link-local / DHCP autoconfig
$cmd 03006 deny all from      172.16.0.0/12 to any in via $pif # Private (RFC 1918)
$cmd 03007 deny all from       192.0.0.0/24 to any in via $pif # IETF protocol assignments
$cmd 03008 deny all from       192.0.2.0/24 to any in via $pif # Docs (TEST-NET-1)
$cmd 03009 deny all from     192.88.99.0/24 to any in via $pif # Former 6to4 relay anycast, reserved
$cmd 03010 deny all from     192.168.0.0/16 to any in via $pif # Private (RFC 1918)
$cmd 03011 deny all from      198.18.0.0/15 to any in via $pif # Benchmark testing (RFC 2544)
$cmd 03012 deny all from    198.51.100.0/24 to any in via $pif # Docs (TEST-NET-2)
$cmd 03013 deny all from      203.0.113.0/24 to any in via $pif # Docs (TEST-NET-3)
$cmd 03015 deny all from       224.0.0.0/4  to any in via $pif # Multicast
$cmd 03016 deny all from     233.252.0.0/24 to any in via $pif # Docs (MCAST-TEST-NET)
$cmd 03017 deny all from       240.0.0.0/4  to any in via $pif # Reserved (former Class E)
$cmd 03018 deny all from 255.255.255.255/32 to any in via $pif # Limited broadcast
Even listening to online radio on firefox works.
 

smithi

New Member

Reaction score: 9
Messages: 18

My current block list, it could be wrong, but everything seems to work:
{ long list of rules }
Even listening to online radio on firefox works.
I should hope so <&^}=

Have a look at a recent /etc/rc.firewall 'simple' ruleset, which uses a table for the naughty nets, and a single rule to block the lot.

For one benefit, you can easily add an addr/mask to the table (or remove one) anytime without having to reload rules.
 
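The table-based approach described above, written out as an added example (this is not FreeBSD's own /etc/rc.firewall and the table name, rule numbers and interface are assumptions). It loads the same bogon networks into one ipfw table, blocks them with a single rule, and passes the ICMP types the thread says must not be filtered. fwcmd defaults to echo so the script can be dry-run on any host; set fwcmd=/sbin/ipfw to apply it.

```shell
#!/bin/sh
# Bogon blocking with an ipfw table instead of one deny rule per network.
# Hypothetical script (not FreeBSD's rc.firewall); ipfw table syntax is FreeBSD 11+.
# fwcmd defaults to "echo" so the ruleset can be dry-run without root or ipfw.
fwcmd="${fwcmd:-echo}"
pif="${pif:-tun0}"   # external interface (assumed)
tbl="bogons"         # table name (assumed)

# IPv4 source ranges that must never arrive on the WAN side (RFC 6890 special-purpose space).
bogons="0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
192.0.0.0/24 192.0.2.0/24 192.88.99.0/24 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24
203.0.113.0/24 224.0.0.0/4 233.252.0.0/24 240.0.0.0/4 255.255.255.255/32"

# Create the table and fill it. Entries can later be added or removed with
# "ipfw table bogons add|delete <net>" without reloading any rules.
load_bogon_table() {
    $fwcmd table "$tbl" create type addr
    for net in $bogons; do
        $fwcmd table "$tbl" add "$net"
    done
}

# The rules themselves: one deny for the whole table, then the ICMP that must pass.
add_rules() {
    # Replaces the per-network deny rules: drop anything entering on the external
    # interface whose source address is in the table.
    $fwcmd add 3000 deny ip from "table($tbl)" to any in via "$pif"
    # Never blanket-deny ICMP. Type 3 (destination unreachable, including code 4
    # "fragmentation needed", which path-MTU discovery depends on) and type 11
    # (time exceeded, used by traceroute) must be accepted inbound.
    $fwcmd add 3100 allow icmp from any to any icmptypes 3,11 in via "$pif"
    # Let this host and inside hosts ping out (type 8) and receive replies (type 0).
    $fwcmd add 3101 allow icmp from any to any icmptypes 8 out via "$pif"
    $fwcmd add 3102 allow icmp from any to any icmptypes 0 in via "$pif"
}

load_bogon_table
add_rules
```

Run it once with fwcmd unset to review the generated ipfw commands; any rule numbers must be chosen to fall before a later catch-all deny in your own ruleset.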

smithi

New Member

Reaction score: 9
Messages: 18

Poul-Henning Kamp wrote the default rules for the packet filters a long time ago. They were basic, but sound.

Indeed, though there were other major contributors. phk@ also later added the handy 'workstation' ruleset, which does handle ipv6 icmp.

Strangely though, the 'simple' ruleset has never passed any ipv4 icmp, so I always needed to modify /etc/rc.firewall

It took julian@ years to get that use of a table in .. that code is very resistant to change.
Filtering "fragmentation-needed" (ICMP type 3/4) traffic is a BAD idea. So you can't just ignore ICMP.
Exactly. No point denying type 1 (destination unreachable) either. I allow myself and inside hosts to ping out and receive responses as well.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 13,978
Messages: 40,708

Basically serverless DHCP. Each node picks an address in that range and does an ARP broadcast for it. If no one answers, it's available for use and the node grabs it.
Yep. But because of this (local) usage that range isn't being routed on the internet. So it's a good idea to block incoming connections from 169.254.0.0/16 on your WAN interface.
 

smithi

New Member

Reaction score: 9
Messages: 18

I detect some finger trouble there. "Destination Unreachable" is type 3. ICMP types 1-2 are unassigned.
Quite so. Confusion with ipv6, where type 1 is destination unreachable, phk@ had it right there.

Fingers ok, brain tired ...
 