Re: ICMP and ipfw
- In reply to: Michael Sierchio : "Re: ICMP and ipfw"
Date: Sun, 13 Mar 2022 18:15:53 UTC
On Sun, 13 Mar 2022 09:36:41 -0700 Michael Sierchio <kudzu@tenebras.com> wrote:

> On Sun, Mar 13, 2022 at 6:06 AM LuMiWa <lumiwa@dismail.de> wrote:
>
> > Hi!
> >
> > I changed some settings in ipfw.rules:
> > # ICMP
> > $cmd 02300 deny log icmp from any to any icmptypes 8
> > $cmd 02350 deny log icmp from any to any icmptypes 0
> > $cmd 02400 allow ipv6-icmp from any to any icmp6types 128,129
> > $cmd 02500 allow icmp from any to any icmptypes 3,4,11
> > $cmd 02600 allow ipv6-icmp from any to any icmp6types 3
> >
> > Then I tested on www.grc.com and I failed on Ping reply:
> > Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping
> > (ICMP Echo) requests, making it visible on the Internet. Most
> > personal firewalls can be configured to block, drop, and ignore
> > such ping requests in order to better hide systems from hackers.
> > This is highly recommended since "Ping" is among the oldest and
> > most common methods used to locate systems prior to further
> > exploitation.
> >
> > I tried also icmptypes 8,0 and 0,0 but the same result.
>
> Are you sure you don't want to be able to ping your ISP's next hop
> router when diagnosing a problem?
>
> I don't at all agree with the advice that you should block ICMP types
> 0,8 – they are useful and not harmful if you take appropriate
> measures (rate limit replies, for example, so you aren't used in a
> reflection attack). PING isn't the first choice for reconnaissance in
> any case. This is in the category of conventional but misguided
> "wisdom", like updating passwords based on the calendar. Does your
> software really respond appropriately to Source Quench messages
> (icmptype 4)?
>
> Better to have a blanket deny after explicit allows, like
>
> # permit some ICMP
> $cmd 02300 allow icmp from any to any icmptypes 0,3,4,11 in recv $external_if
> $cmd 02350 allow icmp from any to any icmptypes 0,3,4,8,11 out xmit $external_if
> $cmd 02400 allow ipv6-icmp from any to any icmp6types 133,134,135,136,137
> # deny ICMP
> $cmd 02505 deny log icmp from any to any in recv $external_if
>
> Make sure these are set
>
> net.inet.icmp.icmplim_output=1
> net.inet.icmp.icmplim= (some reasonable and small number)
> net.inet6.icmp6.errppslimit (likewise)

Thank you very much. It is in my help folder now :).

-- 
"The comfort of the rich depends upon an abundant supply of the poor" --Voltaire
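To see what the "explicit allows, then blanket deny" fragment quoted above actually does to each kind of ICMP traffic, here is an added example (not code from the thread or from ipfw itself) that parses those rule lines and applies ipfw's first-match, ascending-rule-number evaluation. It assumes $external_if expands to "em0" and models only the keywords the quoted rules use (icmptypes/icmp6types, in/out, recv/xmit).

```python
# Added example (not from the thread). Assumption: $external_if expands to "em0".
def parse_rule(line, external_if="em0"):
    """Parse '$cmd NUM ACTION [log] PROTO from any to any [icmptypes LIST]
    [in|out] [recv|xmit IFACE]' into a dict; other words are ignored."""
    toks = line.replace("$external_if", external_if).split()[1:]
    rule = {"number": int(toks[0]), "action": toks[1], "proto": None,
            "icmptypes": None, "direction": None, "iface": None}
    i = 2 + (toks[2] == "log")           # skip the optional "log" keyword
    rule["proto"] = toks[i]
    i += 1
    while i < len(toks):
        tok = toks[i]
        if tok in ("icmptypes", "icmp6types"):
            rule["icmptypes"] = {int(t) for t in toks[i + 1].split(",")}
            i += 2
        elif tok in ("in", "out"):
            rule["direction"] = tok
            i += 1
        elif tok in ("recv", "xmit"):
            rule["iface"] = toks[i + 1]
            i += 2
        else:                            # "from any to any": no address limit
            i += 1
    return rule

def matches(rule, pkt):
    """pkt: dict with proto, icmptype, direction ("in"/"out") and iface."""
    return (rule["proto"] == pkt["proto"]
            and (rule["icmptypes"] is None or pkt["icmptype"] in rule["icmptypes"])
            and (rule["direction"] is None or rule["direction"] == pkt["direction"])
            and (rule["iface"] is None or rule["iface"] == pkt["iface"]))

def verdict(rules, pkt):
    """ipfw semantics: ascending rule number, first match wins.
    Returns (action, number), or None when nothing in this fragment matches."""
    for rule in sorted(rules, key=lambda r: r["number"]):
        if matches(rule, pkt):
            return rule["action"], rule["number"]
    return None

def icmp(icmptype, direction, iface="em0", proto="icmp"):
    return {"proto": proto, "icmptype": icmptype, "direction": direction, "iface": iface}

# The fragment Michael Sierchio suggested, copied from the thread.
SUGGESTED = [parse_rule(l) for l in (
    "$cmd 02300 allow icmp from any to any icmptypes 0,3,4,11 in recv $external_if",
    "$cmd 02350 allow icmp from any to any icmptypes 0,3,4,8,11 out xmit $external_if",
    "$cmd 02400 allow ipv6-icmp from any to any icmp6types 133,134,135,136,137",
    "$cmd 02505 deny log icmp from any to any in recv $external_if",
)]
```

With this fragment an inbound echo request (type 8) on em0 falls through the allows and is stopped by 02505, while an inbound echo reply to your own ping (type 0) and an inbound time-exceeded (type 11, what traceroute needs) are accepted by 02300; ICMP arriving on any other interface is left to whatever rules follow.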