Interesting article about punching holes in firewalls...
m at rtij.nl
Tue Dec 19 19:53:19 CET 2006
Cedric Blancher wrote:
>>It is possible netfilter does this to accomodate bridging setups. Anyone
>>can comment on this? If this opens up the connection for any other ICMP
>>traffic, I think that's a bug. But I cannot imagine netfilter does this,
>>anyone know for sure?
>We also have a protocol problem here. However, as Pascal stated before,
>you can explicitly deny ICMP redirects.
>As a more general matter, ICMP filtering is tricky:
> . ICMP filtering can (and do) break connectivity: PPPoE users
> with broken PMTUD knows about it...
> . ICMP messages authentication is weak.
>On one hand we have a protocol we have to implement because we need it
>for IP to work smoothly, and on the other hand, it's quite easy to
>abuse. And we have to cope with it.
ICMP filtering is not tricky. Just remember the rules.
1) NEVER, EVER, EVER filter out fragmentation needed.
2) You may filter out ping, and the various destination unreachables,
the consequences are yours.
3) Everything else can be filtered without consequences.
If you mean, it is hard for a firewall to filter malicious ICMPs but not
beneign ICMPs, the we agree. I have not heard of an fragmentation needed
attack yet, but I can imagine it happening (analogous to the zero
But as Jozsef explained, iptables does check what it is possible, for
the rest we mostly have to live with it.
More information about the netfilter