Kitz Forum

Internet => General Internet => Topic started by: Weaver on September 26, 2018, 01:00:19 PM

Title: Firewalling question
Post by: Weaver on September 26, 2018, 01:00:19 PM
On my Firebrick FB2700 router, I wish to block aliens from groping my address space with, say, inbound ICMP or ICMPv6 packets such as pings with echo request, or timestamp request or whatever it is. If I just do nothing and rely on the standard stateful behaviour of Dracula at the Window and the Virgin, where an insider initiating an outbound conversation creates a return inbound hole, then will all be well with all inbound ICMP packets too?

I do not want to mess up PMTUD or certain other useful things such as certain important error indicators inbound. So I do not want to add an inbound ICMP block rule.

If I do nothing, and hope that Dracula at the Window and the Virgin will suffice to protect inbound, how could I test it? In particular I want to test that PMTUD still works in the inbound direction, so a remote correspondent can successfully discover downstream MTU.
Title: Re: Firewalling question
Post by: niemand on September 26, 2018, 01:29:38 PM
Inbound PMTUD doesn't rely on inbound ICMP.

A stateful firewall should inspect ICMP when it arrives and confirm it's a legitimate response. PMTU for instance provides the first up to 576 bytes of the original request in the payload of the 'packet too big' message which allows SPI kit to confirm whether it's a legitimate response to an outbound packet.

Not sure of the specific software you mentioned. HTH.
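The stateful check described above, as an added example that is not from this thread or from any Firebrick code: a minimal validator for an inbound ICMPv6 Packet Too Big message that parses the invoking packet carried in the ICMPv6 body and accepts the message only if it names an outbound flow the firewall has already recorded. The flow table, the documentation-prefix addresses and the helper that builds a sample message are all constructed for the demo.

```python
import ipaddress
import struct

# Constructed sample state: outbound flows the firewall has already seen,
# keyed by (inside_src, remote_dst, next_header, sport, dport).
OUTBOUND_FLOWS = {
    ("2001:db8:1::10", "2001:db8:ffff::80", 6, 51000, 443),
}

def parse_embedded_ipv6(payload):
    """Parse the invoking IPv6 packet carried in an ICMPv6 error body.
    Returns (src, dst, next_header, sport, dport), or None if truncated."""
    if len(payload) < 40:                      # need the full fixed header
        return None
    nxt = payload[6]                           # Next Header field
    src = str(ipaddress.IPv6Address(payload[8:24]))
    dst = str(ipaddress.IPv6Address(payload[24:40]))
    sport = dport = None
    if nxt in (6, 17) and len(payload) >= 44:  # TCP/UDP: ports follow header
        sport, dport = struct.unpack("!HH", payload[40:44])
    return src, dst, nxt, sport, dport

def accept_packet_too_big(icmp_dst, icmp_body, flows=OUTBOUND_FLOWS):
    """Stateful check for an inbound ICMPv6 Packet Too Big (type 2, code 0).
    icmp_dst is the destination of the ICMPv6 message itself; icmp_body is
    everything after the 4-byte ICMPv6 header (MTU field + invoking packet).
    Returns (accepted, reason)."""
    if len(icmp_body) < 4:
        return False, "no MTU field"
    mtu = struct.unpack("!I", icmp_body[:4])[0]
    if mtu < 1280:                             # below IPv6 minimum: bogus
        return False, "MTU below IPv6 minimum"
    emb = parse_embedded_ipv6(icmp_body[4:])
    if emb is None:
        return False, "embedded packet truncated"
    src, dst, nxt, sport, dport = emb
    # The error must be delivered to whoever sent the original packet.
    if src != str(ipaddress.IPv6Address(icmp_dst)):
        return False, "error not addressed to original sender"
    if (src, dst, nxt, sport, dport) not in flows:
        return False, "no matching outbound flow"
    return True, f"matches outbound flow, new path MTU {mtu}"

def build_ptb_body(mtu, src, dst, sport, dport, nxt=6):
    """Constructed helper: MTU field + a minimal invoking IPv6 header + ports."""
    hdr = struct.pack("!IHBB", 0x60000000, 20, nxt, 64)   # ver 6, len, nxt, hops
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return struct.pack("!I", mtu) + hdr + struct.pack("!HH", sport, dport)
```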
Title: Re: Firewalling question
Post by: Weaver on September 26, 2018, 01:32:32 PM
No, of course you’re right, inbound PMTUD does not rely on inbound ICMP, I must be going mad, did I say the wrong thing? It will want to see the outbound ICMP errors, surely.

I know I do not want to block absolutely all inbound Too Big and Unreachable etc ICMP messages mindlessly though.

So I am perhaps ok with standard stateful firewalling. The Firebrick is a hardware router, FB2700 from firebrick.co.uk. Unfortunately this is really a Firebrick-savvy question.

I still would feel better testing it to be safe, so that I do not fall into the hell of the brokenness bad people.
Title: Re: Firewalling question
Post by: burakkucat on September 26, 2018, 05:49:39 PM
I think that DaveC (https://forum.kitz.co.uk/index.php?action=profile;u=10444) might be the person to ask regarding Firebrick usage . . .

Any time that you would like a remote probing, just let me know the IPv4 address and I'll set something going.  ;)
Title: Re: Firewalling question
Post by: Weaver on September 26, 2018, 08:17:51 PM
The question is exactly what sanity checks I should do to make sure I have not messed things up?

Another way of thinking about it is that if there is a general commonality in default firewall settings, and that is good enough for other people, then defaults should be ok for me in the sense that ordinary protocol traffic patterns will not be messed up.
Title: Re: Firewalling question
Post by: jhm on September 26, 2018, 10:26:37 PM
For my FB, there was a gotcha which resulted in:

http://ipv6-test.com

showing a problem with IPv6 connectivity - ICMP:

Quote: "Your router or firewall is filtering ICMPv6 messages sent to your computer. An IPv6 host that cannot receive ICMP messages may encounter problems like some web pages loading partially or not at all."

The FB default is only ICMP, TCP and UDP but it wasn't very clear if ICMP is just IPv4 or IPv6 as well.  It turned out to be the former and it needed an explicit rule to allow ICMPv6.

With it fixed, the above website only shows lack of reverse DNS for IPv6 as an "issue" (being an IPv6 privacy address which changes when I reboot, albeit macOS apparently supports RFC7217 stable privacy addresses but I don't know why it doesn't work for me).  It's not really an issue as I understand it.