Kitz ADSL Broadband Information
Author Topic: Firewalling question  (Read 428 times)

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 6261
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick
Firewalling question
« on: September 26, 2018, 01:00:19 PM »

On my Firebrick FB2700 router, I wish to block aliens from groping my address space with say inbound ICMP or ICMPv6 packets such as pings with echo request, or timestamp request or whatever it is. If I just do nothing and rely on the standard stateful behaviour of Dracula at the Window and the Virgin, where an insider initiating an outbound conversation creates a return inbound hole, then will all be well with all inbound ICMP packets too?

I do not want to mess up PMTUD or certain other useful things such as certain important error indicators inbound. So I do not want to add an inbound ICMP block rule.

If I do nothing, and hope that Dracula at the Window and the Virgin will suffice to protect inbound, how could I test it? In particular I want to test that PMTUD still works in the inbound direction, so a remote correspondent can successfully discover downstream MTU.
« Last Edit: September 26, 2018, 01:41:46 PM by Weaver »

CarlT

  • Reg Member
  • ***
  • Posts: 886
  • Next generation network design and deployment
Re: Firewalling question
« Reply #1 on: September 26, 2018, 01:29:38 PM »

Inbound PMTUD doesn't rely on inbound ICMP.

A stateful firewall should inspect ICMP when it arrives and confirm it's a legitimate response. PMTU for instance provides the first up to 576 bytes of the original request in the payload of the 'packet too big' message which allows SPI kit to confirm whether it's a legitimate response to an outbound packet.

Not sure of the specific software you mentioned. HTH.
-----
Deploying better networks, not just faster ones.
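An added illustration of the check CarlT describes, written for this thread rather than taken from Firebrick or any post here: a toy stateful filter that admits an inbound ICMPv6 error only when the packet quoted in its payload matches a flow the inside host started. The flow table, helper names and sample addresses are assumptions; a real firewall applies the same idea to ICMPv4 errors.

```python
import struct
from ipaddress import IPv6Address

# ICMPv6 error types whose payload quotes the offending (original) packet.
ICMPV6_ERRORS = {1: "destination unreachable", 2: "packet too big", 3: "time exceeded"}
PROTO_TCP, PROTO_UDP = 6, 17

class StatefulIcmp6Filter:
    """Admit an inbound ICMPv6 error only if the packet quoted inside it
    matches a flow this side initiated (assumed toy flow table)."""

    def __init__(self):
        self.flows = set()  # (src, dst, proto, sport, dport) of outbound packets seen

    def note_outbound(self, src, dst, proto, sport, dport):
        self.flows.add((IPv6Address(src), IPv6Address(dst), proto, sport, dport))

    def admit(self, icmp6):
        """Return (accepted, reason); icmp6 is the ICMPv6 message, header included."""
        if len(icmp6) < 8 + 40 + 4:
            return False, "truncated"
        itype = icmp6[0]
        if itype not in ICMPV6_ERRORS:
            # Echo request, neighbour discovery etc. quote no packet, so they
            # are not "responses" to anything and need their own rules.
            return False, "not an error message"
        quoted = icmp6[8:]  # original packet starts after the 8-byte ICMPv6 header
        nxt = quoted[6]     # IPv6 next-header field of the quoted packet
        src = IPv6Address(quoted[8:24])
        dst = IPv6Address(quoted[24:40])
        if nxt not in (PROTO_TCP, PROTO_UDP):
            return False, f"unhandled quoted protocol {nxt}"
        sport, dport = struct.unpack("!HH", quoted[40:44])  # first 4 bytes of TCP/UDP
        if (src, dst, nxt, sport, dport) in self.flows:
            return True, ICMPV6_ERRORS[itype]
        return False, "quoted packet matches no outbound flow"

def build_packet_too_big(mtu, src, dst, proto, sport, dport):
    """Constructed sample: ICMPv6 type 2 quoting a 40-byte IPv6 header plus
    the first 4 bytes of the transport header. Checksum left as 0."""
    ip6 = (struct.pack("!IHBB", 0x60000000, 20, proto, 64)
           + IPv6Address(src).packed + IPv6Address(dst).packed)
    return struct.pack("!BBHI", 2, 0, 0, mtu) + ip6 + struct.pack("!HH", sport, dport)
```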

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 6261
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick
Re: Firewalling question
« Reply #2 on: September 26, 2018, 01:32:32 PM »

No, of course you’re right, inbound PMTUD does not rely on inbound ICMP, I must be going mad, did I say the wrong thing? It will want to see the outbound ICMP errors, surely.

I know I do not want to block absolutely all inbound Too Big and Unreachable etc ICMP messages mindlessly though.

So I am perhaps ok with standard stateful firewalling. The Firebrick is a hardware router, FB2700 from firebrick.co.uk. Unfortunately this is really a Firebrick-savvy question.

I still would feel better testing it to be safe, so that I do not fall into the hell of the brokenness bad people.
« Last Edit: September 26, 2018, 01:40:41 PM by Weaver »

burakkucat

  • Global Moderator
  • Senior Kitizen
  • *
  • Posts: 23883
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Firewalling question
« Reply #3 on: September 26, 2018, 05:49:39 PM »

I think that DaveC might be the person to ask regarding Firebrick usage . . .

Any time that you would like a remote probing, just let me know the IPv4 address and I'll set something going. ;)
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 6261
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick
Re: Firewalling question
« Reply #4 on: September 26, 2018, 08:17:51 PM »

The question is exactly what sanity checks should I do to make sure I have not messed things up?

Another way of thinking about it is that if there is a general commonality in default firewall settings and that is good enough for other people then defaults should be ok for me in the sense that ordinary protocol traffic patterns will not be messed up.

jhm

  • Member
  • **
  • Posts: 20
Re: Firewalling question
« Reply #5 on: September 26, 2018, 10:26:37 PM »

For my FB, there was a gotcha which resulted in:

http://ipv6-test.com

showing a problem with IPv6 connectivity - ICMP:

Quote:
Your router or firewall is filtering ICMPv6 messages sent to your computer. An IPv6 host that cannot receive ICMP messages may encounter problems like some web pages loading partially or not at all.

The FB default is only ICMP, TCP and UDP but it wasn't very clear if ICMP is just IPv4 or IPv6 as well. It turned out to be the former and it needed an explicit rule to allow ICMPv6.

With it fixed, the above website only shows lack of reverse DNS for IPv6 as an "issue" (being an IPv6 privacy address which changes when I reboot, albeit macOS apparently supports RFC7217 stable privacy addresses but I don't know why it doesn't work for me). It's not really an issue as I understand it.