Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Weaver]

On my Firebrick FB2700 router, I wish to block aliens from groping my address space with say inbound ICMP or ICMPv6 packets such as pings with echo request, or timestamp request it whatever it is. If I just do nothing and rely on the standard stateful behaviour of Dracula at the Window and the Virgin, where an insider initiating an outbound conversation creates a return inbound hole, then will all be well with all inbound ICMP packets too?

I do not want to mess up PMTUD or certain other useful things such as certain important error indicators inbound. So I do not want to to add an inbound ICMP block rule.

If I do nothing, and hope that Dracula at the Window and the Virgin will suffice to protect inbound, how could I test it? In particular I want to test that PMTUD still works in the inbound direction, so a remote correspondent can successfully discover downstream MTU.

[niemand]

Inbound PMTUD doesn't rely on inbound ICMP.

A stateful firewall should inspect ICMP when it arrives and confirm it's a legitimate response. PMTU for instance provides the first up to 576 bytes of the original request in the payload of the 'packet too big' message which allows SPI kit to confirm whether it's a legitimate response to an outbound packet.

Not sure of the specific software you mentioned. HTH.

[Weaver]

No, of course you’re right, inbound PMTUD does not rely on inbound ICMP, I must be going mad, did I say the wrong thing? It will want to see the outbound ICMP errors, surely.

I know I do not want to block absolutely all inbound Too Big and Unreachable etc ICMP messages mindlessly though.

So I am perhaps ok with standard stateful firewalling. The Firebrick is a hardware router, FB2700 from firebrick.co.uk. Unfortunately this is really a Firebrick-savvy question.

I still would feel better testing it to be safe, so that I do not fall into the hell of the brokenness bad people.

[burakkucat]

I think that DaveC might be the person to ask regarding Firebrick usage . . .

Any time that you would like a remote probing, just let me know the IPv4 address and I'll set something going. 

[Weaver]

The question is exactly what sanity checks should I do to make sure I have not messed things up?

Another way of thinking about it is that if there is a general commonality in default firewall settings and that is good enough for other people then defaults should be ok for me in the sense that ordinary protocol traffic patterns will not be messed up.

[jhm]

For my FB, there was a gotcha which resulted in:

http://ipv6-test.com

showing a problem with IPv6 connectivity - ICMP:

Your router or firewall is filtering ICMPv6 messages sent to your computer. An IPv6 host that cannot receive ICMP messages may encounter problems like some web pages loading partially or not at all.

The FB default is only ICMP, TCP and UDP but it wasn't very clear if ICMP is just IPv4 or IPv6 as well.  It turned out to be the former and it needed an explicit rule to allow ICMPv6.

With it fixed, the above website only shows lack of reverse DNS for IPv6 as an "issue" (being an IPv6 privacy address which changes when I reboot, albeit macOS apparently supports RFC7217 stable privacy addresses but I don't know why it doesn't work for me).  It's not really an issue as I understand it.