ICMP Type 3

Archived from groups: comp.security.firewalls (More info?)

I know this has been discussed before, but I'm still not clear on things,
and after Googling quite a bit I can't find any good answers..

I'm under the impression that one should allow ICMP type 3 both in and out
thru the firewall. I'm using Kerio here, so I set up a rule to allow type
3 incoming and outgoing to any address.

At first, I only saw outbound type 3 to my DNS servers. That was it. Now,
after some time allowing it outbound, I'm also starting to see other
destination addresses as well. More and more of them.

My question is this: Is there any harm in allowing outbound ICMP type 3 to
all these various destinations besides my DNS servers? I have no idea if
this is good or bad.

Comments please?

Archived from groups: comp.security.firewalls (More info?)

Kerodo wrote:

> I know this has been discussed before, but I'm still not clear on things,
> and after Googling quite a bit I can't find any good answers..
>
> I'm under the impression that one should allow ICMP type 3 both in and out
> thru the firewall. I'm using Kerio here, so I set up a rule to allow type
> 3 incoming and outgoing to any address.

I prefer allowing "Destination Unreachable", so long as it applies to a
connection request. I use IPTables, so this means:

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j
ACCEPT

This allows me to allow traffic based on abstract ideas rather than rigid
rules. Since ICMP type 3 would be considered RELATED if I had requested a
connection from them (OUTPUT NEW), it's allowed in. Beyond that, I also
tend to allow all ICMP traffic to my router, i.e. if my internet IP is
24.240.225.80, my ISP's router would be 24.240.225.1.

>
> At first, I only saw outbound type 3 to my DNS servers.

? That would be sent maybe if your request had no DNS name-to-IP resolution,
but Destination Unreachable is more for servers to tell you that they don't
want you to connect.

> That was it.
> Now, after some time allowing it outbound, I'm also starting to see other
> destination addresses as well. More and more of them.
>
> My question is this: Is there any harm in allowing outbound ICMP type 3
> to
> all these various destinations besides my DNS servers?

So long as it applies to an already attempted connection, then my opinion is
yes. However, since you probably don't have that ability with Kerio, I'd
only allow it to your ISP's IP range.
But another thing is you might also want to limit ICMP response rate to 1
per minute, but you can't do that with Kerio. However, you can do it with
IPTables.

> I have no idea if
> this is good or bad.
>
> Comments please?

--
Mother told me to be good, but she's been wrong before.

Archived from groups: comp.security.firewalls (More info?)

On Tue, 06 Apr 2004 08:08:47 GMT, Kerodo
<kerodo~nospam~kenny@hotmail.com> wrote:

>I know this has been discussed before, but I'm still not clear on things,
>and after Googling quite a bit I can't find any good answers..
>
>I'm under the impression that one should allow ICMP type 3 both in and out
>thru the firewall. I'm using Kerio here, so I set up a rule to allow type
>3 incoming and outgoing to any address.
>
>At first, I only saw outbound type 3 to my DNS servers. That was it. Now,
>after some time allowing it outbound, I'm also starting to see other
>destination addresses as well. More and more of them.
>
>My question is this: Is there any harm in allowing outbound ICMP type 3 to
>all these various destinations besides my DNS servers? I have no idea if
>this is good or bad.
>
>Comments please?

I'm using Kerio 215 but this should correlate to other Fw's.

Inbound ICMP 0,3,11 permit
Outbound ICMP 0,3,8 permit
Other ICMP 'ALL' deny

I've been using these ICMP settings, basic guidance from Sponge,
for several months without problems.

BoB

Archived from groups: comp.security.firewalls (More info?)

BoB wrote:
> On Tue, 06 Apr 2004 08:08:47 GMT, Kerodo
> <kerodo~nospam~kenny@hotmail.com> wrote:
>
> I'm using Kerio 215 but this should correlate to other Fw's.
>
> Inbound ICMP 0,3,11 permit
> Outbound ICMP 0,3,8 permit
> Other ICMP 'ALL' deny
>
> I've been using these ICMP settings, basic guidance from Sponge,
> for several months without problems.

One thing... you wouldn't really need type 0 outbound if you didn't have
type 8 allowed inbound, right?

Archived from groups: comp.security.firewalls (More info?)

>BoB <me@privacy.net> wrote in
>news:q2267095eb362ssj55jcb83d9eu8ashhiq@4ax.com:
>
>> On Tue, 06 Apr 2004 08:08:47 GMT, Kerodo
>> <kerodo~nospam~kenny@hotmail.com> wrote:
>> I'm using Kerio 215 but this should correlate to other Fw's.
>>
>> Inbound ICMP 0,3,11 permit
>> Outbound ICMP 0,3,8 permit
>> Other ICMP 'ALL' deny

AFAIK if you don't permit type 8 inbound, you don't need to permit
type 0 outbound.

>> I've been using these ICMP settings, basic guidance from Sponge,
>> for several months without problems.
>>
On Tue, 06 Apr 2004 22:23:21 GMT, Kerodo
<kerodo~nospam~kenny@hotmail.com> wrote:
>
>Yes, I'm using Kerio 2.1.5 as well, and with the same ICMP rules you stated
>above. I'm just wondering why my machine is sending type 3's out to
>various destinations. I guess I don't really understand what's going on.

It could be P2P clients trying to connect to the last machine that had
your IP addy. Type 3 just tells them to sod off.

Klosterheim

Archived from groups: comp.security.firewalls (More info?)

Kerodo wrote:

> I found out what the problem was. In my Kerio rules for DNS, I was
> allowing anything with a remote port of 53 to come in.

Yeah, that's NOT good.... You need to find the DNS servers your ISP uses,
and use only those for incoming and outgoing 53 UDP.

> Apparently the
> messenger spammers are using this trick to get by firewall rules.
> They're using port 53 so that it looks like it's incoming DNS to the
> firewall and it gets thru. This was then generating some kind of ICMP
> type 3 (port unavailable or something like that) which I was also
> allowing to go out. So I guess they were getting some kind of feedback
> from my system, if they were bothering to pay any attention to it.
>
> No harm was done, but it was a good example of how one needs to check
> firewall rules. Now I am only allowing DNS on remote port 53 from my
> DNS servers addresses. That seems to have solved the problem..

--
"What's the use of a good quotation if you can't change it?"
-- Dr. Who

Archived from groups: comp.security.firewalls (More info?)

On Tue, 06 Apr 2004 15:43:57 -0700, Kerodo
<kerodo~nospam~kenny@hotmail.com> wrote:

>BoB wrote:
>> On Tue, 06 Apr 2004 08:08:47 GMT, Kerodo
>> <kerodo~nospam~kenny@hotmail.com> wrote:
>>
>> I'm using Kerio 215 but this should correlate to other Fw's.
>>
>> Inbound ICMP 0,3,11 permit
>> Outbound ICMP 0,3,8 permit
>> Other ICMP 'ALL' deny
>>
>> I've been using these ICMP settings, basic guidance from Sponge,
>> for several months without problems.
>
>One thing... you wouldn't really need type 0 outbound if you didn't have
>type 8 allowed inbound, right?

Since I've seen this comment from several sources since Nov '03
I'll assume they are correct and remove it. Only because it probably
redundant, not that it creates a problem other than the same comment
each time. :-)

BoB

Archived from groups: comp.security.firewalls (More info?)

NeoSadist wrote:
> Kerodo wrote:
>
>
>>I found out what the problem was. In my Kerio rules for DNS, I was
>>allowing anything with a remote port of 53 to come in.
>
>
> Yeah, that's NOT good.... You need to find the DNS servers your ISP uses,
> and use only those for incoming and outgoing 53 UDP.
>
Apparently I need to do the same thing for DHCP too...

Archived from groups: comp.security.firewalls (More info?)

BoB <me@privacy.net> wrote in
news:ftta70d128unllhmhbcsketrttou553th9@4ax.com:

>>
>>The problem I was having here was that my DNS rule in Kerio wasn't set
>>up right. I didn't have my DNS servers addresses in the rule like I
>>should. Now everything's ok. No more outbound type 3 since I fixed
>>that, other than to my DNS servers that is...
>
> That would do it. :-)
> This morning my log showed 10 trips to my ISP'S DNS server IP.
> Glad your got that ironed out.

Yep... Now if I could just figure out WHY my system is sending type 3's to
my DNS servers... I still don't understand that...