ICMP Type 3

Guest
Archived from groups: comp.security.firewalls

I know this has been discussed before, but I'm still not clear on things,
and after Googling quite a bit I can't find any good answers..

I'm under the impression that one should allow ICMP type 3 both in and out
thru the firewall. I'm using Kerio here, so I set up a rule to allow type
3 incoming and outgoing to any address.

At first, I only saw outbound type 3 to my DNS servers. That was it. Now,
after some time allowing it outbound, I'm also starting to see other
destination addresses as well. More and more of them.

My question is this: Is there any harm in allowing outbound ICMP type 3 to
all these various destinations besides my DNS servers? I have no idea if
this is good or bad.

Comments please?
 
Guest

Kerodo wrote:

> I know this has been discussed before, but I'm still not clear on things,
> and after Googling quite a bit I can't find any good answers..
>
> I'm under the impression that one should allow ICMP type 3 both in and out
> thru the firewall. I'm using Kerio here, so I set up a rule to allow type
> 3 incoming and outgoing to any address.

I prefer allowing "Destination Unreachable", so long as it applies to a
connection request. I use IPTables, so this means:

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

This allows me to allow traffic based on abstract ideas rather than rigid
rules. Since ICMP type 3 would be considered RELATED if I had requested a
connection from them (OUTPUT NEW), it's allowed in. Beyond that, I also
tend to allow all ICMP traffic to my router, i.e. if my internet IP is
24.240.225.80, my ISP's router would be 24.240.225.1.

>
> At first, I only saw outbound type 3 to my DNS servers.

? That would be sent maybe if your request had no DNS name-to-IP resolution,
but Destination Unreachable is more for servers to tell you that they don't
want you to connect.

> That was it.
> Now, after some time allowing it outbound, I'm also starting to see other
> destination addresses as well. More and more of them.
>
> My question is this: Is there any harm in allowing outbound ICMP type 3
> to
> all these various destinations besides my DNS servers?

So long as it applies to an already attempted connection, then my opinion is
yes. However, since you probably don't have that ability with Kerio, I'd
only allow it to your ISP's IP range.
But another thing is you might also want to limit ICMP response rate to 1
per minute, but you can't do that with Kerio. However, you can do it with
IPTables.

> I have no idea if
> this is good or bad.
>
> Comments please?

--
Mother told me to be good, but she's been wrong before.
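The RELATED behaviour NeoSadist describes (an ICMP type 3 is let in only when it quotes a packet from a connection this host opened) worked through as an added example; this is not code from the thread or from iptables, and the addresses, ports and connection table are constructed sample data.

```python
import struct
from ipaddress import ip_address

IPPROTO_ICMP, IPPROTO_UDP = 1, 17


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header (checksum left zero; sample data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ip_address(src).packed, ip_address(dst).packed)


def build_udp_packet(src, dst, sport, dport, payload=b""):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, IPPROTO_UDP, len(udp)) + udp


def build_icmp_unreachable(src, dst, code, original):
    """ICMP type 3: quotes the original IP header plus its first 8 payload bytes."""
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + original[:28]
    return ipv4_header(src, dst, IPPROTO_ICMP, len(icmp)) + icmp


def parse_icmp_error(packet):
    """Return (code, quoted 5-tuple) for an ICMP type 3 packet, else None."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ICMP or packet[ihl] != 3:
        return None
    inner = packet[ihl + 8:]                # the packet that triggered the error
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return packet[ihl + 1], (inner[9], str(ip_address(inner[12:16])), sport,
                             str(ip_address(inner[16:20])), dport)


def is_related(packet, conntrack):
    """Accept the error only if it quotes a packet from a connection we opened."""
    parsed = parse_icmp_error(packet)
    return parsed is not None and parsed[1] in conntrack


# Constructed sample: 192.0.2.10 sent a DNS query to 198.51.100.53 (OUTPUT NEW),
# so the connection table holds that flow's (proto, src, sport, dst, dport).
CONNTRACK = {(IPPROTO_UDP, "192.0.2.10", 40001, "198.51.100.53", 53)}
QUERY = build_udp_packet("192.0.2.10", "198.51.100.53", 40001, 53, b"\x12\x34")
# Port unreachable (code 3) quoting our query: RELATED, allowed in.
RELATED_PKT = build_icmp_unreachable("198.51.100.53", "192.0.2.10", 3, QUERY)
# Same type, quoting a packet we never sent: not RELATED, dropped.
STRAY = build_udp_packet("192.0.2.10", "203.0.113.7", 1027, 1026)
UNSOLICITED_PKT = build_icmp_unreachable("203.0.113.7", "192.0.2.10", 3, STRAY)
```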
 

Bob

On Tue, 06 Apr 2004 08:08:47 GMT, Kerodo
<kerodo~nospam~kenny@hotmail.com> wrote:

>I know this has been discussed before, but I'm still not clear on things,
>and after Googling quite a bit I can't find any good answers..
>
>I'm under the impression that one should allow ICMP type 3 both in and out
>thru the firewall. I'm using Kerio here, so I set up a rule to allow type
>3 incoming and outgoing to any address.
>
>At first, I only saw outbound type 3 to my DNS servers. That was it. Now,
>after some time allowing it outbound, I'm also starting to see other
>destination addresses as well. More and more of them.
>
>My question is this: Is there any harm in allowing outbound ICMP type 3 to
>all these various destinations besides my DNS servers? I have no idea if
>this is good or bad.
>
>Comments please?

I'm using Kerio 215 but this should correlate to other Fw's.

Inbound ICMP 0,3,11 permit
Outbound ICMP 0,3,8 permit
Other ICMP 'ALL' deny

I've been using these ICMP settings, basic guidance from Sponge,
for several months without problems.

BoB
 
Guest

BoB wrote:
> On Tue, 06 Apr 2004 08:08:47 GMT, Kerodo
> <kerodo~nospam~kenny@hotmail.com> wrote:
>
> I'm using Kerio 215 but this should correlate to other Fw's.
>
> Inbound ICMP 0,3,11 permit
> Outbound ICMP 0,3,8 permit
> Other ICMP 'ALL' deny
>
> I've been using these ICMP settings, basic guidance from Sponge,
> for several months without problems.

One thing... you wouldn't really need type 0 outbound if you didn't have
type 8 allowed inbound, right?
 
Guest

BoB wrote:

> I'm using Kerio 215 but this should correlate to other Fw's.
>
> Inbound ICMP 0,3,11 permit
> Outbound ICMP 0,3,8 permit
> Other ICMP 'ALL' deny
>
> I've been using these ICMP settings, basic guidance from Sponge,
> for several months without problems.

Just for fun, have Kerio log your Type 3 rule traffic and see where the
outbound type 3's are going. That's what I'm interested in. I don't
see any reason why my computer should be sending any packets to anyone
unless it's perhaps my DNS servers.
 
Guest

NeoSadist <neosad1st@charter.net> wrote in
news:1075muh7q4kam8a@corp.supernews.com:

>>
>> My question is this: Is there any harm in allowing outbound ICMP
>> type 3 to
>> all these various destinations besides my DNS servers?
>
> So long as it applies to an already attempted connection, then my
> opinion is yes. However, since you probably don't have that ability
> with Kerio, I'd only allow it to your ISP's IP range.
> But another thing is you might also want to limit ICMP response rate
> to 1 per minute, but you can't do that with Kerio. However, you can
> do it with IPTables.
>
Thanks for your input.. I think I'll just allow it to my ISP's DNS servers
and see what happens. I guess I don't understand it much. I can't figure
out what's making my system want to send it out to these other IPs in the
first place. I'm an accountant and not a network specialist, so my
knowledge is very limited...
 
Guest

NeoSadist wrote:
> So long as it applies to an already attempted connection, then my opinion is
> yes. However, since you probably don't have that ability with Kerio, I'd
> only allow it to your ISP's IP range.
> But another thing is you might also want to limit ICMP response rate to 1
> per minute, but you can't do that with Kerio. However, you can do it with
> IPTables.

I found out what the problem was. In my Kerio rules for DNS, I was
allowing anything with a remote port of 53 to come in. Apparently the
messenger spammers are using this trick to get by firewall rules.
They're using port 53 so that it looks like it's incoming DNS to the
firewall and it gets thru. This was then generating some kind of ICMP
type 3 (port unavailable or something like that) which I was also
allowing to go out. So I guess they were getting some kind of feedback
from my system, if they were bothering to pay any attention to it.

No harm was done, but it was a good example of how one needs to check
firewall rules. Now I am only allowing DNS on remote port 53 from my
DNS servers' addresses. That seems to have solved the problem..
 
Guest

BoB <me@privacy.net> wrote in
news:q2267095eb362ssj55jcb83d9eu8ashhiq@4ax.com:

> On Tue, 06 Apr 2004 08:08:47 GMT, Kerodo
> <kerodo~nospam~kenny@hotmail.com> wrote:
> I'm using Kerio 215 but this should correlate to other Fw's.
>
> Inbound ICMP 0,3,11 permit
> Outbound ICMP 0,3,8 permit
> Other ICMP 'ALL' deny
>
> I've been using these ICMP settings, basic guidance from Sponge,
> for several months without problems.
>

Yes, I'm using Kerio 2.1.5 as well, and with the same ICMP rules you stated
above. I'm just wondering why my machine is sending type 3's out to
various destinations. I guess I don't really understand what's going on.
 
Guest

>BoB <me@privacy.net> wrote in
>news:q2267095eb362ssj55jcb83d9eu8ashhiq@4ax.com:
>
>> On Tue, 06 Apr 2004 08:08:47 GMT, Kerodo
>> <kerodo~nospam~kenny@hotmail.com> wrote:
>> I'm using Kerio 215 but this should correlate to other Fw's.
>>
>> Inbound ICMP 0,3,11 permit
>> Outbound ICMP 0,3,8 permit
>> Other ICMP 'ALL' deny

AFAIK if you don't permit type 8 inbound, you don't need to permit
type 0 outbound.

>> I've been using these ICMP settings, basic guidance from Sponge,
>> for several months without problems.
>>
On Tue, 06 Apr 2004 22:23:21 GMT, Kerodo
<kerodo~nospam~kenny@hotmail.com> wrote:
>
>Yes, I'm using Kerio 2.1.5 as well, and with the same ICMP rules you stated
>above. I'm just wondering why my machine is sending type 3's out to
>various destinations. I guess I don't really understand what's going on.

It could be P2P clients trying to connect to the last machine that had
your IP addy. Type 3 just tells them to sod off.

Klosterheim
 
Guest

Kerodo wrote:

> I found out what the problem was. In my Kerio rules for DNS, I was
> allowing anything with a remote port of 53 to come in.

Yeah, that's NOT good.... You need to find the DNS servers your ISP uses,
and use only those for incoming and outgoing 53 UDP.

> Apparently the
> messenger spammers are using this trick to get by firewall rules.
> They're using port 53 so that it looks like it's incoming DNS to the
> firewall and it gets thru. This was then generating some kind of ICMP
> type 3 (port unavailable or something like that) which I was also
> allowing to go out. So I guess they were getting some kind of feedback
> from my system, if they were bothering to pay any attention to it.
>
> No harm was done, but it was a good example of how one needs to check
> firewall rules. Now I am only allowing DNS on remote port 53 from my
> DNS servers addresses. That seems to have solved the problem..

--
"What's the use of a good quotation if you can't change it?"
-- Dr. Who
 

Bob

On Tue, 06 Apr 2004 17:16:55 -0700, Kerodo
<kerodo~nospam~kenny@hotmail.com> wrote:

>BoB wrote:
>
>> I'm using Kerio 215 but this should correlate to other Fw's.
>>
>> Inbound ICMP 0,3,11 permit
>> Outbound ICMP 0,3,8 permit
>> Other ICMP 'ALL' deny
>>
>> I've been using these ICMP settings, basic guidance from Sponge,
>> for several months without problems.
>
>Just for fun, have Kerio log your Type 3 rule traffic and see where the
>outbound type 3's are going. That's what I'm interested in. I don't
>see any reason why my computer should be sending any packets to anyone
>unless it's perhaps my DNS servers.

Okay, check back. When I have logged anything, I'll post it on
this thread.

BoB
 

Bob

On Tue, 06 Apr 2004 15:43:57 -0700, Kerodo
<kerodo~nospam~kenny@hotmail.com> wrote:

>BoB wrote:
>> On Tue, 06 Apr 2004 08:08:47 GMT, Kerodo
>> <kerodo~nospam~kenny@hotmail.com> wrote:
>>
>> I'm using Kerio 215 but this should correlate to other Fw's.
>>
>> Inbound ICMP 0,3,11 permit
>> Outbound ICMP 0,3,8 permit
>> Other ICMP 'ALL' deny
>>
>> I've been using these ICMP settings, basic guidance from Sponge,
>> for several months without problems.
>
>One thing... you wouldn't really need type 0 outbound if you didn't have
>type 8 allowed inbound, right?

Since I've seen this comment from several sources since Nov '03
I'll assume they are correct and remove it. Only because it's probably
redundant, not that it creates a problem other than the same comment
each time. :)

BoB
 
Guest

NeoSadist wrote:
> Kerodo wrote:
>
>
>>I found out what the problem was. In my Kerio rules for DNS, I was
>>allowing anything with a remote port of 53 to come in.
>
>
> Yeah, that's NOT good.... You need to find the DNS servers your ISP uses,
> and use only those for incoming and outgoing 53 UDP.
>
Apparently I need to do the same thing for DHCP too...
 
Guest

BoB <me@privacy.net> wrote in
news:544870tj6ppo2pudjtipd3eg577i6t149f@4ax.com:

>>Just for fun, have Kerio log your Type 3 rule traffic and see where the
>>outbound type 3's are going. That's what I'm interested in. I don't
>>see any reason why my computer should be sending any packets to anyone
>>unless it's perhaps my DNS servers.
>
> Okay, check back. When I have logged anything, I'll post it on
> this thread.

The problem I was having here was that my DNS rule in Kerio wasn't set up
right. I didn't have my DNS servers' addresses in the rule like I should.
Now everything's ok. No more outbound type 3 since I fixed that, other
than to my DNS servers that is...
 

Bob

On Wed, 07 Apr 2004 20:42:41 GMT, Kerodo
<kerodo~nospam~kenny@hotmail.com> wrote:

>BoB <me@privacy.net> wrote in
>news:544870tj6ppo2pudjtipd3eg577i6t149f@4ax.com:
>
>>>Just for fun, have Kerio log your Type 3 rule traffic and see where the
>>>outbound type 3's are going. That's what I'm interested in. I don't
>>>see any reason why my computer should be sending any packets to anyone
>>>unless it's perhaps my DNS servers.
>>
>> Okay, check back. When I have logged anything, I'll post it on
>> this thread.
>
>The problem I was having here was that my DNS rule in Kerio wasn't set up
>right. I didn't have my DNS servers addresses in the rule like I should.
>Now everything's ok. No more outbound type 3 since I fixed that, other
>than to my DNS servers that is...

That would do it. :)
This morning my log showed 10 trips to my ISP's DNS server IP.
Glad you got that ironed out.

BoB
 
Guest

BoB <me@privacy.net> wrote in
news:ftta70d128unllhmhbcsketrttou553th9@4ax.com:

>>
>>The problem I was having here was that my DNS rule in Kerio wasn't set
>>up right. I didn't have my DNS servers addresses in the rule like I
>>should. Now everything's ok. No more outbound type 3 since I fixed
>>that, other than to my DNS servers that is...
>
> That would do it. :)
> This morning my log showed 10 trips to my ISP's DNS server IP.
> Glad you got that ironed out.

Yep... Now if I could just figure out WHY my system is sending type 3's to
my DNS servers... I still don't understand that...
 

Bob

On Thu, 08 Apr 2004 22:32:21 GMT, Kerodo
<kerodo~nospam~kenny@hotmail.com> wrote:

>BoB <me@privacy.net> wrote in
>news:ftta70d128unllhmhbcsketrttou553th9@4ax.com:
>
>>>
>>>The problem I was having here was that my DNS rule in Kerio wasn't set
>>>up right. I didn't have my DNS servers addresses in the rule like I
>>>should. Now everything's ok. No more outbound type 3 since I fixed
>>>that, other than to my DNS servers that is...
>>
>> That would do it. :)
>> This morning my log showed 10 trips to my ISP's DNS server IP.
>> Glad you got that ironed out.
>
>Yep... Now if I could just figure out WHY my system is sending type 3's to
>my DNS servers... I still don't understand that...

It is the reason I logged 10 queries to my DNS yesterday. Each time
I entered a url into my browser, or checked for an AV update, for
example, my computer sent out a DNS request to convert the address
into a numerical code that the computer can understand. If there is
a response within five seconds, the communication will be allowed.
All other DNS packets will be dropped. Were you to enter a numeric
IP address in your browser such as, 126.111.16.10 there would be no
need for a DNS lookup.

You also need to have a rule to block 'all' DNS traffic below your
rules for allowing DNS, as the rules are processed from the top down.

BoB
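Kerodo's finding (a DNS rule that let in anything with remote port 53, from any address) and BoB's point that rules are processed from the top down, worked through as an added example of first-match rule evaluation; this is not Kerio's code or anything from the thread, and the rule names, resolver addresses and sample packets are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out"
    proto: str          # "udp", "tcp", "icmp"
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "permit" or "deny"
    direction: str = "any"
    proto: str = "any"
    remote_ips: FrozenSet[str] = frozenset()  # empty means any address
    remote_port: Optional[int] = None         # None means any port

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in ("any", pkt.direction)
                and self.proto in ("any", pkt.proto)
                and (not self.remote_ips or pkt.remote_ip in self.remote_ips)
                and (self.remote_port is None or self.remote_port == pkt.remote_port))


def evaluate(rules, pkt):
    """First matching rule wins (top-down processing); no match means deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "default"


ISP_DNS = frozenset({"198.51.100.53", "198.51.100.54"})   # constructed addresses
BLOCK_DNS = Rule("Block all DNS", "deny", proto="udp", remote_port=53)

# Original rule set: anything with remote port 53 is let in, from any address.
LOOSE = [Rule("DNS", "permit", proto="udp", remote_port=53), BLOCK_DNS]
# Corrected rule set: only the resolvers' addresses, with the catch-all deny below.
FIXED = [Rule("DNS", "permit", proto="udp", remote_ips=ISP_DNS, remote_port=53), BLOCK_DNS]
# Same two rules in the wrong order: the deny shadows the permit and breaks DNS.
MISORDERED = [BLOCK_DNS, FIXED[0]]

REPLY = Packet("in", "udp", "198.51.100.53", 53)   # answer from the ISP resolver
SPOOF = Packet("in", "udp", "203.0.113.9", 53)     # unsolicited datagram from port 53
```

Under LOOSE the unsolicited port-53 datagram is permitted and then triggers the outbound type 3 Kerodo saw; under FIXED it falls through to the deny while real resolver replies still pass.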