Archived from groups: comp.security.firewalls
Thanks for your comments, I also agree with the point that we
are all learning and sharing information is a good thing
But I still do not understand "icmp data arrive through port 0".
ICMP resides above IP protocol, and beside TCP & UDP.
ICMP means Internet Control Message Protocol, and isn't
used to exchange data; it is used to help hosts know what
is happening.
One way you may see ICMP get out of your box when
it receives a UDP or TCP packet on port 0 would be
ICMP Type 3 Code 3 (Port unreachable) packets.
ex:
TCP foreignhost -> yourbox:0 (connect to port 0)
ICMP yourbox -> foreignhost (port is unreachable)
This would be normal behavior for a TCP/IP stack.
Another way that port was used is to set source port to
0 and send this packet to an opened port of a server
to determine its OS with its TCP/IP stack behavior.
ex:
TCP foreignhost:0 -> awebserver:80 (opened port)
TCP awebserver:80 -> foreignhost:1025 (the stack changed source port to 1025)
this article :
http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
doesn't talk about ICMP, it talks about TCP flag combinations
to determine the OS via its TCP/IP stack behavior.
It doesn't talk about port 0 either.
This article :
http://www.robertgraham.com/pubs/firewall-seen.html#2
indicates
"Some firewalls (inaccurately) label ICMP fields as "ports". ICMP has no
ports like TCP or UDP, but it does have two fields called "type" and
"code"."
It gives an example of what I just explained: an ICMP response
is usually returned to the foreign host when there is a problem
(like host unreachable, port unreachable, protocol unreachable, ...)
with the requested port. But this port can be anything between 0 and 65535.
I suggest more readings :
http://www.ietf.org/rfc/rfc1122.txt section 3.2.2
http://www.robertgraham.com/pubs/hacking-dict.html#icmp
http://www.thinkingsecure.com/docs/TCPIP-Illustrated-1/icmp_int.htm
http://www.citap.com/documents/tcp-ip/tcpip012.htm
And this one explains how to configure a Linux firewall to decide what to do
when it receives a TCP packet to a forbidden port, which may
help to understand:
http://logi.cc/linux/reject_or_deny.html
We can either :
- Drop the packet (no answer to the foreign host)
- Send a TCP packet with the RST flag to the foreign host
(means "my port is closed")
- Send an ICMP message with the correct type & code
saying "port is unreachable"
Hope this helps again
Have a nice day
Maxime Ducharme
Programmer / Network security specialist
"Purl Gurl" <purlgurl@purlgurl.net> wrote in message
news:40ACC01E.4E1AEF30@purlgurl.net...
> Maxime Ducharme wrote:
>
> > Purl Gurl wrote:
> > > Alan Illeman wrote:
>
> (snipped)
>
> > > > Can I survive if I block all ICMP requests?
>
> > ICMP does not include any ports.
>
> > http://www.iana.org/assignments/icmp-parameters
>
> > http://www.networkpenetration.com/port0.html
>
> Thank you, Maxime, for additional information.
> This benefits all readers. Like you, I encourage
> readers to follow those links and other links,
> to research, read and learn, keeping in mind
> each author will present his specific viewpoint.
> A variety of research sources will provide a
> much better generalized notion, and clarity.
>
> You will note in my articles I make a distinction
> between port zero and icmp packets. You will also
> discover I indicate historical hacks for icmp data
> arrive through port 0 which is well documented.
>
> You will discover by writing your own custom program
> there are a minimum of three responses through port 0
> which are icmp responses, types 13, 14 and 17.
>
> Perhaps it is each operating system handles port 0
> requests differently, leading to a default action
> which returns icmp responses. It is documented there
> is wide variation how each system, and each system
> version, handles port 0 inquiries, bidirectional.
>
> Unfortunately, none of us are experts on each and
> every system type out there.
>
> Your links provide additional information so readers
> can become better informed about this clouded issue.
>
> Standard issue advice is to close port 0 to all
> connections, and deny only selected icmp types.
> My previous articles add some information, albeit
> limited, why closing port 0 is preferred over
> denial of all icmp packets. Some system issues
> may come about thus my suggestion to test and
> note results.
>
> Readers will benefit by engaging in a detailed
> highly technical study of this, but expect to
> encounter some lack of clarity; there are many
> valid points of view on this.
>
>
> Purl Gurl
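As an added example (not from Maxime's post or from any of the linked articles), the Python below builds the ICMP Type 3 Code 3 message a stack returns when a TCP/UDP packet arrives for a closed port, then parses it back to show that the "port" a firewall attributes to an ICMP packet is really the destination port quoted from the original packet's header, as the Robert Graham article above explains. All addresses and ports are constructed sample values.

```python
import struct

# RFC 792 destination-unreachable codes mentioned in the thread
REASON = {0: "net unreachable", 1: "host unreachable",
          2: "protocol unreachable", 3: "port unreachable"}

def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement checksum; returns 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_port_unreachable(src_ip, dst_ip, proto, sport, dport) -> bytes:
    """Constructed sample of the ICMP Type 3 Code 3 reply a host sends for a
    packet to a closed port. The ICMP payload quotes the original IP header
    plus the first 8 bytes of its transport header (inner IP checksum left 0)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                           bytes(map(int, src_ip.split("."))),
                           bytes(map(int, dst_ip.split("."))))
    inner_l4 = struct.pack("!HHI", sport, dport, 0)  # ports + 4 filler bytes
    body = struct.pack("!BBHI", 3, 3, 0, 0) + inner_ip + inner_l4
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def parse_unreachable(msg: bytes) -> dict:
    """Decode a destination-unreachable and recover which port the original
    packet was aimed at. ICMP itself has no port field; the number a firewall
    logs as a 'port' comes from this quoted inner header."""
    itype, code, _ = struct.unpack("!BBH", msg[:4])
    if itype != 3:
        raise ValueError("not an ICMP destination unreachable")
    if icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    inner = msg[8:]                      # quoted original IP header
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    src = ".".join(map(str, inner[12:16]))
    dst = ".".join(map(str, inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {"code": code, "reason": REASON.get(code, "other"), "proto": proto,
            "orig_src": src, "orig_dst": dst,
            "orig_sport": sport, "orig_dport": dport}
```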