Manual instructions for icmp filter wrong?

GlueGuy · Sat Jun 02, 2007 8:03 pm

I was reviewing a new MT installation, with which I had installed the icmp filter chain per the 2.9 manual outline on page 446:

add chain=icmp protocol=icmp icmp-options=0:0 action=accept \
comment="drop invalid connections"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept \
comment="allow established connections"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept \
comment="allow already established connections"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept \
comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept \
comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept \
comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept \
comment="allow parameter bad"
add chain=icmp action=drop comment="deny all other types"

The very first filter rule seems to be incorrect to me. The comment says "drop invalid connections", yet the action is "accept". This seems exactly backward.

However, I'm a relative newb, so I thought I would post this here for clarification.

andrewluck · Sun Jun 03, 2007 3:07 pm

Comments for the first three are incorrect. Rules are otherwise OK

Regards

Andrew

GlueGuy · Sun Jun 03, 2007 9:21 pm

So the first three rules' comments should be corrected to something like:

add chain=icmp protocol=icmp icmp-options=0:0 action=accept \
comment="Accept ping reply packets"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept \
comment="Accept destination/net unreachable packets"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept \
comment="Accept destination/host unreachable packets"

Which would make more sense than the ones that are there now?

Would it make sense to actually have a "drop invalid connections" rule for icmp packets preceding this? Or is there a good reason to not put an invalid connections rule for icmp packets?

changeip · Mon Jun 04, 2007 7:18 am

add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=20,20 action=accept \
    comment="8:0 and limit for 5pac/s \(Echo - No Code\)" disabled=no 
add chain=ICMP protocol=icmp icmp-options=3:3 limit=30,5 action=accept \
    comment="3:3 and limit for 5pac/s \(Port Unreachable\)" disabled=no 
add chain=ICMP protocol=icmp icmp-options=11:0 limit=50,20 action=accept \
    comment="11:0 and limit for 5pac/s \(TTL Exceeded\)" disabled=no 
add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=20,20 action=accept \
    comment="0:0 and limit for 5pac/s \(Echo Reply\)" disabled=no 
add chain=ICMP protocol=icmp icmp-options=3:0 limit=5,5 action=accept \
    comment="3:0 and limit for 5pac/s \(Net Unreachable\)" disabled=no 
add chain=ICMP protocol=icmp icmp-options=3:1 limit=5,5 action=accept \
    comment="3:1 and limit for 5pac/s \(Host Unreachable\)" disabled=no 
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept \
    comment="3:4 and limit for 5pac/s \(Frag Not Needed\)" disabled=no 
add chain=ICMP protocol=icmp icmp-options=3:13 limit=5,5 action=accept \
    comment="3:13 and limit for 5pac/s" disabled=no 
add chain=ICMP protocol=icmp icmp-options=3:10 limit=5,5 action=accept \
    comment="3:10 and limit for 5pac/s" disabled=no 
add chain=ICMP protocol=icmp limit=1,2 action=log log-prefix="" comment="log \
    it" disabled=no 
add chain=ICMP protocol=icmp action=drop comment="Drop everything else" \
    disabled=no

jump to this chain with proto=icmp in both the forward and input chains.

Manual instructions for icmp filter wrong?

Manual instructions for icmp filter wrong?

Re: Manual instructions for icmp filter wrong?

Re: Manual instructions for icmp filter wrong?

Re: Manual instructions for icmp filter wrong?

Who is online