Re: [suse-security] Suse Firewall 2.6
these are icmp packets, "destination-unreachable". you probably have a policy on the output chain of DENY and don't let the icmp packets pass. you should NEVER NEVER NEVER block "destination-unreachable", and the following should also stay open:

ipchains -A output -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A output -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A output -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A output -p icmp --icmp-type parameter-problem -j ACCEPT
ipchains -A output -p icmp --icmp-type echo-request -j ACCEPT

and repeat that all for the input chain.

martin
madduck@madduck.net (greetings from the heart of the sun)
MaD dUCK started typing into the keyboard and wrote:
> these are icmp packets, "destination-unreachable". you probably have a policy on the output chain of DENY and don't let the icmp packets pass. you should NEVER NEVER NEVER block "destination-unreachable", and the following should also stay open:
>
> ipchains -A output -p icmp --icmp-type destination-unreachable -j ACCEPT
> ipchains -A output -p icmp --icmp-type source-quench -j ACCEPT
> ipchains -A output -p icmp --icmp-type time-exceeded -j ACCEPT
> ipchains -A output -p icmp --icmp-type parameter-problem -j ACCEPT
> ipchains -A output -p icmp --icmp-type echo-request -j ACCEPT
>
> and repeat that all for the input chain.
Well, thanks for the info. First of all I would like to understand:

1) What is the reasoning to let the icmp pass?
2) The same principle was working with SuSEfirewall 2.1; in version 2.6, where and how do I define this?

Thanks

--
Togan Muftuoglu
toganm@turk.net

It said "Needs Windows 98 or better." So I installed Linux...
  -o)
  /\\
 _\_v   The penguins are coming... the penguins are coming...
-----------------------------------
100% MS FREE
Absolutely no component of Microsoft was used in the generation or posting of this e-mail. So it is virus free.
mh. icmp messages are vital to most traffic on the network and they cannot really be used for hacking. of course, icmp floods (i.e. ping of death etc.) are based on them, but your system should be immune. anyway, destination-unreachable for instance is what you get back when you point netscape to http://i.dont.exist.com. it's a very low-level protocol, called the internet (protocol) control message protocol, so it is used at a level far below tcp/udp to handle control messages.

i don't know where your firewall is set up. i assume you are using ipchains to configure it. so check /etc/rc.d/init.d/ipchains, /etc/ipchains*, and /etc/sysconfig/ipchains for lines similar to the ones below. let me know when you find a file that lists rules with or without the 'ipchains' in the beginning of the line.

martin

ps: even better signature :)

madduck@madduck.net (greetings from the heart of the sun)
> mh. icmp messages are vital to most traffic on the network and they cannot really be used for hacking. of course, icmp floods (i.e. ping of death etc.) are based on them, but your system should be immune. anyway, destination-unreachable for instance is what you get back when you point netscape to http://i.dont.exist.com. it's a very low-level protocol, called the internet (protocol) control message protocol, so it is used at a level far below tcp/udp to handle control messages.
>
> i don't know where your firewall is set up. i assume you are using ipchains to configure it.
>
> so check /etc/rc.d/init.d/ipchains, /etc/ipchains*, and /etc/sysconfig/ipchains for lines similar to the ones below. let me know when you find a file that lists rules with or without the 'ipchains' in the beginning of the line.
>
> martin
Actually ICMP is a hacker's best friend. You can discover what OS the remote end is running, how a firewall is set up, all sorts of cool stuff. You can block 100% of icmp traffic; the only thing it "breaks" is path MTU (max transmit unit): some clients on crappy links will not be able to connect. Blocking the various things like dest unreach means clients will have to time out instead of getting a "port unreachable" packet; this is basically a non-issue in most cases. Personally I advocate blocking ALL icmp when possible; sure it breaks path mtu for some people, but in most cases they don't matter too much =)

-Kurt
i must admit you are right. there are advantages and there are disadvantages. i would then suggest only blocking dest-unreachable and time-exceeded for i don't believe they are part of a port/os sniff. correct me if i am wrong.

martin
madduck@madduck.net (greetings from the heart of the sun)
> i must admit you are right. there are advantages and there are disadvantages. i would then suggest only blocking dest-unreachable and time-exceeded for i don't believe they are part of a port/os sniff. correct me if i am wrong.

Port sniff: yep. Check out firewalk: http://securityportal.com/lskb/10000050/kben10000060.html

> martin
-Kurt
MaD dUCK started typing into the keyboard and wrote:
> mh. icmp messages are vital to most traffic on the network and they cannot really be used for hacking. of course, icmp floods (i.e. ping of death etc.) are based on them, but your system should be immune. anyway, destination-unreachable for instance is what you get back when you point netscape to http://i.dont.exist.com. it's a very low-level protocol, called the internet (protocol) control message protocol, so it is used at a level far below tcp/udp to handle control messages.
>
> i don't know where your firewall is set up. i assume you are using ipchains to configure it.

No, I am using SuSEfirewall (which is basically creating the ipchains rules based on the info I provide in rc.firewall.config, AFAIK).

> so check /etc/rc.d/init.d/ipchains, /etc/ipchains*, and /etc/sysconfig/ipchains for lines similar to the ones below. let me know when you find a file that lists rules with or without the 'ipchains' in the beginning of the line.

Well, attached is the list of the output of "SuSEfirewall" run as /sbin/SuSEfirewall status, which I am sure is not what you are looking for.

--
Togan Muftuoglu
toganm@turk.net

ps: nosig is ok?
MaD dUCK
> ipchains -A output -p icmp --icmp-type destination-unreachable -j ACCEPT
> ipchains -A output -p icmp --icmp-type source-quench -j ACCEPT
> ipchains -A output -p icmp --icmp-type time-exceeded -j ACCEPT
> ipchains -A output -p icmp --icmp-type parameter-problem -j ACCEPT
> ipchains -A output -p icmp --icmp-type echo-request -j ACCEPT
>
> and repeat that all for the input chain.

You _can_ repeat that for the input chain, but you _should_ restrict incoming echo-requests:

ipchains -A input -p icmp --icmp-type echo-request -s $INTERNAL_NET -j ACCEPT

where $INTERNAL_NET is your internal network. For an answer to echo-requests from a host in your internal network to your packet-filtering firewall you also need

ipchains -A output -p icmp --icmp-type echo-reply -j ACCEPT

Martin
--
martin.peikert@innominate.de
system engineer, innominate AG
clustering & security networking people
tel: +49.30.308806-0  fax: -77
http://innominate.de
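Added example (not code from the thread, from SuSEfirewall or from ipchains itself): a Python audit of an `ipchains -L -v -n` listing, the format of the status output Togan attached. It walks each chain first-match, as ipchains does, and reports where the control-message types MaD dUCK listed (3, 4, 11, 12) end up DENYed, and where the input chain accepts echo-request from 0.0.0.0/0 instead of only the internal network as Martin Peikert recommends. The sample listing and the address 192.0.2.10 are constructed.

```python
import re

# ICMP types the thread discusses; 3, 4, 11 and 12 are the control messages that must stay open
ICMP_NAMES = {3: "destination-unreachable", 4: "source-quench", 8: "echo-request",
              11: "time-exceeded", 12: "parameter-problem"}
MUST_ALLOW = (3, 4, 11, 12)
# Constructed sample in `ipchains -L -v -n` layout (not the poster's real listing); 192.0.2.10 is the firewall
SAMPLE = """\
Chain input (policy DENY: 43 packets, 3166 bytes):
 pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
    0     0 ACCEPT icmp ------ 0xFF 0x00 * 0.0.0.0/0 192.0.2.10 3 -> *
    0     0 ACCEPT icmp ------ 0xFF 0x00 * 0.0.0.0/0 192.0.2.10 8 -> *
    0     0 DENY   icmp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 11 -> *
Chain output (policy ACCEPT: 2711 packets, 224776 bytes):
 pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
    3   436 DENY   icmp ----l- 0xFF 0x00 * 192.0.2.10 0.0.0.0/0 3 -> *
"""

def parse_chains(listing):
    # Returns {chain: (policy, [(target, source, icmp_type_or_None)])}, ICMP rules only
    chains, current = {}, None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\S+):", line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), [])
            continue
        f = line.split()  # pkts bytes target prot opt tosa tosx ifname source dest type -> *
        if current is None or len(f) < 11 or f[3] != "icmp":
            continue  # column header or a non-ICMP rule
        chains[current][1].append((f[2], f[8], None if f[10] == "*" else int(f[10])))
    return chains

def first_match(rules, policy, itype):
    # ipchains is first-match: the first rule covering the type decides, else the chain policy
    for target, source, rtype in rules:
        if rtype is None or rtype == itype:
            return target, source
    return policy, "0.0.0.0/0"

def audit(listing):
    findings = []
    for chain, (policy, rules) in parse_chains(listing).items():
        for t in MUST_ALLOW:  # blocked control messages break path MTU discovery, traceroute, etc.
            verdict, _ = first_match(rules, policy, t)
            if verdict != "ACCEPT":
                findings.append(f"{chain}: {ICMP_NAMES[t]} (type {t}) is {verdict}")
        if chain == "input":  # Peikert's point: answer pings only from the internal net
            verdict, source = first_match(rules, policy, 8)
            if verdict == "ACCEPT" and source == "0.0.0.0/0":
                findings.append("input: echo-request accepted from anywhere; restrict to internal net")
    return findings
```

Run `audit(SAMPLE)` on the constructed listing and it reports the output chain's DENY of destination-unreachable, the very symptom the thread started with.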
participants (4):
- Kurt Seifried
- MaD dUCK
- Martin Peikert
- Togan Muftuoglu