I posed this question a few days ago. I got no response, so I've been digging, and maybe I can ask a slightly different question.
System: SuSE 6.4 running SuSEfirewall 4.2
Symptom: Output DENY messages when sending mail. I've also sometimes seen these directed at my ISP's DNS servers.
When sending mail, I get four repetitions of the following, but the mail goes thru:
output DENY ppp0 PROTO=1 my.ip.ad.dr:3 isp.smtp.ip.addr:3 L=108 S=0xC0 I=5893 F=0x0000 T=
After reading thru SuSEfirewall, I discovered that the messages disappear when I set FW_ALLOW_FW_TRACEROUTE = "yes", although my reading of the script looks like they're still being denied by the '# deny all other type 3' rule, which isn't logged. So it's transparent, with the same effect.
I tried hacking the script, moving the $DENY port-unreachable $LDC just outside the bracket, and changing it to $ACCEPT port-unreachable $LAC. Now I can turn off FW_ALLOW_FW_TRACEROUTE again. I'm still invisible to traceroute, and sending mail gives me just one message in the log:
output ACCEPT ppp0 PROTO=1 64.79.87.98:3 64.79.64.32:3 L=108 S=0xC0 I=26218 F=0x0000 T=255 (#3)
The destination address is my ISP's mail relay host.
So now my mail is going out without the delay of waiting for four timeouts. But I still have the question of what is going on here? I have not been able to find any documentation of the various parameters displayed with the log message. What port is my ISP's mail host trying to connect to, and why? Is this normal SMTP behaviour?
Can someone point me to the RFC that defines all the ICMP sub-types?
-- Rick Green
I can't point you to the specific RFC, but you can find all the RFCs here: http://www.landfield.com/rfcs/ It is searchable, so you should find what you need. If I have time I will do some checking myself, because it sounds interesting =)
-Raphael
----- Original Message ----- From: "Rick Green" <rtg@mich.com> To: "suse-security" <suse-security@suse.com> Sent: Tuesday, January 23, 2001 7:04 PM Subject: [suse-security] ICMP filter in SuSEfirewall? (again)
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
On Tue, 23 Jan 2001, Rick Green wrote:
Can someone point me to the RFC that defines all the ICMP sub-types?
Are these the definitions you mean?
#define ICMP_ECHOREPLY 0 /* Echo Reply */
#define ICMP_DEST_UNREACH 3 /* Destination Unreachable */
#define ICMP_SOURCE_QUENCH 4 /* Source Quench */
#define ICMP_REDIRECT 5 /* Redirect (change route) */
#define ICMP_ECHO 8 /* Echo Request */
and so forth
I took this from the kernel source tree in: /usr/data/src/linux-2.2.13.SuSE/include/net/icmp.h
I just posted a similar question about these DENYs to the list, so sorry about the duplication. I am very interested to hear what the Destination Unreachable packets do for the ISP and for attackers.
dproc
On Tue, 23 Jan 2001, dprocc wrote:
Are these the definitions you mean?
#define ICMP_ECHOREPLY 0 /* Echo Reply */
#define ICMP_DEST_UNREACH 3 /* Destination Unreachable */
#define ICMP_SOURCE_QUENCH 4 /* Source Quench */
#define ICMP_REDIRECT 5 /* Redirect (change route) */
#define ICMP_ECHO 8 /* Echo Request */
and so forth
I took this from the kernel source tree in: /usr/data/src/linux-2.2.13.SuSE/include/net/icmp.h
I've got a good description of the basic ICMP types in Ziegler's book "Linux Firewalls", but I haven't found a definition of the message sub-types. It's probably in the Comer books, but my copy is in storage at the moment. It's probably in an RFC, and I have all of them loaded on my system, but I don't know which number is the most recent index. I haven't had any luck fishing. (Wouldn't it be nice if the kind folks at SuSE included a link in that RPM called INDEX, pointing to the most recent index/status RFC.)
'man ipchains' mentioned getting a list via 'ipchains -h icmp', which returned the following, in part:
destination-unreachable network-unreachable host-unreachable protocol-unreachable port-unreachable fragmentation-needed source-route-failed network-unknown host-unknown network-prohibited host-prohibited TOS-network-unreachable TOS-host-unreachable communication-prohibited host-precedence-violation precedence-cutoff
So now I got the names, I just need the definitions!
My understanding at this point is that ICMP destination unreachable (port unreachable) is essentially the difference between -j DENY and -j REJECT. A DENY'd packet is just dropped on the floor, while a REJECTed packet returns ICMP port unreachable. Somebody please tell me if I'm on the right track here! So I'm confused when it appears to me that SuSEfirewall is dropping all outgoing ICMP 3's except 'fragmentation needed' and 'communication prohibited'. So there would be no external difference between a DENY and a REJECT, right?
I just posted a similar question about these DENYs to the list, so sorry about the duplication. I am very interested to hear what the Destination Unreachable packets do for the ISP and for attackers.
A portscanner will get NO response, and will have to wait for a timeout, if packets are dropped, but will get an immediate ICMP destination unreachable if they are REJECTed. Steve Gibson, on his Shields Up! site (www.grc.com - publicly available portscanner) seems to think the stealth approach of no response is better protection. On the other hand, I'd rather be polite with those hosts that I'm intending to communicate with.
FURTHER RESEARCH:
Still trying to understand what's going on under the covers as I send mail, I ran tcpdump as I sent an e-mail, then viewed the resulting file with ethereal. I'm finding this to be a real educational tool! Ethereal maps out and interprets all the bits of each packet, so I'm learning bunches about the protocols. I found out that the ICMP destination unreachable was in response to my ISP's mail relay host attempting to connect to my ident server. This sounds like a reasonable behavior. But I'm not running an ident server, because I'd rather give out as little information as possible.
I'm now thinking that it's time for me to graduate to a 2.4 kernel and iptables. I recently read something about 'stateful' rules in iptables, so I could conceivably have a default DENY for ident, yet open up a temporary ACCEPT for a specific IP address when I see an outgoing TCP SYN towards that IP address's mail (or dns) server. Kewl. Has anybody successfully upgraded SuSE 6.4 to kernel 2.4? Or would I be better off starting with a fresh SuSE 7.0 system?
-- Rick Green
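As an added example (not code from this thread, from SuSEfirewall or from the kernel), the following Python decodes the two kinds of evidence discussed above: ipchains log lines like the ones Rick quoted, and the ICMP Destination Unreachable message itself. In an ipchains log line the fields are chain, target, interface, PROTO, then src:port dst:port, L= total length, S= TOS, I= IP id, F= fragment flags/offset, T= TTL and (#n) the rule number; for PROTO=1 the two "port" slots carry the ICMP type and code, so ":3 ... :3" is type 3 code 3, port unreachable. The code names are those from `ipchains -h icmp` and RFC 792/1122/1812. The type 3 message quotes the IP header and first 8 bytes of the datagram it answers (RFC 792), which is where the ident port, TCP 113, becomes visible. The two log lines are from the thread; the third log line, the ICMP packet, the relay's ephemeral port 1045, the IP id and the sequence number are constructed for the example.

```python
"""Decode ipchains packet-log lines and ICMP Destination Unreachable messages.
Added example; not from the thread, SuSEfirewall or the kernel."""
import ipaddress
import re
import struct

# ICMP type numbers (RFC 792); include/linux/icmp.h carries the same list.
ICMP_TYPES = {
    0: "echo-reply", 3: "destination-unreachable", 4: "source-quench",
    5: "redirect", 8: "echo-request", 11: "time-exceeded", 12: "parameter-problem",
}
# Type 3 codes: RFC 792 defined 0-5, RFC 1122 and RFC 1812 added 6-15.
# The names are the ones `ipchains -h icmp` prints.
UNREACH_CODES = {
    0: "network-unreachable", 1: "host-unreachable", 2: "protocol-unreachable",
    3: "port-unreachable", 4: "fragmentation-needed", 5: "source-route-failed",
    6: "network-unknown", 7: "host-unknown", 8: "source-host-isolated",
    9: "network-prohibited", 10: "host-prohibited", 11: "TOS-network-unreachable",
    12: "TOS-host-unreachable", 13: "communication-prohibited",
    14: "host-precedence-violation", 15: "precedence-cutoff",
}

# ipchains log layout: chain target iface PROTO=n src:sp dst:dp L=len S=TOS I=id
# F=frag T=ttl (#rule).  For PROTO=1 the sp/dp slots hold ICMP type and code.
# re.search skips a syslog timestamp and the kernel's "Packet log: " prefix.
LOG_RE = re.compile(
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[^\s:]+):(?P<sp>\d+) (?P<dst>[^\s:]+):(?P<dp>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<id>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d*)(?: \(#(?P<rule>\d+)\))?"
)


def parse_log_line(line: str) -> dict:
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an ipchains log line: %r" % line)
    f = m.groupdict()
    entry = {
        "chain": f["chain"], "target": f["target"], "iface": f["iface"],
        "proto": int(f["proto"]), "src": f["src"], "dst": f["dst"],
        "length": int(f["len"]), "tos": int(f["tos"], 16), "ip_id": int(f["id"]),
        "frag": int(f["frag"], 16),
        "ttl": int(f["ttl"]) if f["ttl"] else None,   # the first posted line was cut off at T=
        "rule": int(f["rule"]) if f["rule"] else None,
    }
    if entry["proto"] == 1:
        entry["icmp_type"], entry["icmp_code"] = int(f["sp"]), int(f["dp"])
    else:
        entry["sport"], entry["dport"] = int(f["sp"]), int(f["dp"])
    return entry


def describe(entry: dict) -> str:
    if entry["proto"] != 1:
        return "%(target)s %(chain)s proto %(proto)d %(src)s:%(sport)d -> %(dst)s:%(dport)d" % entry
    t, c = entry["icmp_type"], entry["icmp_code"]
    name = ICMP_TYPES.get(t, "type-%d" % t)
    if t == 3:
        name += "/" + UNREACH_CODES.get(c, "code-%d" % c)
    return "%s %s ICMP %s %s -> %s" % (entry["target"], entry["chain"], name, entry["src"], entry["dst"])


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; a valid packet sums to 0 with its checksum in place."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_unreachable(code, inner_src, inner_dst, proto, orig_len, l4_first8):
    """Constructed ICMP type 3 message: 8-byte ICMP header, then the IP header and
    first 8 bytes of the datagram being answered, as RFC 792 requires."""
    src, dst = ipaddress.IPv4Address(inner_src).packed, ipaddress.IPv4Address(inner_dst).packed
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, orig_len, 0x1234, 0x4000, 64, proto, 0, src, dst)
    inner_ip = inner_ip[:10] + struct.pack("!H", inet_checksum(inner_ip)) + inner_ip[12:]
    body = inner_ip + l4_first8[:8]
    csum = inet_checksum(struct.pack("!BBHI", 3, code, 0, 0) + body)
    return struct.pack("!BBHI", 3, code, csum, 0) + body


def decode_unreachable(pkt: bytes) -> dict:
    """Parse a type 3 message and report which datagram (and port) it answers."""
    icmp_type, code, _csum, _rest = struct.unpack("!BBHI", pkt[:8])
    if icmp_type != 3:
        raise ValueError("not Destination Unreachable: type %d" % icmp_type)
    if inet_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    inner = pkt[8:]
    ihl = (inner[0] & 0x0F) * 4
    proto, src, dst = struct.unpack("!B2x4s4s", inner[9:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])   # TCP and UDP both start with the ports
    return {"code": code, "code_name": UNREACH_CODES.get(code, "code-%d" % code),
            "orig_proto": proto, "orig_src": str(ipaddress.IPv4Address(src)),
            "orig_dst": str(ipaddress.IPv4Address(dst)), "orig_sport": sport, "orig_dport": dport}


# Sample data: first two log lines are from the thread; the third (the inbound ident
# probe, had it been logged), the ephemeral port 1045 and the sequence number are constructed.
RELAY, HOST = "64.79.64.32", "64.79.87.98"
SAMPLE_LOG = [
    "output DENY ppp0 PROTO=1 my.ip.ad.dr:3 isp.smtp.ip.addr:3 L=108 S=0xC0 I=5893 F=0x0000 T=",
    "output ACCEPT ppp0 PROTO=1 64.79.87.98:3 64.79.64.32:3 L=108 S=0xC0 I=26218 F=0x0000 T=255 (#3)",
    "input DENY ppp0 PROTO=6 64.79.64.32:1045 64.79.87.98:113 L=60 S=0x00 I=4660 F=0x4000 T=55 (#7)",
]
IDENT_SYN_FIRST8 = struct.pack("!HHI", 1045, 113, 0x1A2B3C4D)       # sport, dport, seq
SAMPLE_UNREACH = build_unreachable(3, RELAY, HOST, 6, 60, IDENT_SYN_FIRST8)

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(describe(parse_log_line(line)))
    print(decode_unreachable(SAMPLE_UNREACH))
```

The decoder is also what a REJECT target's output looks like on the wire: an ICMP type 3 code 3 answering the SYN, carrying enough of the SYN for the sender to match it to its own connection attempt, whereas a DENY produces nothing at all.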
Hi,
If you like a really comprehensive book, check out Eric A. Hall: "Internet Core Protocols" (O'Reilly). Every ICMP family plus subtypes, plus a bunch of TCP flags etc., is described there.
cheers, chris
On Wednesday 24 January 2001 05:37, Rick Green wrote:
On Tue, 23 Jan 2001, Rick Green wrote:
On Tue, 23 Jan 2001, dprocc wrote:
Are these the definitions you mean?
#define ICMP_ECHOREPLY 0 /* Echo Reply */
#define ICMP_DEST_UNREACH 3 /* Destination Unreachable */
#define ICMP_SOURCE_QUENCH 4 /* Source Quench */
#define ICMP_REDIRECT 5 /* Redirect (change route) */
#define ICMP_ECHO 8 /* Echo Request */
and so forth
I took this from the kernel source tree in: /usr/data/src/linux-2.2.13.SuSE/include/net/icmp.h
I've got a good description of the basic ICMP types in Ziegler's book "Linux Firewalls", but I haven't found a definition of the message sub-types.
The sub-types (aka codes?) were listed in the same C header, but I errantly posted the wrong path. Look at /usr/data/src/linux-2.2.13.SuSE/include/linux/icmp.h to find
/* Codes for UNREACH. */
#define ICMP_NET_UNREACH 0 /* Network Unreachable */
#define ICMP_HOST_UNREACH 1 /* Host Unreachable */
#define ICMP_PROT_UNREACH 2 /* Protocol Unreachable */
and so on. Now you can compare the kernel implementation to the RFCs' definitions if you have the inclination.
dproc
On Tue, 23 Jan 2001, Rick Green wrote:
Can someone point me to the RFC that defines all the ICMP sub-types?
The Internet Control Message Protocol was published in 1981 in RFC 792 and was later extended in RFC 1256. In 1983 it was included in the DOD Military Standard Protocols. My (German) reference is 'Mathias Hein: TCP/IP' (Datacom), which has a whole chapter on ICMP, but I have seen several even more detailed books on this subject in technical bookshops.
Erich
Hi, On Wed, 24 Jan 2001, dproc wrote:
I just posted a similar question about these DENYs to the list, so sorry about the duplication. I am very interested to hear what the Destination Unreachable packets do for the ISP and for attackers.
a very good description of ICMP is http://www.sys-security.com/archive/papers/ICMP_Scanning_v2.5.pdf
Regards, Peter
participants (7)
- Chris Wahl
- dproc@dol.net
- dprocc
- erich@mmf.at
- Peter Redecker
- Raphael Gray
- Rick Green