Information on how to create a firewall using ipfw is hard to come by. I’ve found bits and pieces of useful information in various places. I’m working on creating a tutorial on how to configure ipfw for Mac OS X, but in the meantime, here’s some information on the extremely low-level internet packet type, ICMP.
ICMP stands for Internet Control Message Protocol and controls some low-level networking functionality in the world of IP. Its more famous cousins (if such a thing is possible) are UDP and TCP. If you are configuring a firewall to block Denial of Service attacks and to prevent remote exploits, you’ll eventually realize you need to know about ICMP.
Here’s a brief summary of the types of ICMP messages…
ICMP Error Messages
Type | Name | Description |
---|---|---|
Type 3 | Destination Unreachable | Unable to deliver the datagram to the specified network, host, protocol, or port. Also sent if the datagram needs to be fragmented and the Don’t Fragment flag is on (used by Path-MTU Discovery). |
Type 4 | Source Quench | A request to the host to cut back the rate at which it is sending traffic to the internet destination. From spirit.com: “While it makes sense to permit Source Quench messages to public servers, it makes no sense to permit these ICMP messages into your internal networks.” |
Type 5 | Redirect | Advises the originating host to send its traffic directly to a different gateway, as this is a shorter path to the destination. |
Type 11 | Time Exceeded | The Time To Live (TTL) for the datagram has been exceeded. To prevent datagrams from traveling around the network forever, a datagram’s TTL value is decremented (decreased by 1) each time a host processes the datagram. TRACEROUTE manipulates TTL values to get each host along a route to return ICMP type 11 messages. |
Type 12 | Parameter Problem | The received datagram was discarded due to a problem with its header parameters. |
ICMP Query Messages
Type | Name | Description |
---|---|---|
Type 0 | Echo Reply | The returned message to an echo request (a.k.a. ping). |
Type 8 | Echo Request | A request to send an echo reply (a.k.a. ping). |
Type 13 | Timestamp Request | A request to return timestamps in milliseconds. |
Type 14 | Timestamp Reply | The returned message to a timestamp request. |
Type 15 | Information Request | A request to return the fully specified network address. |
Type 16 | Information Reply | The returned message to an information request. |
Which ICMP to allow in your IPFW firewall
The only essential ICMP traffic you need to allow in and out of your firewall is Type 3 and Type 4. Everything else is either optional or should be blocked.
Type | 0 | 3 | 4 | 5 | 8 | 11 | 12 | 13-16 | other |
---|---|---|---|---|---|---|---|---|---|
IN | OPT1 | ALLOW | ALLOW | DENY | OPT2 | OPT3 | DENY | DENY | DENY |
OUT | OPT2 | ALLOW | ALLOW | DENY | OPT1 | OPT4 | DENY | DENY | DENY |
Key:
OPT — should be set to DENY, unless you want the OPTional functionality described in the specified note
ALLOW — the specified type should be allowed through the firewall in the specified direction
DENY — the specified type should NOT be allowed through the firewall in the specified direction
Notes:
- To send ping requests, allow type 8 OUT and type 0 IN.
- To respond to ping requests, allow type 8 IN and type 0 OUT.
- To request a traceroute, allow type 11 IN.
- To respond to a traceroute, allow type 11 OUT.
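The table and notes above translate directly into an ipfw ruleset. The script below is an added example, not the author’s configuration: it prints the ipfw commands that implement the table (types 3 and 4 allowed both ways, the ping and traceroute options switched on or off per the notes, everything else denied) so they can be reviewed before being applied. The rule numbers, the external interface name `en0`, and the `PING_OUT`/`PING_IN`/`TRACEROUTE_OUT`/`TRACEROUTE_IN` toggles are assumptions of this example; `icmptypes`, `in`, `out` and `via` are ipfw’s own keywords.

```shell
#!/bin/sh
# Added example: emit an ipfw ruleset for ICMP that follows the ALLOW/DENY table.
# Assumptions (not from the page): rule numbers 1000-1090, external interface
# en0, and the four yes/no toggles below, which map onto the notes in the text.
# The script only prints commands; to apply them, review the output and then
# pipe it into a root shell, e.g.  sh icmp-rules.sh | sudo sh

PING_OUT=${PING_OUT:-yes}              # note 1: we may ping others (8 OUT, 0 IN)
PING_IN=${PING_IN:-no}                 # note 2: others may ping us (8 IN, 0 OUT)
TRACEROUTE_OUT=${TRACEROUTE_OUT:-yes}  # note 3: we may run traceroute (11 IN)
TRACEROUTE_IN=${TRACEROUTE_IN:-no}     # note 4: others may traceroute to us (11 OUT)
IFACE=${IFACE:-en0}                    # assumed external interface

# rule <number> <action> <icmp types> <in|out>
# Prints one ipfw command restricted to the given ICMP types and direction.
rule() {
    printf 'ipfw add %s %s icmp from any to any icmptypes %s %s via %s\n' \
        "$1" "$2" "$3" "$4" "$IFACE"
}

# Prints the complete ICMP ruleset, most specific rules first, catch-all deny last.
icmp_rules() {
    # Essential: Destination Unreachable (3) and Source Quench (4), both directions.
    rule 1000 allow 3,4 in
    rule 1010 allow 3,4 out

    # Optional ping, per the table's OPT1/OPT2 entries.
    if [ "$PING_OUT" = yes ]; then
        rule 1020 allow 8 out   # our echo requests leave
        rule 1030 allow 0 in    # the replies come back
    fi
    if [ "$PING_IN" = yes ]; then
        rule 1040 allow 8 in    # outside echo requests arrive
        rule 1050 allow 0 out   # our replies leave
    fi

    # Optional traceroute, per the table's OPT3/OPT4 entries.
    if [ "$TRACEROUTE_OUT" = yes ]; then
        rule 1060 allow 11 in   # Time Exceeded from each hop comes back to us
    fi
    if [ "$TRACEROUTE_IN" = yes ]; then
        rule 1070 allow 11 out  # we answer with Time Exceeded when traced
    fi

    # Everything else (5, 12, 13-16 and any other type) is denied in both
    # directions; ipfw stops at the first matching rule, so the allows above win.
    printf 'ipfw add 1090 deny icmp from any to any via %s\n' "$IFACE"
}

icmp_rules
```

Because each `rule` line names explicit ICMP types and a direction, the printed output can be checked line by line against the table before anything is loaded, and changing a toggle (for example `PING_IN=yes sh icmp-rules.sh`) adds exactly the two rules the corresponding note describes.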
More reading…
Rick Farrow’s ICMP Stands For Trouble was an invaluable read. And RFC 792… not so much.
Comments
How about the Mac OS X firewall manager http://www.hanynet.com/waterroof/
I got a hold of the RFC792 ICMP document and agree with you. It is worthless.