It is completely wrong to configure a firewall so that ICMP is filtered entirely, because ICMP is needed for troubleshooting and also because information about the state of a connection is conveyed via ICMP. Filtering ICMP therefore hampers troubleshooting and can slow down network applications. There certainly are attacks that work via ICMP, but ICMP is not an inherently evil protocol.
Type    Name
----    -------------------------
0       Echo Reply
1       Unassigned
2       Unassigned
3       Destination Unreachable
4       Source Quench
5       Redirect
6       Alternate Host Address
7       Unassigned
8       Echo
9       Router Advertisement
10      Router Selection
11      Time Exceeded
12      Parameter Problem
13      Timestamp
14      Timestamp Reply
15      Information Request
16      Information Reply
17      Address Mask Request
18      Address Mask Reply
19      Reserved (for Security)
20-29   Reserved (for Robustness Experiment)
30      Traceroute
31      Datagram Conversion Error
32      Mobile Host Redirect
33      IPv6 Where-Are-You
34      IPv6 I-Am-Here
35      Mobile Registration Request
36      Mobile Registration Reply
37      Domain Name Request
38      Domain Name Reply
39      SKIP
40      Photuris
41-255  Reserved
Here is a suggested IPFW configuration that filters by ICMP type instead of dropping ICMP completely:
# allow useful icmp
# ($CMD is assumed to be set earlier in the script to the ipfw command)
$CMD add deny icmp from any to any icmptypes 13              # Timestamp
$CMD add deny icmp from any to any icmptypes 14              # Timestamp Reply
$CMD add pass icmp from any to any icmptypes 0 keep-state    # Echo Reply
$CMD add pass icmp from any to any icmptypes 3 keep-state    # Destination Unreachable
$CMD add pass icmp from any to any icmptypes 4 keep-state    # Source Quench
$CMD add pass icmp from any to any icmptypes 5 keep-state    # Redirect
$CMD add pass icmp from any to any icmptypes 8 keep-state    # Echo
$CMD add pass icmp from any to any icmptypes 11 keep-state   # Time Exceeded
$CMD add pass icmp from any to any icmptypes 30 keep-state   # Traceroute
$CMD add pass icmp from any to any icmptypes 31 keep-state   # Datagram Conversion Error
$CMD add deny icmp from any to any                           # everything else
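Added example (not part of the original page): a small Python dry-run that applies first-match evaluation to the rule block above and lists which ICMP types it lets through. It models only the icmptypes match on static rules; keep-state dynamic rules and address matching are ignored, and the names parse_rules, verdict and passed_types are made up for this illustration.

```python
# Rule block from the page, with the "$CMD add" prefix stripped.
RULES = """\
deny icmp from any to any icmptypes 13
deny icmp from any to any icmptypes 14
pass icmp from any to any icmptypes 0 keep-state
pass icmp from any to any icmptypes 3 keep-state
pass icmp from any to any icmptypes 4 keep-state
pass icmp from any to any icmptypes 5 keep-state
pass icmp from any to any icmptypes 8 keep-state
pass icmp from any to any icmptypes 11 keep-state
pass icmp from any to any icmptypes 30 keep-state
pass icmp from any to any icmptypes 31 keep-state
deny icmp from any to any
"""

def parse_rules(text):
    """Return [(action, types)]; types is None when the rule matches every ICMP type."""
    rules = []
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) < 2 or words[1] != "icmp":
            continue  # blank line, comment, or a rule for another protocol
        types = None
        if "icmptypes" in words:
            # ipfw takes a comma-separated list of numeric types, no ranges
            arg = words[words.index("icmptypes") + 1]
            types = {int(t) for t in arg.split(",")}
        rules.append((words[0], types))
    return rules

def verdict(rules, icmp_type):
    """First matching rule wins; None means no ICMP rule matched."""
    for action, types in rules:
        if types is None or icmp_type in types:
            return action
    return None

def passed_types(rules):
    """All ICMP type numbers (0-255) that the rule list passes."""
    return [t for t in range(256) if verdict(rules, t) == "pass"]

if __name__ == "__main__":
    rules = parse_rules(RULES)
    print("passed:", passed_types(rules))
    # Moving the catch-all deny to the top shadows every pass rule.
    shadowed = [rules[-1]] + rules[:-1]
    print("passed with catch-all first:", passed_types(shadowed))
```

The run shows that every type not listed, for example type 12 (Parameter Problem), ends at the final deny rule.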