
Opened 6 years ago

Closed 6 years ago

Last modified 4 years ago

#11023 closed defect (worksforme)

ICMP is blocked by default

Reported by: jch@… Owned by: developers
Priority: normal Milestone: Barrier Breaker 14.07
Component: base system Version: 10.03.1
Keywords: Cc:

Description

The default firewall rejects unrelated ICMPv4, and allows ICMPv6 only for the INPUT chain, and only for specific types.

I suggest that unrelated ICMP should be allowed in the FORWARD chain, at least for IPv6, possibly with some rate limiting. Blacklisting specific ICMP types is okay, but a whitelisting approach which excludes future types is not.

--jch

Attachments (0)

Change History (4)

comment:1 Changed 6 years ago by jow

  • Resolution set to worksforme
  • Status changed from new to closed

Unrelated ICMPv6 *is* allowed, both input and forward; it is also rate limited.
Whitelisted types have been chosen according to RFC4890.

comment:2 Changed 6 years ago by anonymous

I stand corrected. Sorry for the confusion.

What about IPv4?

--jch

comment:3 Changed 6 years ago by jow

Probably needs a src wan / dest * rule for types echo-request and a few other assorted types. Need to search some best practices on which types to allow without introducing too much info leakage.
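
The kind of rule suggested in comment:3, written out as an added illustration in OpenWrt /etc/config/firewall (UCI) syntax. It is not part of the ticket and not the project's default configuration for any release; the rule name, the chosen ICMPv4 types and the limit value are assumptions. It forwards echo-request plus the two types a router generally needs for path MTU discovery and traceroute to work through it (destination-unreachable, time-exceeded), from wan to any zone, rate limited, in the same shape as the existing rate-limited ICMPv6 forward rule the comment refers to:

```uci
# Added example, not from the ticket or the OpenWrt defaults.
# Forward a small whitelist of ICMPv4 types from wan to every zone,
# rate limited. "dest *" matches any destination zone, so this lands
# in the FORWARD path rather than INPUT.
config rule
	option name		Allow-ICMPv4-Forward   # assumed name
	option src		wan
	option dest		*
	option proto		icmp
	option family		ipv4
	list icmp_type		echo-request
	list icmp_type		destination-unreachable
	list icmp_type		time-exceeded
	option limit		1000/sec               # assumed value; iptables "limit" match syntax
	option target		ACCEPT
```

Being a whitelist, this still has the property jch objects to in the description: any ICMPv4 type not listed stays blocked, so the list has to be revisited if new types matter later. Types that reveal topology or host details (e.g. timestamp and address-mask requests) are deliberately left off, which is the info-leakage trade-off the comment raises.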

comment:4 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted
