
Opened 3 years ago

Last modified 3 years ago

#19153 new defect

Default firewall rules do not allow IPv4 traceroute (ICMP)

Reported by: James W Owned by: developers
Priority: normal Milestone: Chaos Calmer 15.05
Component: other Version: Trunk
Keywords: firewall icmp traceroute ipv4 blocked Cc: james.wood@…

Description

In the default /etc/config/firewall file, there are no longer any rules to allow ICMP for IPv4 traffic, thus when trying to perform a traceroute from the router itself it will fail even on the first hop:

traceroute jolt.co.uk
traceroute to jolt.co.uk (162.255.119.254), 30 hops max, 38 byte packets

 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *

Although there is a rule to allow ICMP on IPv6, there is no equivalent for IPv4. As soon as I added the following rule (copied from the IPv6 rule, changing only the family to IPv4), traceroutes worked again:

config rule
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option target 'ACCEPT'
	option name 'Allow-ICMPv4-Input'
	option family 'ipv4'

Note: clients behind the router can traceroute; this only affects the router itself.

Thanks

James

Attachments (0)

Change History (4)

comment:1 Changed 3 years ago by James W

After adding the firewall rules:

traceroute jolt.co.uk
traceroute to jolt.co.uk (162.255.119.254), 30 hops max, 38 byte packets

1 10.0.1.253 (10.0.1.253) 0.291 ms 0.568 ms 0.471 ms
2 cbs1-asht6-2-0-gw.10-1.cable.virginm.net (86.1.xxx.113) 10.385 ms 10.628 ms 7.613 ms
3 manc-core-2a-xe-1003-0.network.virginmedia.net (213.104.242.29) 8.308 ms 11.061 ms 4.571 ms

etc...

comment:2 Changed 3 years ago by cyrus

I cannot reproduce this with the default firewall config (it works fine for me). Can you tell me if you have made some additional changes?

Normally outgoing traffic should be allowed and the return traffic is accepted as part of an established connection. The ICMPv6 exceptions are required for, e.g., router advertisements, which can come unsolicited from external devices.
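Cyrus's point about established connections, illustrated with a small Python model added here (it is not fw3 or netfilter code; the wan address, flow tuples and the simplified conntrack logic are constructed): an outbound UDP traceroute probe is tracked, the hop's ICMP time-exceeded that quotes that probe is classified RELATED and accepted without any IPv4 ICMP rule, while unsolicited ICMP only gets through where the default file has an explicit rule.

```python
from dataclasses import dataclass, field

# Constructed model (not fw3 code) of the default OpenWrt wan zone: outbound flows
# are tracked by conntrack, RELATED/ESTABLISHED return traffic is accepted, and
# anything else falls through to the zone's input policy unless a rule matches.
ZONE_INPUT_POLICY = "REJECT"
# ICMP types the default rules accept on wan input (Allow-Ping, Allow-ICMPv6-Input).
ALLOWED_ICMP = {
    "ipv4": {"echo-request"},
    "ipv6": {"echo-request", "echo-reply", "destination-unreachable", "packet-too-big",
             "time-exceeded", "bad-header", "unknown-header-type", "router-solicitation",
             "neighbour-solicitation", "router-advertisement", "neighbour-advertisement"},
}

@dataclass
class Conntrack:
    flows: set = field(default_factory=set)  # (src, sport, dst, dport) of outbound UDP

    def outbound_udp(self, src, sport, dst, dport):
        self.flows.add((src, sport, dst, dport))

    def state(self, pkt):
        """ICMP errors quote the header of the packet that triggered them;
        conntrack looks that quote up and marks a hit RELATED, a miss INVALID."""
        if "inner" in pkt:
            return "RELATED" if pkt["inner"] in self.flows else "INVALID"
        return "NEW"

def wan_input_verdict(ct, pkt):
    """Order of the default INPUT chain: conntrack accept, zone rules, zone policy."""
    if ct.state(pkt) in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"
    if pkt["proto"] == "icmp" and pkt["type"] in ALLOWED_ICMP[pkt["family"]]:
        return "ACCEPT"
    return ZONE_INPUT_POLICY

def demo():
    """Router (constructed wan address 192.0.2.10) runs a UDP traceroute to jolt.co.uk."""
    ct = Conntrack()
    probe = ("192.0.2.10", 40000, "162.255.119.254", 33434)  # traceroute's default first port
    ct.outbound_udp(*probe)
    icmp4 = lambda t, **kw: {"family": "ipv4", "proto": "icmp", "type": t, **kw}
    pkts = {
        "hop1 time-exceeded quoting our probe": icmp4("time-exceeded", inner=probe),
        "time-exceeded quoting unknown flow": icmp4("time-exceeded", inner=("192.0.2.10", 1, "198.51.100.7", 53)),
        "unsolicited ipv4 echo-request": icmp4("echo-request"),
        "unsolicited ipv6 router-advertisement": {"family": "ipv6", "proto": "icmp", "type": "router-advertisement"},
    }
    return {name: wan_input_verdict(ct, p) for name, p in pkts.items()}
```

If the model holds on a real box, the ticket's traceroute failure points at something that breaks the RELATED match (for example conntrack not loaded or a non-default INPUT chain), not at a missing IPv4 ICMP rule.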

comment:3 Changed 3 years ago by anonymous

Hi cyrus

Here is the default firewall file; I have not touched it apart from adding the extra rule. Can you post your firewall file?

config defaults
	option syn_flood 1
	option input ACCEPT
	option output ACCEPT
	option forward REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6 1

config zone
	option name lan
	list network 'lan'
	option input ACCEPT
	option output ACCEPT
	option forward ACCEPT

config zone
	option name wan
	list network 'wan'
	list network 'wan6'
	option input REJECT
	option output ACCEPT
	option forward REJECT
	option masq 1
	option mtu_fix 1

config forwarding
	option src lan
	option dest wan

# We need to accept udp packets on port 68,
# see /ticket/4108.html
config rule
	option name Allow-DHCP-Renew
	option src wan
	option proto udp
	option dest_port 68
	option target ACCEPT
	option family ipv4

# Allow IPv4 ping
config rule
	option name Allow-Ping
	option src wan
	option proto icmp
	option icmp_type echo-request
	option family ipv4
	option target ACCEPT

# Allow DHCPv6 replies
# see /ticket/10381.html
config rule
	option name Allow-DHCPv6
	option src wan
	option proto udp
	option src_ip fe80::/10
	option src_port 547
	option dest_ip fe80::/10
	option dest_port 546
	option family ipv6
	option target ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name Allow-ICMPv6-Input
	option src wan
	option proto icmp
	list icmp_type echo-request
	list icmp_type echo-reply
	list icmp_type destination-unreachable
	list icmp_type packet-too-big
	list icmp_type time-exceeded
	list icmp_type bad-header
	list icmp_type unknown-header-type
	list icmp_type router-solicitation
	list icmp_type neighbour-solicitation
	list icmp_type router-advertisement
	list icmp_type neighbour-advertisement
	option limit 1000/sec
	option family ipv6
	option target ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name Allow-ICMPv6-Forward
	option src wan
	option dest *
	option proto icmp
	list icmp_type echo-request
	list icmp_type echo-reply
	list icmp_type destination-unreachable
	list icmp_type packet-too-big
	list icmp_type time-exceeded
	list icmp_type bad-header
	list icmp_type unknown-header-type
	option limit 1000/sec
	option family ipv6
	option target ACCEPT

# include a file with users custom iptables rules
config include
	option path /etc/firewall.user

comment:4 Changed 3 years ago by anonymous

Cyrus,

Just wondering if you managed to replicate this?

Thanks

James
