[ For the confused: ICMP is the Internet Control Message Protocol, and was
originally specified in RFC 792 which can be found at
http://ds.internic.net/rfc/rfc792.txt or
http://www.kashpureff.org/nic/rfcs/700/rfc792.txt.html ]

> I have been using ip_masq for several months now, but one
> thing still escapes me: does anyone out there know how to
> block ICMP requests from being transmitted back to the host?

A better explanation of the potential problems involved than I could offer:

From IPCHAINS-HOWTO section 5.2, What not to filter out:
--
ICMP packets are used (among other things) to indicate failure for other
protocols (such as TCP and UDP). `destination-unreachable' packets in
particular. Blocking these packets means that you will never get `Host
unreachable' or `No route to host' errors; any connections will just wait
for a reply that never comes. This is irritating, but rarely fatal.

A worse problem is the role of ICMP packets in MTU discovery. All good TCP
implementations (Linux included) use MTU discovery to try to figure out the
largest packet that can get to a destination without being fragmented
(fragmentation slows performance, especially when occasional fragments are
lost). MTU discovery works by sending packets with the "Don't Fragment" bit
set, and then sending smaller packets if it gets an ICMP packet indicating
"Fragmentation needed but DF set" (`fragmentation-needed'). This is a type
of `destination-unreachable' packet, and if it is never received, the local
host will not reduce MTU, and performance will be abysmal or non-existent.
--

Another good source of info is "Path MTU Discovery and Filtering ICMP"
http://www.worldgate.com/~marcs/mtu/

But if you still want to do this, presuming the firewall is set up in ip-local,
something similar to this should work (untested).

using ipfwadm ($1 is the interface name passed as the script's first argument):
  # drop all incoming ICMP on that interface
  ipfwadm -I -a deny -P icmp -W $1
  # outgoing pings are useless
  ipfwadm -O -a deny -P icmp -W $1

using ipchains (same $1 convention; REJECT on an ICMP packet acts like DENY,
since ipchains never answers ICMP with ICMP):
  # drop all incoming ICMP on that interface
  ipchains -A input -i $1 -j REJECT -p ICMP
  # outgoing pings are useless
  ipchains -A output -i $1 -j REJECT -p ICMP

If you're using ipchains, try 'ipchains -h icmp' for a listing of ICMP type
names.

Hope this helps,

Lourdes
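
An added example, not part of the post above or of the IPCHAINS-HOWTO: the
rules given block every ICMP type, which is exactly what the quoted HOWTO
warns against. The script below parses the RFC 792 ICMP header (type, code,
checksum), verifies the checksum, and applies the selective policy the HOWTO
argues for: pass the error-reporting types TCP and Path MTU discovery depend
on (destination-unreachable, including fragmentation-needed with its RFC 1191
next-hop MTU field, time-exceeded, source-quench, parameter-problem) and drop
echo traffic. The sample messages are constructed by hand; nothing here
drives ipchains or ipfwadm, it only models the decision a rule set should make.

```python
"""Per-message ICMP filter decision following the IPCHAINS-HOWTO advice.

Added example (not from the original post or the HOWTO). Parses the 8-byte
ICMP header from RFC 792, verifies the checksum, and passes the error types
other protocols rely on while dropping echo traffic.
"""
import struct

# ICMP types from RFC 792
ECHO_REPLY = 0
DEST_UNREACHABLE = 3
SOURCE_QUENCH = 4
ECHO_REQUEST = 8
TIME_EXCEEDED = 11
PARAMETER_PROBLEM = 12

# Destination-unreachable code from RFC 792: "fragmentation needed and DF set"
FRAGMENTATION_NEEDED = 4

# Types carrying failure information for TCP/UDP. Dropping these is what
# produces hung connections and broken MTU discovery.
ERROR_TYPES = {DEST_UNREACHABLE, SOURCE_QUENCH, TIME_EXCEEDED, PARAMETER_PROBLEM}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(packet: bytes) -> dict:
    """Split an ICMP message into header fields; raise on a bad checksum."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    icmp_type, code, checksum = struct.unpack("!BBH", packet[:4])
    # The checksum is computed with the checksum field itself zeroed.
    zeroed = packet[:2] + b"\x00\x00" + packet[4:]
    if icmp_checksum(zeroed) != checksum:
        raise ValueError("bad ICMP checksum")
    fields = {"type": icmp_type, "code": code, "rest": packet[4:8]}
    if icmp_type == DEST_UNREACHABLE and code == FRAGMENTATION_NEEDED:
        # RFC 1191: the low 16 bits of the second header word carry the
        # next-hop MTU the sender must reduce to.
        fields["next_hop_mtu"] = struct.unpack("!H", packet[6:8])[0]
    return fields


def filter_decision(packet: bytes) -> tuple:
    """Return ("ACCEPT"|"DENY", reason) for one ICMP message."""
    try:
        fields = parse_icmp(packet)
    except ValueError as exc:
        return ("DENY", str(exc))
    if fields["type"] in ERROR_TYPES:
        if "next_hop_mtu" in fields:
            return ("ACCEPT", "fragmentation-needed, next-hop MTU %d" % fields["next_hop_mtu"])
        return ("ACCEPT", "error report type %d code %d" % (fields["type"], fields["code"]))
    if fields["type"] in (ECHO_REQUEST, ECHO_REPLY):
        return ("DENY", "echo traffic")
    return ("DENY", "type %d not needed" % fields["type"])


def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message with a correct checksum (used for the samples)."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest
    checksum = icmp_checksum(header + payload)
    return struct.pack("!BBH", icmp_type, code, checksum) + rest + payload


# Constructed sample messages (not captured traffic). A real
# fragmentation-needed message carries the offending IP header plus 8 bytes
# as payload; it is shortened here.
FRAG_NEEDED = build_icmp(DEST_UNREACHABLE, FRAGMENTATION_NEEDED,
                         struct.pack("!HH", 0, 1400), b"\x45\x00" * 4)
HOST_UNREACHABLE = build_icmp(DEST_UNREACHABLE, 1, b"\x00" * 4)
ECHO = build_icmp(ECHO_REQUEST, 0, struct.pack("!HH", 0x1234, 1), b"ping")
TIME_EXC = build_icmp(TIME_EXCEEDED, 0, b"\x00" * 4)
# The echo request with its last payload byte flipped, so the checksum fails.
CORRUPT = ECHO[:-1] + bytes([ECHO[-1] ^ 0xFF])

if __name__ == "__main__":
    for name, pkt in [("frag-needed", FRAG_NEEDED), ("host-unreachable", HOST_UNREACHABLE),
                      ("echo-request", ECHO), ("time-exceeded", TIME_EXC), ("corrupt", CORRUPT)]:
        decision, reason = filter_decision(pkt)
        print("%-17s %-6s (%s)" % (name, decision, reason))
```

The same split is what an ipchains rule set would express: an ACCEPT for
destination-unreachable, time-exceeded, source-quench and parameter-problem
placed before a final DENY for the rest of ICMP, so pings stop without
silently breaking Path MTU discovery.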
