From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH] drop excessive ICMP ping traffic to the firewall
Date: Thu, 04 Jul 2019 18:32:00 +0000
Message-ID: <8424c54e-4821-b378-c2df-a122a8c719ff@ipfire.org>

Hello Michael,

> Hi,
>
>> On 4 Jul 2019, at 18:31, Peter Müller wrote:
>>
>> pings are replied to for diagnostic reasons only. As unlimited
>> response generation may open up a (D)DoS attack surface for
>> both external and internal networks, dropping excessive traffic
>> is reasonable.
>
> IPFire won’t do this. We have this configuration in place to avoid this which also works for any other kind of ICMP message (or at least what is selected by the mask):
>
> net.ipv4.icmp_echo_ignore_broadcasts = 1
> net.ipv4.icmp_ignore_bogus_error_responses = 1
> net.ipv4.icmp_ratelimit = 1000
> net.ipv4.icmp_ratemask = 6168
>
> This is from /etc/sysctl.conf.

I was unaware of this configuration. The rate limit of 1000 might be a bit too large for home users, depending on how many other ICMP packets need to be processed or sent. Anyway, it's good to have these directives around. :-)

>
> So do you still want the patch?

No, thank you.

Best regards,
Peter Müller

>
> -Michael
>
>>
>> Signed-off-by: Peter Müller
>> ---
>> src/initscripts/system/firewall | 6 ++++--
>> 1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>> index b3483a744..622d7de4e 100644
>> --- a/src/initscripts/system/firewall
>> +++ b/src/initscripts/system/firewall
>> @@ -214,10 +214,12 @@ iptables_init() {
>> iptables -N IPTVFORWARD
>> iptables -A FORWARD -j IPTVFORWARD
>>
>> - # Allow to ping the firewall.
>> + # Allow non-excessive pings to the firewall
>> iptables -N ICMPINPUT
>> iptables -A INPUT -j ICMPINPUT
>> - iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
>> + iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 100/second -j ACCEPT
>> + iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 10/minute -j LOG --log-prefix "DROP_PINGFLOOD " -m comment --comment "DROP ping flood"
>> + iptables -A ICMPINPUT -p icmp --icmp-type 8 -j DROP
>>
>> # Accept everything on loopback
>> iptables -N LOOPBACK
>> --
>> 2.16.4
>>
>

--
The road to Hades is easy to travel.
  -- Bion of Borysthenes
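Review bot: the `-m limit --limit 100/second` rule in this hunk is one token bucket shared by every sender, so as soon as a single host exceeds the budget the following `-j DROP` line discards echo requests from all other hosts as well, including administrators on the internal networks the commit message says it wants to protect; if the intent is per-sender fairness, `-m hashlimit --hashlimit-mode srcip --hashlimit-upto 100/second --hashlimit-name pingflood` keeps a bucket per source address, and in either variant the burst should be stated explicitly (`--limit-burst`, default 5) so the effective threshold is documented in the rule rather than implied. Before dropping the patch in favour of the sysctl values quoted in the thread, check what net.ipv4.icmp_ratemask = 6168 actually covers: 6168 is 0x1818, i.e. bits 3, 4, 11 and 12 (destination unreachable, source quench, time exceeded, parameter problem); bit 0 (echo reply) and bit 8 (echo request) are not set, so icmp_ratelimit = 1000 does not throttle replies to pings unless the mask is changed.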
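Two checks that follow from the discussion above, written here as an added example; this is not code from the thread, the patch or IPFire. It decodes the `net.ipv4.icmp_ratemask` value Michael quotes (the bit-per-type layout is the one documented for the Linux kernel) and then models the iptables `-m limit` match the patch uses, one global token bucket, against a per-source bucket of the kind `-m hashlimit --hashlimit-mode srcip` provides. The packet trace (one flooding host, one admin pinging occasionally) is constructed for the demonstration, and the bucket is an idealised model using exact fractions; the real kernel module counts integer credits per jiffy, so absolute numbers differ slightly while the starvation effect is the same.

```python
"""Added example (not IPFire code): two checks on the ICMP rate limiting
discussed in the thread.

1. Decode net.ipv4.icmp_ratemask to see which ICMP types the kernel's
   icmp_ratelimit actually applies to.
2. Model the iptables `-m limit` match (a single global token bucket) and
   a per-source bucket (what `-m hashlimit --hashlimit-mode srcip` gives)
   on a constructed packet trace, to see who gets starved during a flood.
"""
from fractions import Fraction

# ICMP type numbers and names (RFC 792 / IANA) for the bits seen in a ratemask.
ICMP_TYPE_NAMES = {
    0: "echo-reply",
    3: "destination-unreachable",
    4: "source-quench",
    5: "redirect",
    8: "echo-request",
    11: "time-exceeded",
    12: "parameter-problem",
    13: "timestamp-request",
    14: "timestamp-reply",
}


def ratemask_types(mask: int) -> set:
    """ICMP type numbers whose bit (1 << type) is set in icmp_ratemask."""
    return {t for t in range(32) if mask & (1 << t)}


def ratemask_names(mask: int) -> list:
    """Human-readable view of ratemask_types(); unknown types appear as 'type-N'."""
    return [ICMP_TYPE_NAMES.get(t, f"type-{t}") for t in sorted(ratemask_types(mask))]


class TokenBucket:
    """Idealised `-m limit --limit RATE/second --limit-burst BURST` bucket.

    Fractions keep the simulation exact and reproducible; the real kernel
    module works in integer credits per jiffy, so its counts differ slightly.
    """

    def __init__(self, rate_per_sec, burst=5):
        self.rate = Fraction(rate_per_sec)
        self.burst = Fraction(burst)
        self.tokens = self.burst      # the bucket starts full
        self.last = Fraction(0)

    def allow(self, now) -> bool:
        now = Fraction(now)
        # Refill continuously since the last packet, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def build_trace():
    """Constructed trace of (seconds, source): one host sends 1000 echo
    requests in one second; an admin pings five times, 200 ms apart."""
    trace = [(Fraction(ms, 1000), "flooder") for ms in range(1000)]
    trace += [(Fraction(105 + 200 * i, 1000), "admin") for i in range(5)]
    trace.sort()
    return trace


def run(trace, rate=100, burst=5, per_source=False) -> dict:
    """Count accepted echo requests per source.

    per_source=False: one bucket shared by everybody, as `-m limit` does.
    per_source=True:  one bucket per source address, as hashlimit srcip does.
    """
    buckets, accepted = {}, {}
    for now, src in trace:
        key = src if per_source else "*"
        bucket = buckets.setdefault(key, TokenBucket(rate, burst))
        accepted.setdefault(src, 0)
        if bucket.allow(now):
            accepted[src] += 1
    return accepted


if __name__ == "__main__":
    print("icmp_ratemask=6168 covers:", ratemask_names(6168))
    trace = build_trace()
    print("global limit 100/s :", run(trace))
    print("per-source 100/s   :", run(trace, per_source=True))
```

With the global bucket the flooder gets through at roughly the configured rate while the admin's five pings are all dropped; with a bucket per source the admin's pings are all answered and the flooder is throttled to the same rate as before. The ratemask decode shows why the sysctl alternative needs a second look: neither echo request nor echo reply is among the types 6168 selects.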