From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] drop excessive ICMP ping traffic to the firewall
Date: Thu, 04 Jul 2019 19:18:07 +0100

Hi,

> On 4 Jul 2019, at 18:31, Peter Müller wrote:
>
> pings are replied to for diagnostic reasons only. As unlimited
> response generation may open up a (D)DoS attack surface for
> both external and internal networks, dropping excessive traffic
> is reasonable.

IPFire won't do this. We have this configuration in place to avoid this, which also works for any other kind of ICMP message (or at least what is selected by the mask):

    net.ipv4.icmp_echo_ignore_broadcasts = 1
    net.ipv4.icmp_ignore_bogus_error_responses = 1
    net.ipv4.icmp_ratelimit = 1000
    net.ipv4.icmp_ratemask = 6168

This is from /etc/sysctl.conf.

So do you still want the patch?

-Michael

>
> Signed-off-by: Peter Müller
> ---
>  src/initscripts/system/firewall | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index b3483a744..622d7de4e 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -214,10 +214,12 @@ iptables_init() {
>  	iptables -N IPTVFORWARD
>  	iptables -A FORWARD -j IPTVFORWARD
>
> -	# Allow to ping the firewall.
> +	# Allow non-excessive pings to the firewall
>  	iptables -N ICMPINPUT
>  	iptables -A INPUT -j ICMPINPUT
> -	iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
> +	iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 100/second -j ACCEPT
> +	iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 10/minute -j LOG --log-prefix "DROP_PINGFLOOD " -m comment --comment "DROP ping flood"
> +	iptables -A ICMPINPUT -p icmp --icmp-type 8 -j DROP
>
>  	# Accept everything on loopback
>  	iptables -N LOOPBACK
> --
> 2.16.4
>
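Review bot: the `-m limit --limit 100/second` match on the new ACCEPT rule is one global token bucket, not a per-source one, so as soon as any single sender exceeds the rate every further echo request from every address is dropped until the bucket refills; the flood then costs all other hosts their diagnostics, which is the opposite of what the commit message wants. Scoping the limit per source address with `-m hashlimit --hashlimit-upto 100/second --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name pingflood -j ACCEPT` keeps one noisy host from affecting the rest. The rule also relies on the default `--limit-burst` of 5; stating the burst explicitly makes the accepted burst size intentional and reviewable. The `10/minute` LOG rule is a sensible log-rate limiter, but its `--comment "DROP ping flood"` sits on the LOG rule while the actual drop is the unconditional `-j DROP` on the following line; move the comment to the DROP rule or reword it. On the question of whether the patch is needed at all: the `net.ipv4.icmp_ratemask = 6168` (0x1818) value quoted in the reply selects ICMP types 3, 4, 11 and 12 only, so `net.ipv4.icmp_ratelimit` does not apply to echo replies, and the ICMPINPUT rule is the only limit on echo traffic here.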
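The reply quotes `net.ipv4.icmp_ratemask = 6168` without spelling out which ICMP types that covers. The following POSIX sh script is an added example (it is not part of the patch, the reply, or IPFire) that decodes a ratemask value: bit N of the mask selects ICMP type N for the `net.ipv4.icmp_ratelimit` token bucket, which governs ICMP messages the kernel itself originates. The function names are my own; the type names follow RFC 792 numbering, and the demo uses the value 6168 from the thread rather than reading a live host.

```shell
#!/bin/sh
# Added example, not part of the IPFire patch or the reply.
# Decode a net.ipv4.icmp_ratemask value: bit N of the mask selects ICMP type N
# for the net.ipv4.icmp_ratelimit token bucket (kernel-originated ICMP only).

# RFC 792 names for the types the mask commonly selects; others print as type-N.
icmp_type_name() {
    case "$1" in
        0)  echo "echo-reply" ;;
        3)  echo "destination-unreachable" ;;
        4)  echo "source-quench" ;;
        5)  echo "redirect" ;;
        8)  echo "echo-request" ;;
        11) echo "time-exceeded" ;;
        12) echo "parameter-problem" ;;
        13) echo "timestamp-request" ;;
        14) echo "timestamp-reply" ;;
        *)  echo "type-$1" ;;
    esac
}

# Print the type numbers selected by a mask, ascending, space separated.
icmp_ratemask_types() {
    mask=$1
    i=0
    out=""
    while [ "$i" -lt 32 ]; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            out="$out $i"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "${out# }"
}

# Succeed (exit 0) if mask $1 selects ICMP type $2, fail otherwise.
icmp_ratemask_covers() {
    [ $(( ($1 >> $2) & 1 )) -eq 1 ]
}

# Print mask $1 with ICMP type $2 added (unchanged if already selected).
icmp_ratemask_add() {
    echo $(( $1 | (1 << $2) ))
}

# Demo on the value quoted in the thread. To inspect a live host instead, use:
#   sysctl -n net.ipv4.icmp_ratemask
mask=6168
printf 'icmp_ratemask=%s (0x%x) selects:\n' "$mask" "$mask"
for t in $(icmp_ratemask_types "$mask"); do
    printf '  %2d %s\n' "$t" "$(icmp_type_name "$t")"
done
# Echo reply (0) and echo request (8) are the types the patch is about.
for t in 0 8; do
    if icmp_ratemask_covers "$mask" "$t"; then
        printf '%s (%s) is rate limited by the kernel\n' "$(icmp_type_name "$t")" "$t"
    else
        printf '%s (%s) is NOT rate limited; a mask including it would be %s\n' \
            "$(icmp_type_name "$t")" "$t" "$(icmp_ratemask_add "$mask" "$t")"
    fi
done
```

For 6168 the script lists types 3, 4, 11 and 12 and reports that neither echo reply nor echo request is selected, which is the check worth running before deciding whether a sysctl rate limit or an iptables rule is doing the limiting on a given host.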