pings are replied to for diagnostic reasons only. As unlimited response generation may open up a (D)DoS attack surface for both external and internal networks, dropping excessive traffic is reasonable.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
src/initscripts/system/firewall | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index b3483a744..622d7de4e 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -214,10 +214,12 @@ iptables_init() { iptables -N IPTVFORWARD iptables -A FORWARD -j IPTVFORWARD
- # Allow to ping the firewall. + # Allow non-excessive pings to the firewall iptables -N ICMPINPUT iptables -A INPUT -j ICMPINPUT - iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT + iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 100/second -j ACCEPT + iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 10/minute -j LOG --log-prefix "DROP_PINGFLOOD " -m comment --comment "DROP ping flood" + iptables -A ICMPINPUT -p icmp --icmp-type 8 -j DROP
# Accept everything on loopback iptables -N LOOPBACK
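Review bot: the ACCEPT rule's `-m limit --limit 100/second` is a single global token bucket shared by every source, so one remote flooder drains it and all further echo requests to the firewall are dropped, including the administrator's diagnostic pings from the internal networks the commit message sets out to protect. A per-source match avoids that, for example `iptables -A ICMPINPUT -p icmp --icmp-type 8 -m hashlimit --hashlimit-mode srcip --hashlimit-above 100/second --hashlimit-name pingflood -j DROP` placed before the ACCEPT, so that only the offending source is throttled. The ACCEPT rule also relies on the implicit default `--limit-burst 5`; spelling it out makes the accepted burst visible in the rule. Lastly, the LOG rule carries `-m comment --comment "DROP ping flood"` while the DROP rule it announces does not; put the comment on the DROP as well so the rule is self-describing in `iptables -L`.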
Hi,
On 4 Jul 2019, at 18:31, Peter Müller peter.mueller@ipfire.org wrote:
pings are replied to for diagnostic reasons only. As unlimited response generation may open up a (D)DoS attack surface for both external and internal networks, dropping excessive traffic is reasonable.
IPFire won’t do this. We have this configuration in place to avoid this which also works for any other kind of ICMP message (or at least what is selected by the mask):
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_ratelimit = 1000
net.ipv4.icmp_ratemask = 6168
This is from /etc/sysctl.conf.
So do you still want the patch?
-Michael
Signed-off-by: Peter Müller peter.mueller@ipfire.org
src/initscripts/system/firewall | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index b3483a744..622d7de4e 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -214,10 +214,12 @@ iptables_init() { iptables -N IPTVFORWARD iptables -A FORWARD -j IPTVFORWARD
- # Allow to ping the firewall.
- # Allow non-excessive pings to the firewall iptables -N ICMPINPUT iptables -A INPUT -j ICMPINPUT
- iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 100/second -j ACCEPT
iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 10/minute -j LOG --log-prefix "DROP_PINGFLOOD " -m comment --comment "DROP ping flood"
iptables -A ICMPINPUT -p icmp --icmp-type 8 -j DROP
# Accept everything on loopback iptables -N LOOPBACK
-- 2.16.4
Hello Michael,
Hi,
On 4 Jul 2019, at 18:31, Peter Müller peter.mueller@ipfire.org wrote:
pings are replied to for diagnostic reasons only. As unlimited response generation may open up a (D)DoS attack surface for both external and internal networks, dropping excessive traffic is reasonable.
IPFire won’t do this. We have this configuration in place to avoid this which also works for any other kind of ICMP message (or at least what is selected by the mask):
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_ratelimit = 1000
net.ipv4.icmp_ratemask = 6168
This is from /etc/sysctl.conf.
I was unaware of this configuration. The rate limit of 1000 might be a bit too large for home users, depending on how many other ICMP packets need to be processed or sent.
Anyway, it's good to have these directives around. :-)
So do you still want the patch?
No, thank you.
Best regards, Peter Müller
-Michael
Signed-off-by: Peter Müller peter.mueller@ipfire.org
src/initscripts/system/firewall | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index b3483a744..622d7de4e 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -214,10 +214,12 @@ iptables_init() { iptables -N IPTVFORWARD iptables -A FORWARD -j IPTVFORWARD
- # Allow to ping the firewall.
- # Allow non-excessive pings to the firewall iptables -N ICMPINPUT iptables -A INPUT -j ICMPINPUT
- iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 100/second -j ACCEPT
iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 10/minute -j LOG --log-prefix "DROP_PINGFLOOD " -m comment --comment "DROP ping flood"
iptables -A ICMPINPUT -p icmp --icmp-type 8 -j DROP
# Accept everything on loopback iptables -N LOOPBACK
-- 2.16.4
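The sysctl block Michael quotes and the rate-limit value Peter comments on are easier to judge once the mask is decoded. The shell functions below are an added example written for this page, not IPFire code: they decode net.ipv4.icmp_ratemask into the ICMP types it covers (bit N of the mask selects ICMP type N, as documented in the kernel's ip-sysctl), test whether a given type is covered, and build a mask from a list of types. The value 6168 is the one from the thread; the function names and the optional /proc/sys lookup are this example's own. Two facts the output makes visible: 6168 covers types 3, 4, 11 and 12 only, so echo replies (type 0) are not rate limited by that mask, and net.ipv4.icmp_ratelimit is the minimum spacing in milliseconds between limited messages to one destination, so 1000 means about one such message per second per target rather than a count of one thousand.

```shell
#!/bin/sh
# Added example (not IPFire code): decode net.ipv4.icmp_ratemask.
# Bit N of the mask selects ICMP type N (kernel ip-sysctl documentation).

# Name of an ICMP type, for the types the kernel lists as maskable.
icmp_type_name() {
    case "$1" in
        0)  echo "echo-reply" ;;
        3)  echo "destination-unreachable" ;;
        4)  echo "source-quench" ;;
        5)  echo "redirect" ;;
        8)  echo "echo-request" ;;
        11) echo "time-exceeded" ;;
        12) echo "parameter-problem" ;;
        13) echo "timestamp-request" ;;
        14) echo "timestamp-reply" ;;
        15) echo "info-request" ;;
        16) echo "info-reply" ;;
        17) echo "address-mask-request" ;;
        18) echo "address-mask-reply" ;;
        *)  echo "type-$1" ;;
    esac
}

# Space-separated list of the ICMP types selected by a mask.
icmp_ratemask_types() {
    mask=$1
    out=""
    t=0
    while [ "$t" -le 31 ]; do
        if [ $(( (mask >> t) & 1 )) -eq 1 ]; then
            out="${out:+$out }$t"
        fi
        t=$((t + 1))
    done
    printf '%s\n' "$out"
}

# 1 if ICMP type $2 is rate limited under mask $1, else 0.
icmp_type_limited() {
    printf '%s\n' $(( ($1 >> $2) & 1 ))
}

# Build a mask covering the given ICMP types, e.g. to add echo-reply (0)
# to the default set: icmp_ratemask_from_types 0 3 4 11 12
icmp_ratemask_from_types() {
    mask=0
    for t in "$@"; do
        mask=$(( mask | (1 << t) ))
    done
    printf '%s\n' "$mask"
}

# Human-readable report. Arguments: mask [ratelimit_ms]. Without arguments
# it reads the running kernel's values when /proc/sys is readable and
# otherwise falls back to the values quoted in the thread.
icmp_ratelimit_report() {
    mask=${1:-$(cat /proc/sys/net/ipv4/icmp_ratemask 2>/dev/null || echo 6168)}
    limit=${2:-$(cat /proc/sys/net/ipv4/icmp_ratelimit 2>/dev/null || echo 1000)}
    echo "icmp_ratemask=$mask covers:"
    for t in $(icmp_ratemask_types "$mask"); do
        echo "  type $t ($(icmp_type_name "$t"))"
    done
    if [ "$(icmp_type_limited "$mask" 0)" -eq 0 ]; then
        echo "  echo-reply (type 0) is NOT covered: replies to ping are not limited by this mask"
    fi
    if [ "$limit" -eq 0 ]; then
        echo "icmp_ratelimit=0: limiting disabled"
    else
        echo "icmp_ratelimit=$limit ms: at most one limited message per $limit ms per destination"
    fi
}

# Report on the values quoted in the thread.
icmp_ratelimit_report 6168 1000
```

Run it without arguments on a live box to see what the running kernel actually limits; to have the kernel throttle echo replies as well, the mask would need bit 0 set, which `icmp_ratemask_from_types 0 3 4 11 12` computes.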