ICMP firewall problem

I am trying to stop some icmp traffic here but I am having some firewall trouble with it.

/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked in-interface-list=WAN
add action=drop chain=input connection-state=invalid in-interface-list=WAN
add action=accept chain=input in-interface-list=WAN port=22 protocol=tcp src-address-list=trustednets
add action=accept chain=input in-interface-list=WAN port=500,1701,4500 protocol=udp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=jump chain=input in-interface-list=WAN jump-target=icmp protocol=icmp
add action=drop chain=input in-interface-list=WAN
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=drop chain=icmp fragment=yes protocol=icmp
add action=accept chain=icmp comment="Type 0, Echo reply" icmp-options=0 protocol=icmp
add action=accept chain=icmp comment="Type 3, Code 4, Fragmentation needed and DF set" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="Type 4, Source quench" icmp-options=4 protocol=icmp
add action=accept chain=icmp comment="Type 8, Echo" icmp-options=8 protocol=icmp
add action=accept chain=icmp comment="Type 11, Code 0, Time to live exceeded in transit" disabled=yes icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="Type 12, Parameter problem" icmp-options=12 protocol=icmp
add action=drop chain=icmp

When I try to do icmp tracerouting behind the firewall it works whether icmp-options=11:0 is enabled or disabled in the icmp forward chain. The whole icmp chain actually does not seem to work at all. What am I missing?

Because in tracerouting, in the first ICMP packet TTL=1.

The JUMP to your ICMP chain is after an accept for related and established. It’s almost certainly getting accepted there.

That said, don’t block TTL exceeded messages unless you like making troubleshooting harder on yourself. Also you may need to not decrement TTL on all connections to make it “invisible” (* * *) on traceroute. Personally, I see only a “checklist” risk when blocking things within ICMP but that’s me. Rate limiting makes more sense. I also don’t know if there is a way to squelch the TTL exceeded message from being generated by the underlying OS (RouterOS) other than it being a by-product of not decrementing TTL. I’m not 100% certain that the firewall filter has that option. Here we’d again be talking about traceroute sourced from your LAN. Not sent inward to your LAN. I’m pretty sure I’m ok trusting my users to execute a traceroute. Not to mention how infuriating it is to troubleshoot a stock ASA that drops it and ping inside to out by default. #offmysoapboxnow
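As an added illustration (not from the thread or from RouterOS), here is a small Python model of first-match filter evaluation with jump chains; it assumes simplified rule and packet fields and shows why a TTL-exceeded reply, which conntrack marks as related, is accepted by the first forward rule and never reaches the icmp chain, while moving the jump ahead of that rule would let the icmp chain decide.

```python
# Added illustration, not RouterOS code: a minimal model of first-match filter
# evaluation with jump/return. Rule and packet fields are simplified assumptions.

def matches(rule, pkt):
    """A rule matches when every matcher it carries is satisfied by the packet.
    A set value means 'any of these' (like connection-state=established,related)."""
    for key, want in rule.get("match", {}).items():
        have = pkt.get(key)
        if isinstance(want, set):
            if have not in want:
                return False
        elif have != want:
            return False
    return True

def evaluate(chains, chain, pkt):
    """Walk `chain` top to bottom; follow jumps, fall back when a target chain ends."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        if rule["action"] == "jump":
            verdict = evaluate(chains, rule["target"], pkt)
            if verdict is not None:
                return verdict
            continue            # target chain had no verdict: keep going here
        return rule["action"]   # accept / drop terminate evaluation
    return None                 # end of chain without a verdict

# Forward chain as posted: established/related accept comes before the jump.
POSTED = {
    "forward": [
        {"action": "accept", "match": {"state": {"established", "related", "untracked"}}},
        {"action": "jump", "target": "icmp", "match": {"proto": "icmp"}},
    ],
    "icmp": [
        {"action": "accept", "match": {"icmp": "8"}},   # echo request
        {"action": "drop"},                             # 11:0 rule disabled, so drop
    ],
}

# Same rules with the jump moved ahead of the established/related accept.
REORDERED = {"forward": list(reversed(POSTED["forward"])), "icmp": POSTED["icmp"]}

# Constructed packet: a time-exceeded reply to a traceroute probe. Conntrack
# classifies it as related to the probe's connection.
TTL_EXCEEDED = {"proto": "icmp", "icmp": "11:0", "state": "related"}

def verdict_as_posted():
    return evaluate(POSTED, "forward", TTL_EXCEEDED)      # "accept"

def verdict_reordered():
    return evaluate(REORDERED, "forward", TTL_EXCEEDED)   # "drop"

if __name__ == "__main__":
    print("as posted:", verdict_as_posted(), "| jump first:", verdict_reordered())
```

The model only explains the ordering; whether dropping the 11:0 replies is a good idea is a separate question the reply above already answers.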