I was reviewing a new MT installation on which I had installed the icmp filter chain per the 2.9 manual outline on page 446:
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="drop invalid connections"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="allow established connections"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="allow already established connections"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
add chain=icmp action=drop comment="deny all other types"
The very first filter rule seems to be incorrect to me. The comment says “drop invalid connections”, yet the action is “accept”. This seems exactly backward.
However, I’m a relative newb, so I thought I would post this here for clarification.
Comments for the first three are incorrect. Rules are otherwise OK.
Regards
Andrew
So the first three rules’ comments should be corrected to something like:
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="Accept ping reply packets"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="Accept destination/net unreachable packets"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="Accept destination/host unreachable packets"
Which would make more sense than the ones that are there now?
Would it make sense to actually have a “drop invalid connections” rule for icmp packets preceding this? Or is there a good reason to not put an invalid connections rule for icmp packets?
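As an added example (not code from this thread or from MikroTik), a small Python model of the corrected chain above with RouterOS first-match semantics, so the accept/drop outcome for any ICMP type:code can be checked before the rules go on a router. The `limit=` and `connection-state` matchers are not modeled; the chain text is a constructed input.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                 # "accept" or "drop"
    icmp_type: Optional[int]    # None matches any ICMP type (the final catch-all)
    codes: Tuple[int, int]      # inclusive ICMP code range
    comment: str = ""


def parse_rule(line: str) -> Rule:
    """Pull action, icmp-options and comment out of one 'add chain=icmp ...' line.
    shlex handles the double-quoted comment; a code range like 8:0-255 is accepted."""
    kv = dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)
    icmp_type, codes = None, (0, 255)
    if "icmp-options" in kv:
        t, c = kv["icmp-options"].split(":")
        lo, _, hi = c.partition("-")
        icmp_type, codes = int(t), (int(lo), int(hi or lo))
    return Rule(kv["action"], icmp_type, codes, kv.get("comment", ""))


# The poster's chain with the three corrected comments (constructed input).
ICMP_CHAIN = [parse_rule(l) for l in """
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="Accept ping reply packets"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="Accept destination/net unreachable packets"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="Accept destination/host unreachable packets"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
add chain=icmp action=drop comment="deny all other types"
""".strip().splitlines()]


def verdict(chain: List[Rule], icmp_type: int, code: int) -> Optional[str]:
    """First-match evaluation, as RouterOS does it: the first matching rule decides.
    None means nothing matched and the packet would return to the calling chain."""
    for r in chain:
        if r.icmp_type in (None, icmp_type) and r.codes[0] <= code <= r.codes[1]:
            return r.action
    return None


if __name__ == "__main__":
    # 3:3 (port unreachable) and 3:4 (frag needed) fall through to the final drop;
    # the comment text never influences the outcome, only the action does.
    for t, c in [(0, 0), (8, 0), (3, 1), (3, 3), (3, 4), (5, 0), (11, 0)]:
        print(f"icmp {t}:{c:<3} -> {verdict(ICMP_CHAIN, t, c)}")
```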
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=20,20 action=accept \
comment="8:0 and limit for 5pac/s \(Echo - No Code\)" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:3 limit=30,5 action=accept \
comment="3:3 and limit for 5pac/s \(Port Unreachable\)" disabled=no
add chain=ICMP protocol=icmp icmp-options=11:0 limit=50,20 action=accept \
comment="11:0 and limit for 5pac/s \(TTL Exceeded\)" disabled=no
add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=20,20 action=accept \
comment="0:0 and limit for 5pac/s \(Echo Reply\)" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:0 limit=5,5 action=accept \
comment="3:0 and limit for 5pac/s \(Net Unreachable\)" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:1 limit=5,5 action=accept \
comment="3:1 and limit for 5pac/s \(Host Unreachable\)" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept \
comment="3:4 and limit for 5pac/s \(Frag Not Needed\)" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:13 limit=5,5 action=accept \
comment="3:13 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:10 limit=5,5 action=accept \
comment="3:10 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp limit=1,2 action=log log-prefix="" comment="log \
it" disabled=no
add chain=ICMP protocol=icmp action=drop comment="Drop everything else" \
disabled=no
Jump to this chain with proto=icmp in both the forward and input chains.