diff mbox series

drop excessive ICMP ping traffic to the firewall

Message ID	a551345c-2fee-1b9d-6858-c415d8229092@ipfire.org
State	Dropped
Headers	To: "IPFire: Development-List" <development@lists.ipfire.org> From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@ipfire.org> Subject: [PATCH] drop excessive ICMP ping traffic to the firewall Organization: IPFire.org Message-ID: <a551345c-2fee-1b9d-6858-c415d8229092@ipfire.org> Date: Thu, 04 Jul 2019 17:31:00 +0000 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Precedence: list Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org>
Series	drop excessive ICMP ping traffic to the firewall \| drop excessive ICMP ping traffic to the firewall

Commit Message

Peter Müller July 5, 2019, 3:31 a.m. UTC

  pings are replied to for diagnostic reasons only. As unlimited
response generation may open up a (D)DoS attack surface for
both external and internal networks, dropping excessive traffic
is reasonable.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 src/initscripts/system/firewall | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Comments

Michael Tremer July 5, 2019, 4:18 a.m. UTC | #1

Hi,

> On 4 Jul 2019, at 18:31, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> pings are replied to for diagnostic reasons only. As unlimited
> response generation may open up a (D)DoS attack surface for
> both external and internal networks, dropping excessive traffic
> is reasonable.

IPFire won’t do this. We have this configuration in place to avoid this which also works for any other kind of ICMP message (or at least what is selected by the mask):

net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_ratelimit = 1000
net.ipv4.icmp_ratemask = 6168

This is from /etc/sysctl.conf.

So do you still want the patch?

-Michael

> 
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> src/initscripts/system/firewall | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index b3483a744..622d7de4e 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -214,10 +214,12 @@ iptables_init() {
> 	iptables -N IPTVFORWARD
> 	iptables -A FORWARD -j IPTVFORWARD
> 
> -	# Allow to ping the firewall.
> +	# Allow non-excessive pings to the firewall
> 	iptables -N ICMPINPUT
> 	iptables -A INPUT -j ICMPINPUT
> -	iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
> +	iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 100/second -j ACCEPT
> +	iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 10/minute -j LOG --log-prefix "DROP_PINGFLOOD " -m comment --comment "DROP ping flood"
> +	iptables -A ICMPINPUT -p icmp --icmp-type 8 -j DROP
> 
> 	# Accept everything on loopback
> 	iptables -N LOOPBACK
> -- 
> 2.16.4
>

Peter Müller July 5, 2019, 4:32 a.m. UTC | #2

Hello Michael,

> Hi,
> 
>> On 4 Jul 2019, at 18:31, Peter Müller <peter.mueller@ipfire.org> wrote:
>>
>> pings are replied to for diagnostic reasons only. As unlimited
>> response generation may open up a (D)DoS attack surface for
>> both external and internal networks, dropping excessive traffic
>> is reasonable.
> 
> IPFire won’t do this. We have this configuration in place to avoid this which also works for any other kind of ICMP message (or at least what is selected by the mask):
> 
> net.ipv4.icmp_echo_ignore_broadcasts = 1
> net.ipv4.icmp_ignore_bogus_error_responses = 1
> net.ipv4.icmp_ratelimit = 1000
> net.ipv4.icmp_ratemask = 6168
> 
> This is from /etc/sysctl.conf.
I was unaware of this configuration. The rate limit of 1000
might be a bit too large for home users, depending on how
many other ICMP packets need to be processed or sent.

Anyway, it's good to have these directives around. :-)
> 
> So do you still want the patch?
No, thank you.

Best regards,
Peter Müller
> 
> -Michael
> 
>>
>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>> ---
>> src/initscripts/system/firewall | 6 ++++--
>> 1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>> index b3483a744..622d7de4e 100644
>> --- a/src/initscripts/system/firewall
>> +++ b/src/initscripts/system/firewall
>> @@ -214,10 +214,12 @@ iptables_init() {
>> 	iptables -N IPTVFORWARD
>> 	iptables -A FORWARD -j IPTVFORWARD
>>
>> -	# Allow to ping the firewall.
>> +	# Allow non-excessive pings to the firewall
>> 	iptables -N ICMPINPUT
>> 	iptables -A INPUT -j ICMPINPUT
>> -	iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
>> +	iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 100/second -j ACCEPT
>> +	iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 10/minute -j LOG --log-prefix "DROP_PINGFLOOD " -m comment --comment "DROP ping flood"
>> +	iptables -A ICMPINPUT -p icmp --icmp-type 8 -j DROP
>>
>> 	# Accept everything on loopback
>> 	iptables -N LOOPBACK
>> -- 
>> 2.16.4
>>
>

diff mbox series

Patch

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index b3483a744..622d7de4e 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -214,10 +214,12 @@  iptables_init() {
 	iptables -N IPTVFORWARD
 	iptables -A FORWARD -j IPTVFORWARD
 
-	# Allow to ping the firewall.
+	# Allow non-excessive pings to the firewall
 	iptables -N ICMPINPUT
 	iptables -A INPUT -j ICMPINPUT
-	iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
+	iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 100/second -j ACCEPT
+	iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 10/minute -j LOG --log-prefix "DROP_PINGFLOOD " -m comment --comment "DROP ping flood"
+	iptables -A ICMPINPUT -p icmp --icmp-type 8 -j DROP
 
 	# Accept everything on loopback
 	iptables -N LOOPBACK