Stopping external ICMP requests. (CCNP forum archive, July 2001)
beenframed

2001-07-23, 12:35 pm

I know how to disable inbound ICMP requests on a firewall but how is that done if there is no firewall in place and I am only using a router?

thanks,

bf-
dmaftei

2001-07-23, 12:48 pm

Router(config)#access-list 111 deny icmp any any
Router(config)#access-list 111 permit ip any any

Apply inbound on the interface you want to protect. You can fine-tune the "deny icmp" with ICMP message types. Try a "?" at the end of the first command. Test it before you put it on your production routers (and keep a console ready).
depamo

2001-07-23, 1:02 pm

If you have outside management that needs to use ICMP to track your network, for those reasons you would want to ensure that you get their IP addresses or the group of addresses that they would come from. Otherwise you would use an access list applied to the interface that connects to the outside world.

Here is the syntax:
access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log]

(From global config: the first line allows your network management people through, the second keeps the rest from passing ICMP through, and the last passes the rest of the traffic through.)

access-list 102 permit icmp <NM IP Network Here> <Matching wild card> 0.0.0.0 255.255.255.255

access-list 102 deny icmp any any

access-list 102 permit ip any any

Go to your external-facing interface from global configuration and apply it as an inbound filter.

ip access-group 102 in

Pretty simple stuff. Remember that if you are doing this on your home system, some programs will use ping to verify your responsiveness, some games and Napster. Also your router will have to process-switch traffic to check it against the access lists.
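As an added example (not from the thread), a small Python model of how IOS walks a numbered extended ACL: wildcard-mask matching, top-down first match, and the implicit deny at the end. It parses the 102 list from this post (with an assumed management prefix 192.0.2.0/24 standing in for the placeholders) plus a constructed variant that narrows the deny by ICMP message type, as suggested above, so that replies to internal ping/traceroute and destination-unreachable messages still get back in.

```python
import ipaddress

# Constructed sample ACLs in the form posted in the thread; 192.0.2.0/24
# (wildcard 0.0.0.255) is an assumed stand-in for "<NM IP Network Here>".
ACL_102 = """
access-list 102 permit icmp 192.0.2.0 0.0.0.255 0.0.0.0 255.255.255.255
access-list 102 deny icmp any any
access-list 102 permit ip any any
"""
# Constructed variant tuned by ICMP type: only the reply/error messages are
# let in; everything else ICMP hits the deny before the final permit ip.
ACL_103 = """
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any unreachable
access-list 103 permit icmp any any time-exceeded
access-list 103 deny icmp any any
access-list 103 permit ip any any
"""
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}

def _addr_spec(tokens):
    """Consume 'any' or 'address wildcard'; return (rest, (net, care_mask))."""
    if tokens[0] == "any":
        return tokens[1:], (0, 0)
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    care = wildcard ^ 0xFFFFFFFF  # wildcard 1-bits are "don't care" bits
    return tokens[2:], (addr & care, care)

def parse_acl(text):
    """Parse numbered extended ACL lines into (action, proto, src, dst, icmp_type)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[2], t[3]
        rest, src = _addr_spec(t[4:])
        rest, dst = _addr_spec(rest)
        icmp_type = ICMP_TYPES[rest[0]] if rest and proto == "icmp" else None
        entries.append((action, proto, src, dst, icmp_type))
    return entries

def _matches(addr, spec):
    net, care = spec
    return int(ipaddress.IPv4Address(addr)) & care == net

def evaluate(entries, proto, src, dst, icmp_type=None):
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for action, p, s, d, t in entries:
        if p in ("ip", proto) and _matches(src, s) and _matches(dst, d) \
           and (t is None or t == icmp_type):
            return action
    return "deny"
```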
doctorcisco

2001-07-25, 11:47 am

quote:
Originally posted by depamo

Remember that if you are doing this on your home system, some programs will use ping to verify your responsiveness, some games and Napster. Also your router will have to process-switch traffic to check it against the access lists.

Also remember:

1) No internal users (including you, of course) will be able to use ping or traceroute through that interface; the replies will never make it back.

2) Users will never get destination unreachable, source quench, or any other ICMP messages from beyond that interface; this could break some applications and cause other interesting TCP and/or IP issues. (What exactly would happen if you have more bandwidth than an FTP server you're uploading to and source quench messages never got to you from the server? I don't know the answer ....)

3) You are still susceptible to a DOS or DDOS attack; the attacker can flood your link with inbound ICMP traffic even if the router isn't letting it through. I once had an unfirewalled site under DDOS attack, and the attacker filled a T1 with inbound pings even after I put a similar filter in place and the site wasn't answering. I had to have the ISP put a filter on the router interface at the other end to recover use of the link.

Just by the way, the 3 IP addresses this attack came from were all home users with DSL or cable modems; all 3 were hacked and used as platforms by the (unknown) actual attacker. If you have DSL or cable, PLEASE protect your equipment!

FWIW,
doctorcisco
Retired-Mod

2001-07-25, 5:18 pm

And the reason the Doc's T1 was vulnerable was that the attack was not addressed until it reached his router. This is bad for two reasons. First, his T1 is flooded with this traffic, and secondly his router (depending on model) has a good chance of being overwhelmed (CPU usage) because it has to process every packet before denying and dropping it with the access-list. This is why it is common practice to alert the ISP and let them handle it upstream from you on their more powerful equipment.

Nice answer Doc and sorry ya got attacked!

Yankee
beenframed

2001-07-25, 8:38 pm

wow. That was an educational thread.

Thanks all.
depamo

2001-07-26, 8:16 am

Protect your home site; putting software on your computer is usually not enough. Remember, if you just use software, they have already reached your computer and have gone up the protocol stack to where the software has identified an issue. Anything at Layer 4 or higher in the OSI model is bad news!! Cable and DSL routers are so cheap right now (one month's cable bill, $100.00) you would be kidding yourself if you didn't get one. Most you can just put into place and not even have to program at all. You have services also; they usually have DMZ settings and port forwarding capabilities. You also get the great fun of a full NAT (actually more like a PAT) so you can hook up all your computers on one line. VPN pass-through is also a big thing to look for. Don't worry about the 100Mb/s switches on them; remember that cable modems only run at 10Mb/s!!

Not for everyone, but after getting hacked for the umpteenth time at home with firewall software on my computer, I had to do something. I haven't been hit lately (over 4 months) since I got the cable router. I do have a web site up and running that I pass SMTP, HTTP, HTTPS, and DNS through to the web server and haven't had a problem yet. I pass ports through to my other computer for using web phone and stuff also.

Good luck and
dmaftei

2001-07-26, 9:07 am

quote:
Originally posted by depamo
I do have a web site up and running...

Won't share the URL with us?!
depamo

2001-07-27, 9:42 am

I do have my reasons; mostly I just hate having to re-load all the software, and I've been having such good luck lately.

Until I get the firewall configured correctly, would really hate to have a professional level DOS or DDOS from someone for kicks.

There are also some items on it that I would like to remain unseen.
Copyright 2003 - 2008 examnotes.net