
Filtering on icmp codes 15.7 – Westermo MR Series User Manual


6622-3201 Web Interface and Command Line Reference Guide, www.westermo.com

15.7 Filtering on ICMP Codes

An ip-object can be followed by an optional [icmp] field. This allows the script to filter packets
based on ICMP codes. ICMP packets are normally used to debug and diagnose a network and can
be extremely useful. However, they form part of a low-level protocol and are frequently exploited
by hackers for attacking networks. For this reason most network administrators will want to
restrict the use of ICMP packets.

The syntax for including ICMP filtering is:

icmp = "icmp-type" icmp-type ["code" decnum]

The icmp-type can be one of the pre-defined strings listed in the following table or the equivalent
decimal numeric value:

ICMP Type    ICMP Value
Unreach      3
Echo         8
Echorep      0
Squench      4
Redir        5
Timex        11
Paramprob    12
Timest       13
Timestrep    14
Inforeq      15
Inforep      16
Maskreq      17
Maskrep      18
Routerad     9
Routersol    10

The following two rules are therefore equivalent:

pass in break end on ppp 0 proto icmp from any to 10.1.2.0/24 icmp-type 0

pass in break end on ppp 0 proto icmp from any to 10.1.2.0/24 icmp-type echorep

Both of these rules allow echo replies to come in from interface ppp 0 if they are addressed to our
example local network address (10.1.2.*).

In addition to having a type, ICMP packets also include an ICMP code field. The filter syntax allows
for the specification of an optional code field after the ICMP type. When specified the code field
must also match. The ICMP code field is specified with a decimal number.

For example, suppose we wish to allow only echo replies and ICMP unreachable packets in from
interface PPP 0. Then the rules would look something like this:

pass in break end on ppp 0 proto icmp from any to 10.1.2.0/24 icmp-type echorep code 0

pass in break end on ppp 0 proto icmp from any to 10.1.2.0/24 icmp-type unreach code 0

block in break end on ppp 0 proto icmp

The first two rules in this set allow in the ICMP packets that we are willing to permit, and the third
rule denies all other ICMP packets in from this interface. Now, if we ever expect to see echo replies
in on ppp 0, we should allow echo requests out on that interface too. To do that we would have the
rule:

pass out break end on ppp 0 proto icmp icmp-type echo
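To make the type/code matching concrete, here is an added example (not part of the manual, and not Westermo's own filter code) that models the section's four rules as a first-match filter: it parses the rule syntax shown above, maps the table's type names to their decimal values, and treats the code field as a constraint only when a rule gives one. The packet representation (a dict with dir, iface, proto, src, dst, type, code) and the policy applied when no rule matches are assumptions of this example.

```python
import ipaddress

# Pre-defined ICMP type names and their values, from the manual's table.
ICMP_TYPES = {"unreach": 3, "echo": 8, "echorep": 0, "squench": 4, "redir": 5, "timex": 11,
              "paramprob": 12, "timest": 13, "timestrep": 14, "inforeq": 15, "inforep": 16,
              "maskreq": 17, "maskrep": 18, "routerad": 9, "routersol": 10}

def parse_rule(text):
    # 'break end' is accepted as a keyword pair but carries no state in this model.
    t = [w for w in text.lower().split() if w not in ("break", "end")]
    rule = {"action": t[0], "dir": t[1], "iface": None, "proto": None,
            "src": "any", "dst": "any", "type": None, "code": None}
    i = 2
    while i < len(t):
        w, arg = t[i], t[i + 1]
        if w == "on":                          # interface is two tokens, e.g. "ppp 0"
            rule["iface"] = arg + " " + t[i + 2]; i += 3
        elif w in ("proto", "from", "to"):
            rule[{"proto": "proto", "from": "src", "to": "dst"}[w]] = arg; i += 2
        elif w == "icmp-type":                 # name from the table or a decimal value
            rule["type"] = ICMP_TYPES[arg] if arg in ICMP_TYPES else int(arg); i += 2
        elif w == "code":
            rule["code"] = int(arg); i += 2
        else:
            raise ValueError("unexpected token: " + w)
    return rule

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    return (rule["dir"] == pkt["dir"]
            and rule["iface"] in (None, pkt["iface"])
            and rule["proto"] in (None, pkt["proto"])
            and _addr_ok(rule["src"], pkt["src"]) and _addr_ok(rule["dst"], pkt["dst"])
            and rule["type"] in (None, pkt.get("type"))
            and rule["code"] in (None, pkt.get("code")))   # code must match only when given

def filter_packet(rules, pkt, default="block"):
    # First match wins ('break end'); the no-match policy is not on the page, so 'default' is assumed.
    for r in rules:
        if rule_matches(r, pkt):
            return r["action"]
    return default

RULES = [parse_rule(r) for r in (   # the section's rule set, in order
    "pass in break end on ppp 0 proto icmp from any to 10.1.2.0/24 icmp-type echorep code 0",
    "pass in break end on ppp 0 proto icmp from any to 10.1.2.0/24 icmp-type unreach code 0",
    "block in break end on ppp 0 proto icmp",
    "pass out break end on ppp 0 proto icmp icmp-type echo")]
```

Running constructed packets through filter_packet(RULES, ...) shows that an inbound unreachable with a non-zero code, or an echo reply addressed outside 10.1.2.0/24, falls through to the block rule, while an outbound echo request is passed by the last rule.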
