[EMAIL PROTECTED] wrote:
> I have some questions about ICMP and firewalling ...
>
> I read an old mail in which Glynn recommended to allow forwarding ICMP service 3
> at least...
The term is `type 3'. I'm fairly sure that I wouldn't have referred to
it as `service 3', although we all have bad days.
> 1. The main question is WHY ? and WHICH ones ?
Why: because you need to know about any errors which occur.
In particular, TCP requires ICMP type 3 (destination unreachable)
subtype 4 (fragmentation required but DF (don't fragment) flag set).
Otherwise:
1. TCP will keep sending out packets with the DF flag set
2. Some intermediate router will keep sending back ICMP `fragmentation
required' errors indicating that the packets need to be smaller.
3. Your firewall discards these errors.
4. TCP keeps sending packets which are too large, so they never get
through.
Also, if you try to connect to a remote address/port which has been
blocked, you won't see the ICMP `destination unreachable' error (type
3, various subtypes), so instead of the client failing quickly, it
will keep trying to establish the connection, until it times out
(after ~189 seconds).
> 2. I take my network book ...
> There are 2 things: the type and the code, the first 2 bytes of the ICMP packet.
> What is the service?
There isn't a `service'. There's a type and a subtype (code). They are
listed in netinet/ip_icmp.h (and presumably in your book, also).
> Sometimes I see on the firewall this kind of thing ...
> 195.115.167.125 > 193.252.141.221: icmp: host 195.115.167.50 unreachable
> [tos :0xc0]
> or [tos:0x10]...
> I guess that "tos" means Type Of Service, but I don't know how to read it ...
The defined flags are:
0x10 Minimise delay
0x08 Maximise throughput
0x04 Maximise reliability
0x02 Minimise cost
I'm not sure about 0xc0, but netinet/ip.h has the following:
/*
* Definitions for IP precedence (also in ip_tos) (hopefully unused)
*/
#define IPTOS_PREC_MASK 0xe0
#define IPTOS_PREC(tos) ((tos) & IPTOS_PREC_MASK)
#define IPTOS_PREC_NETCONTROL 0xe0
#define IPTOS_PREC_INTERNETCONTROL 0xc0
#define IPTOS_PREC_CRITIC_ECP 0xa0
#define IPTOS_PREC_FLASHOVERRIDE 0x80
#define IPTOS_PREC_FLASH 0x60
#define IPTOS_PREC_IMMEDIATE 0x40
#define IPTOS_PREC_PRIORITY 0x20
#define IPTOS_PREC_ROUTINE 0x00
> 4.What is the difference between "ipfwadm" and "ipchain" ?
ipchains is the newer alternative to ipfwadm. 2.1.* includes ipchains
support. There is a patch to 2.0.* for ipchains.
The main advantage of ipchains over ipfwadm is that you can create
`chains' of rules. With ipfwadm, you only have one level of rules.
Each rule either accepts, rejects or denies a packet. With ipchains, a
rule can `jump' to another chain. Each chain can then `conditionally'
accept a packet, by jumping to another rule which may in turn accept
or reject it, or jump to yet another chain, and so on.
If you have a firewall setup where you find that you are having to
enumerate the various permutations of a set of conditions, then you
are likely to be able to simplify the setup using ipchains.
--
Glynn Clements <[EMAIL PROTECTED]>
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
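The two points above, that a firewall must let ICMP type 3 (destination unreachable) through because TCP depends on it, and that the "tos" value in the log lines splits into a precedence field and four flag bits, can be checked with a small decoder. The following is an added example, not code from the mail or from the kernel headers it cites: it parses the fixed 8-byte ICMP header of a constructed "fragmentation needed" message, names the subtype, applies the mail's pass/drop rule, and decodes the TOS byte with the netinet/ip.h values quoted above. The next-hop MTU field (bytes 6-7) comes from RFC 1191, not from the mail.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ICMP type/code numbers as listed in netinet/ip_icmp.h (the header the mail points to). */
#define ICMP_DEST_UNREACH     3
#define ICMP_UNREACH_NET      0
#define ICMP_UNREACH_HOST     1
#define ICMP_UNREACH_PROTO    2
#define ICMP_UNREACH_PORT     3
#define ICMP_UNREACH_NEEDFRAG 4

/* TOS flag bits and precedence mask from netinet/ip.h, as quoted in the mail. */
#define IPTOS_LOWDELAY     0x10
#define IPTOS_THROUGHPUT   0x08
#define IPTOS_RELIABILITY  0x04
#define IPTOS_LOWCOST      0x02
#define IPTOS_PREC_MASK    0xe0

struct icmp_summary {
    uint8_t  type;
    uint8_t  code;
    uint16_t next_hop_mtu;  /* only meaningful for type 3 / code 4 (RFC 1191) */
};

/* Parse the fixed 8-byte ICMP header: type(1) code(1) checksum(2) rest(4).
   Returns 0 on success, -1 if the buffer is too short. */
int parse_icmp_header(const uint8_t *buf, size_t len, struct icmp_summary *out)
{
    if (buf == NULL || out == NULL || len < 8)
        return -1;
    memset(out, 0, sizeof *out);
    out->type = buf[0];
    out->code = buf[1];
    /* Checksum (bytes 2-3) is not verified here. For "fragmentation needed",
       bytes 6-7 carry the next-hop MTU in network byte order. */
    if (out->type == ICMP_DEST_UNREACH && out->code == ICMP_UNREACH_NEEDFRAG)
        out->next_hop_mtu = (uint16_t)((buf[6] << 8) | buf[7]);
    return 0;
}

/* Name of a destination-unreachable subtype (code). */
const char *unreach_code_name(uint8_t code)
{
    switch (code) {
    case ICMP_UNREACH_NET:      return "net unreachable";
    case ICMP_UNREACH_HOST:     return "host unreachable";
    case ICMP_UNREACH_PROTO:    return "protocol unreachable";
    case ICMP_UNREACH_PORT:     return "port unreachable";
    case ICMP_UNREACH_NEEDFRAG: return "fragmentation needed and DF set";
    default:                    return "other";
    }
}

/* The mail's rule: every type 3 subtype must be forwarded, otherwise TCP
   keeps sending oversized DF packets or waits ~189 s for a blocked port. */
int firewall_should_pass(uint8_t type, uint8_t code)
{
    (void)code;
    return type == ICMP_DEST_UNREACH;
}

/* Precedence is the top three bits of the TOS byte (IPTOS_PREC_* in netinet/ip.h). */
const char *tos_precedence_name(uint8_t tos)
{
    switch (tos & IPTOS_PREC_MASK) {
    case 0xe0: return "NETCONTROL";
    case 0xc0: return "INTERNETCONTROL";
    case 0xa0: return "CRITIC_ECP";
    case 0x80: return "FLASHOVERRIDE";
    case 0x60: return "FLASH";
    case 0x40: return "IMMEDIATE";
    case 0x20: return "PRIORITY";
    default:   return "ROUTINE";
    }
}

/* Write the set TOS flag bits as a comma-separated list into out;
   returns the number of flags set, or -1 if out is unusable. */
int tos_flags_to_string(uint8_t tos, char *out, size_t outlen)
{
    static const struct { uint8_t bit; const char *name; } flags[] = {
        { IPTOS_LOWDELAY, "lowdelay" }, { IPTOS_THROUGHPUT, "throughput" },
        { IPTOS_RELIABILITY, "reliability" }, { IPTOS_LOWCOST, "lowcost" },
    };
    if (out == NULL || outlen == 0)
        return -1;
    int n = 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof flags / sizeof flags[0]; i++) {
        if (tos & flags[i].bit) {
            if (n) strncat(out, ",", outlen - strlen(out) - 1);
            strncat(out, flags[i].name, outlen - strlen(out) - 1);
            n++;
        }
    }
    if (n == 0)
        snprintf(out, outlen, "none");
    return n;
}

int main(void)
{
    /* Constructed sample: type 3, code 4, checksum zeroed, next-hop MTU 1500 (0x05dc). */
    const uint8_t frag_needed[8] = { 3, 4, 0x00, 0x00, 0x00, 0x00, 0x05, 0xdc };
    const uint8_t tos_samples[2] = { 0xc0, 0x10 };  /* the two values from the log lines */
    struct icmp_summary s;
    char buf[64];

    if (parse_icmp_header(frag_needed, sizeof frag_needed, &s) == 0)
        printf("icmp type %u code %u (%s), next-hop MTU %u, pass: %s\n",
               s.type, s.code, unreach_code_name(s.code), s.next_hop_mtu,
               firewall_should_pass(s.type, s.code) ? "yes" : "no");
    for (size_t i = 0; i < 2; i++) {
        tos_flags_to_string(tos_samples[i], buf, sizeof buf);
        printf("tos 0x%02x: precedence %s, flags %s\n",
               tos_samples[i], tos_precedence_name(tos_samples[i]), buf);
    }
    return 0;
}
```

Running it decodes the log's 0xc0 as precedence INTERNETCONTROL with no flags set, and 0x10 as ROUTINE precedence with only the "minimise delay" flag, which is why the questioner's unreachable errors carry different TOS values without any of the flags in the mail's table being involved in the first case.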