July 05, 2008


DISCLAIMER: All the information contained in this page, or any linked from it, is provided as is, having no warranty or support of any kind, and is used entirely at your own risk.

RT31x ICMP Filtering


Yes, I know, I am totally paranoid, but I see something very wrong when anyone on the whole internet can ping my IP address, so something just had to be done to make this go away. When you implement these filters, you will still be able to use the ping and traceroute (tracert in the Windoze world) tools from any of the workstations attached to the LAN side of the router to query any host on the Internet, but hosts on the Internet will not be able to use these tools on you. Let me qualify this a little: after implementation, when someone tries to ping your router it will just time out, and with traceroute the last hop will time out. To the untrained eye it's like you are not there. Another advantage is that some specific port scans will also fail to find you.

How ping works

While not going into detail about the ICMP protocol, it's worth adding a few lines on how ping actually works, as it will help illustrate the filter functions. When someone pings you, they send you an ICMP echo request (ICMP message type 8), then you reply (if you can) with an ICMP echo reply (ICMP message type 0). Yes, it's as simple as that.

What the Filter does.

As I described above, when someone pings you they send you an ICMP message type 8, and you respond with an ICMP message type 0. So what the filter does is block any ICMP messages of type 8 that come in, while allowing type 0 access. After you do this, when anyone tries to ping you, their type 8 message does not get any response, so all they get is timeouts. On the other hand, type 8 messages from you are not blocked, nor are the type 0 messages in response to your own pings.

The filter

If you are not sure how to set these up on your router, have a look at the router's user manual, which includes extensive doco that will help make things clearer. That said, here are the two generic filters that I used.

Filter #: 9,1
Filter Type= Generic Filter Rule
Active= Yes
Offset= 23
Length= 1
Mask= ff
Value= 01
More= No       Log= None
Action Matched= Check Next Rule
Action Not Matched= Forward

Filter #: 9,2
Filter Type= Generic Filter Rule
Active= Yes
Offset= 34
Length= 1
Mask= ff
Value= 08
More= No       Log= Action Matched
Action Matched= Drop
Action Not Matched= Forward

How it all works

The first filter checks the protocol type of every incoming packet to see if it's type 1 (yes, ICMP). If it's not, the packet is sent on to its destination; if it is type 1, it's passed to the next rule, which checks whether the ICMP message is of type 8. If so, it's dropped; if not, it's sent on its way unmolested. You will see that I have used two rules, not just one. This is a technical limitation of the firmware in the router: it only allows up to 8 bytes for comparison. For more on the operation of generic filters, the user manual has some good texts on the subject.
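
The rule chain above can be checked offline with a small simulation. This is an added example, not firmware or vendor code: it assumes the offsets count from the start of an untagged Ethernet II frame carrying IPv4 with a 20-byte header (no options), which is what offsets 23 and 34 correspond to, and the frames, addresses and helper names are constructed for illustration. It also shows why rule 9,2 must sit behind rule 9,1.

```python
# Added example: simulates generic filter rules 9,1 and 9,2 on constructed frames.
# Assumption: offsets count from the start of an untagged Ethernet II frame
# carrying IPv4 with a 20-byte header (no IP options).
import struct

FORWARD, DROP, NEXT = "Forward", "Drop", "Check Next Rule"

# (offset, length, mask, value, action matched, action not matched)
RULES = [
    (23, 1, b"\xff", b"\x01", NEXT, FORWARD),  # 9,1: IP protocol byte == 1 (ICMP)
    (34, 1, b"\xff", b"\x08", DROP, FORWARD),  # 9,2: ICMP type byte == 8
]

def apply_rules(frame, rules=RULES):
    """Walk the rule chain and return the final action for one frame."""
    for offset, length, mask, value, on_match, on_miss in rules:
        field = frame[offset:offset + length]
        matched = (len(field) == length and
                   bytes(f & m for f, m in zip(field, mask)) == value)
        action = on_match if matched else on_miss
        if action != NEXT:
            return action
    return FORWARD  # assumed default if the chain runs out of rules

def make_frame(proto, l4):
    """Constructed frame: 14-byte Ethernet + 20-byte IPv4 header + payload."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto,
                     0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return eth + ip + l4

# Constructed samples (checksums left at zero; the filter never reads them).
ECHO_REQUEST = make_frame(1, struct.pack("!BBHHH", 8, 0, 0, 1, 1))
ECHO_REPLY = make_frame(1, struct.pack("!BBHHH", 0, 0, 0, 1, 1))
# UDP source port 2048 = 0x0800, so byte 34 is 0x08 although this is not ICMP.
UDP_SPORT_2048 = make_frame(17, struct.pack("!HHHH", 2048, 53, 8, 0))

def verdicts(rules=RULES):
    """Return the action each sample frame receives under the given rules."""
    samples = [("echo request", ECHO_REQUEST), ("echo reply", ECHO_REPLY),
               ("udp sport 2048", UDP_SPORT_2048)]
    return {name: apply_rules(f, rules) for name, f in samples}

if __name__ == "__main__":
    print(verdicts())           # both rules, as configured on this page
    print(verdicts(RULES[1:]))  # rule 9,2 alone, without the protocol check
```

With both rules only the echo request is dropped. With rule 9,2 on its own, the UDP frame is dropped as well, because the byte at offset 34 is only an ICMP type when the protocol byte at offset 23 says ICMP.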


Updated: June 19, 2004