5.3.2. ICMP and ICMP6 Service Objects

The ICMP service object is a generalized representation of the ICMP protocol. ICMP packets are often used to communicate error messages that are acted upon by either the IP layer or higher-layer protocols (TCP or UDP). ICMP can also be used as a simple query protocol.

Firewall Builder has service objects for both IPv4 and IPv6. ICMP service objects for IPv6 are called ICMP6 service. The standard ICMP service objects that come with Firewall Builder appear in the Standard Objects library, in the Services/ICMP branch. User-defined ICMP and ICMP6 service objects appear in the library User in the same Services/ICMP branch.

Standard service objects are not editable. However, you can copy a standard service object, paste the copy into the User tree and edit it there, or you can right-click the ICMP folder in the User tree and select New ICMP Service to create a service object from scratch.

Figure 5.101. 


As a firewall administrator, you need to understand the nature and purpose of ICMP in order to properly configure the firewall to block unwanted ICMP messages while permitting useful ones.

ICMP packets have two header fields that distinguish particular ICMP messages: the type and code fields. There are many different types and classes of ICMP messages. See http://www.iana.org/assignments/icmp-parameters for IPv4 types and classes and http://www.iana.org/assignments/icmpv6-parameters for IPv6 types and classes.

Any combination of the type and code values is allowed in the ICMP or ICMP6 object. For example, the following two screen shots illustrate definitions of ICMP and ICMP6 objects for the request packet of the well-known ping protocol. The type values differ between the IPv4 and IPv6 variants, although the code is 0 in both:

Figure 5.102. 


Figure 5.103. 


Both ICMP and ICMP6 allow value "any" in type or code fields. For example, this can be used to build an object to match a family of ICMP messages with the same type but any code:

Figure 5.104. 


Both IPv4 and IPv6 ICMP service dialogs provide the following controls:

  • Name: This is the name of the object.

  • ICMP Type and Code:

    • Type: The ICMP message type. This control consists of a numeric selector that lets you specify the message type. To specify "any" type, set the control to any.

    • Code: The ICMP message code. This control consists of a numeric selector that lets you specify the message code. To specify "any" code, set the control to any.

  • Comment: This is a free-style text field used for comments.

5.3.2.1. Using ICMP and ICMP6 Service Objects in Rules

Consider the following rule where we use two ICMP objects, one for IPv4 and another for IPv6:

Figure 5.105. 


If the rule set this rule belongs to is configured as combined IPv4 and IPv6, then the policy compiler makes two separate passes, one for IPv4 and one for IPv6, and on each pass picks the ICMP service object whose address family matches. Here is what we get for iptables:

# ================ IPv4

# Rule 0 (global)
# 
$IPTABLES -A FORWARD  -i + -p icmp  -m icmp  --icmp-type 8/0 \
     -m state --state NEW  -j ACCEPT 
 
# ================ IPv6

# Rule 0 (global)
# 
$IP6TABLES -A FORWARD  -i + -p ipv6-icmp  -m icmp6 --icmpv6-type 128/0 \
     -m state --state NEW  -j ACCEPT 

              
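The matching semantics described above (a service object is a type/code pair where either field may be "any", and on a combined rule set only the object of the matching address family survives each compiler pass) can be modelled in a few lines. The following Python is an added example and not Firewall Builder code: the ICMPService class, the constructed sample packets and the "unreachable any code" object are assumptions made for the illustration; the 8/0 and 128/0 echo request values are the ones shown in the generated iptables rules.

```python
"""Toy model of ICMP/ICMP6 service objects and per-family selection.

Added example, not Firewall Builder code. It shows how a type/code pair
with "any" wildcards matches the first two bytes of an ICMP header, and
how a combined IPv4/IPv6 rule set keeps only the object of the right
address family on each pass.
"""
from dataclasses import dataclass
from typing import Optional, Sequence

ANY = None  # the "any" setting of the Type or Code selector


@dataclass(frozen=True)
class ICMPService:
    name: str
    family: int               # 4 for an ICMP object, 6 for an ICMP6 object
    icmp_type: Optional[int]  # None means "any"
    icmp_code: Optional[int]  # None means "any"

    def matches(self, family: int, icmp_type: int, icmp_code: int) -> bool:
        """True when family, type and code all agree (wildcards match anything)."""
        if family != self.family:
            return False
        if self.icmp_type is not ANY and self.icmp_type != icmp_type:
            return False
        if self.icmp_code is not ANY and self.icmp_code != icmp_code:
            return False
        return True


def parse_icmp_header(packet: bytes) -> tuple:
    """Return (type, code): the first two bytes of an ICMP or ICMPv6 message."""
    if len(packet) < 4:
        raise ValueError("ICMP header is at least 4 bytes: type, code, checksum")
    return packet[0], packet[1]


def icmp4_checksum_ok(packet: bytes) -> bool:
    """RFC 1071 one's-complement check over the whole ICMPv4 message.

    ICMPv6 checksums also cover an IPv6 pseudo-header, so this helper is
    deliberately limited to IPv4.
    """
    data = packet + b"\x00" if len(packet) % 2 else packet
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total & 0xFFFF) == 0            # a valid message sums to 0xFFFF


def select_for_family(services: Sequence[ICMPService], family: int) -> list:
    """What the compiler does on each pass of a combined rule set:
    keep only the service objects whose address family matches."""
    return [s for s in services if s.family == family]


def classify(packet: bytes, family: int, services: Sequence[ICMPService]) -> Optional[str]:
    """Name of the first service object (after family selection) matching the packet."""
    icmp_type, icmp_code = parse_icmp_header(packet)
    for svc in select_for_family(services, family):
        if svc.matches(family, icmp_type, icmp_code):
            return svc.name
    return None


# Service objects: the two echo-request objects from the figures plus a
# constructed "same type, any code" object (type 3 = destination unreachable).
SERVICES = [
    ICMPService("ping request", 4, 8, 0),
    ICMPService("ping6 request", 6, 128, 0),
    ICMPService("unreachable any code", 4, 3, ANY),
]

# Constructed packets (header only; id/seq fields are arbitrary sample values).
ECHO4 = bytes.fromhex("0800e5ca12340001")      # type 8, code 0, valid checksum
ECHO6 = bytes.fromhex("80000000abcd0001")      # type 128, code 0, checksum left zero
UNREACH4 = bytes.fromhex("0301fcfe00000000")   # type 3, code 1, valid checksum

if __name__ == "__main__":
    for label, pkt, fam in (("v4 echo", ECHO4, 4), ("v6 echo", ECHO6, 6),
                            ("v4 unreachable", UNREACH4, 4)):
        print(label, "->", classify(pkt, fam, SERVICES))
```

Running the block prints which object each sample packet lands on. Note that the IPv6 pass never sees the IPv4 object, so an ICMPv4 echo request header (type 8) fed to the IPv6 pass matches nothing; this mirrors the separate `-p icmp` and `-p ipv6-icmp` rules the compiler emits above.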

Here is the generated PF 4.x configuration:


# Rule  0 (global)
# 
pass in   quick inet proto icmp  from any  to any icmp-type 8 code 0

# Rule  0 (global)
# 
pass in   quick inet6 proto icmp6  from any  to any

              
 

Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.