• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

ICMP and UDP problem with pfsense

Scheduled Pinned Locked Moved Firewalling
12 Posts 3 Posters 10.5k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • T
    torino
    last edited by Aug 14, 2011, 8:14 AM

    Hi everyone,

    i think that it is a known problem, that you can initiate traffic from one
    (forbidden) direction if traffic is generated from the allowed direction for
    ICMP and UDP.

    example:
    FW: block all from WAN, allow all from LAN

    1. with ICMP
    ping from LAN to WAN Port is allowed an working, but you can ping also
    from WAN to LAN because it is allowed by the state
    2. with UDP
    same as 1. ! you can initiate traffic from WAN to LAN by using the same
    Portnumbers from WAN

    This is because the firewall states matches also the incoming traffic by ip
    and portnumber (at UDP).

    is there a way to prevent this behaviour ?

    ICMP can be blocked by detecting the number of the mode (request, reply).
    UDP is more difficult, but there should be a timer that stops the traffic if
    no traffic is initiated from LAN.

    Any solution for this ?

    1 Reply Last reply Reply Quote 0
    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Aug 17, 2011, 8:27 PM

      UDP states are removed if inactive. UDP is a stateless protocol so timers are the only way to fuzz statefulness there.

      I'm failing to see what kind of attack scenario you're dreaming up here. Most source ports are randomized. The odds of someone connecting back to that port and getting something useful are quite slim.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      1 Reply Last reply Reply Quote 0
      • T
        torino
        last edited by Aug 19, 2011, 4:44 PM

        Hi,

        yes, with UDP you are right. Sourceports are random and you have to know the UDP ports
        to start this kind of attack.

        ICMP is easy to handle for everyone. You can send big ICMP packets from WAN to LAN, so
        this can affect the PC on the LAN. Or between other Interfaces.

        I checked this behaviour with a small sonicwall TZ200/210 :
        With UDP, there is exactly the same behaviour as with pfsense.
        But with ICMP, no packets could be send from WAN to LAN.

        TMG2010, ASA, ect. blocks complety this forbidden traffic. Maybe that this FW have additional
        filters …. But i do not want to compare pfsense with ASA !

        1 Reply Last reply Reply Quote 0
        • J
          jimp Rebel Alliance Developer Netgate
          last edited by Aug 19, 2011, 4:49 PM

          But you still have to ping from the LAN to that host on the WAN to make it happen - do your users make a habit of pinging rouge sites that would send pack large ICMP packets?

          Restrict your ICMP rule to only allow ICMP echo from LAN users out, and I still fail to see what the actual exploitable problem is in a real-world scenario.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          1 Reply Last reply Reply Quote 0
          • T
            torino
            last edited by Aug 22, 2011, 2:41 PM

            i think, that it makes no sense to discuss the users habit. in a real world scenario all traffic should be blocked, which is not explicit allowed. now in this case we have some technical reasons that this kind of traffic is not blocked by the default rule (block all from WAN). so far i have no problems with that because i have an explanation.

            but the important thing is: Is it possible with pfsene to eliminate such kind of traffic ?

            • maybe a configuration hint ?
            • workaround ?
            • is it caused by the design of pfsense / FreeBSD … ?

            thanks for your support.

            1 Reply Last reply Reply Quote 0
            • M
              Metu69salemi
              last edited by Aug 22, 2011, 7:43 PM

              You can add block rules for icmp and udp if you like, make sure that those are above allowing rules

              1 Reply Last reply Reply Quote 0
              • T
                torino
                last edited by Aug 23, 2011, 9:09 AM

                hi

                the problem is a little bit diffrent. do the following:

                1. make 2 rules:
                  - allow all from LAN > WAN
                  - block all from WAN > LAN
                2. start to ping from a WAN-PC to a LAN-PC with -t
                3. ping fails
                4. start a ping from LAN > WAN
                5. ping is successfull
                6. ping under 3. is successfull also
                7. stop ping from WAN > LAN
                8. wait and watch until the statetable changes
                9. ping again from WAN > LAN, ping fails…

                you can add a rule on WAN to block ICMP completly - but this will not help.

                you can do the same with UDP traffic if you use the same port-numbers.
                This is because of the statetabel for ICMP and UDP.
                With TCP everything is perfect.

                Now it is up to you to decide if this behaviour is ok for you or not. some admin say,
                that the risk is minimal because this occurs only between two specific hosts.
                other admin dont like this, because it does not fit with the block all rule from
                WAN.

                the only important things for me is to know:

                • Is it possible with pfsene to eliminate such kind of traffic ?
                      (if not, i will still use pfSense for SOHO and private DSL)

                • other FW (more expensive) can handle this. what is the reason ?

                1 Reply Last reply Reply Quote 0
                • J
                  jimp Rebel Alliance Developer Netgate
                  last edited by Aug 23, 2011, 12:28 PM

                  I find it very hard to believe that other firewalls would block that UDP traffic.

                  ICMP is another question.

                  However, in both cases, the issue is not with pfSense, but with the underlying packet filter software, pf.

                  It's been brought up before, and it largely a non-issue. You are really stretching things to create a problem where no legitimate security risk exists. http://freebsd.1045724.n5.nabble.com/PF-quot-keep-state-quot-for-ICMP-td4183717.html

                  If you want to "block" this then don't let them ping out, then no state would be created.

                  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                  Need help fast? Netgate Global Support!

                  Do not Chat/PM for help!

                  1 Reply Last reply Reply Quote 0
                  • T
                    torino
                    last edited by Aug 23, 2011, 1:33 PM

                    thanks for support

                    1 Reply Last reply Reply Quote 0
                    • M
                      Metu69salemi
                      last edited by Aug 23, 2011, 3:32 PM

                      As i stated before create rules for blocking icmp and udp if you think that those are too dangerous trafic.

                      On lan interface
                      block icmp * * * *
                      block udp * * * *
                      allow whatever you want and where ever you want.

                      After that even ping from lan to wan isn't possible and thusfore no state is going to exist at all to exploit

                      1 Reply Last reply Reply Quote 0
                      • J
                        jimp Rebel Alliance Developer Netgate
                        last edited by Aug 23, 2011, 3:44 PM

                        That will not block what he's talking about. It will prevent the issue from ever happening, but it also blocks the traffic it sounds like he wants to allow.

                        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                        Need help fast? Netgate Global Support!

                        Do not Chat/PM for help!

                        1 Reply Last reply Reply Quote 0
                        • M
                          Metu69salemi
                          last edited by Aug 23, 2011, 3:55 PM

                          Cat going around a table..
                          I tried to offer pre-emptive solution. Well, can't please everyone  ;)

                          1 Reply Last reply Reply Quote 0
                          12 out of 12
                          • First post
                            12/12
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                            This community forum collects and processes your personal information.
                            consent.not_received