OK.
Ahm, so, I bought a nice DELL server for myself. It is now located in the basement, because it's much too warm here upstairs. Anyway - it holds an ESXi server with some virtual machines I don't want to talk about now.
And I bought this nifty thing because I want to have a toolbox for the daily mess at work. Something I can return to in the evening, where everything runs just as I expect it to. No claims of "our environment and topology have become like this over time and we don't have the budget to make it good". No. Just me and my machines.
The title suggests that it's running at least an Astaro firewall. Yeah, it does. And that's what this article is about...
I started on top with "Management". No, liar, I didn't. I started with "Network Security". I always start with making things difficult rather than getting it up and running at first.
So at first, I looked at the rule table which, from memory, didn't contain anything. Fine.
Next, the "ICMP" tab made it into my browser.
And well, I thought: "great, this thing is quite comfortable. Let's deny Ping and see what it does." I disabled the two features.
To no avail. Ping still worked. For pinging the security device itself, and also for hosts on the Internet. Hum. Not very secure... Next, there are buttons for globally disabling ICMP. Nice try, I thought.
Yep, that does all the magic. No further echo replies.
Except for an Internet host which was still "alive" and responding. This crappy ?*!?* ! Are you a security device? Needless to say that tcpdump was already in place to get to know what strange type of ICMP requests my computer needed to send for a firewall to not recognize them. And needless to say that it looked like this:
21:29:52.724035 IP 192.168.M.N > 194.25.0.68: ICMP echo request, id 53523, seq 16, length 64
21:29:52.751462 IP 194.25.0.68 > 192.168.M.N: ICMP echo reply, id 53523, seq 16, length 64
Looks like ICMP!
But now, to get to the point of the article, I needed to disable "Firewall forwards traceroute" to get rid of ICMP echo requests! That's astonishing, right? Took me an hour or so. Have a nice day.
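The lesson of the post is that a firewall's ICMP settings are only trustworthy once a capture confirms them. Here is an added example, not part of the original post, of the kind of check I would script for that: it parses tcpdump lines of the shape shown above, pairs each echo request with its reply by (requester, target, id, seq), and reports which targets still answered. The sample capture is constructed for this example (the post masks the LAN host as 192.168.M.N, so a placeholder 192.168.0.10 is used); the "echo policy" it checks against is simply "no target may answer", with an option to look only at non-private addresses, as in the case described in the post.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample capture in tcpdump's default ICMP output format, modelled on
# the two lines quoted in the post. 192.168.0.10 is a placeholder for 192.168.M.N.
SAMPLE_CAPTURE = """\
21:29:52.724035 IP 192.168.0.10 > 194.25.0.68: ICMP echo request, id 53523, seq 16, length 64
21:29:52.751462 IP 194.25.0.68 > 192.168.0.10: ICMP echo reply, id 53523, seq 16, length 64
21:29:53.724401 IP 192.168.0.10 > 194.25.0.68: ICMP echo request, id 53523, seq 17, length 64
21:29:55.100000 IP 192.168.0.10 > 192.168.0.1: ICMP echo request, id 53524, seq 1, length 64
21:29:55.100500 IP 192.168.0.1 > 192.168.0.10: ICMP echo reply, id 53524, seq 1, length 64
21:29:56.000000 IP 192.168.0.10.40000 > 192.168.0.1.53: UDP, length 32
"""

# Only echo request/reply lines are of interest; everything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length (?P<length>\d+)$"
)


def parse_icmp_echo(capture):
    """Yield one dict per ICMP echo request/reply line in a tcpdump text capture."""
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # not an echo request/reply line (other protocols, truncated lines)
        rec = m.groupdict()
        rec["id"] = int(rec["id"])
        rec["seq"] = int(rec["seq"])
        yield rec


def pair_echoes(capture):
    """Match replies to requests and return {target: {"answered": n, "unanswered": n}}.

    A reply is matched to a request when the reply's src/dst are the request's
    dst/src and the ICMP id and sequence number agree. Replies with no matching
    request are ignored rather than credited to the target.
    """
    pending = {}
    stats = defaultdict(lambda: {"answered": 0, "unanswered": 0})
    for pkt in parse_icmp_echo(capture):
        if pkt["kind"] == "request":
            pending[(pkt["src"], pkt["dst"], pkt["id"], pkt["seq"])] = pkt
        else:
            key = (pkt["dst"], pkt["src"], pkt["id"], pkt["seq"])
            if pending.pop(key, None) is not None:
                stats[pkt["src"]]["answered"] += 1
    # Requests still pending at the end of the capture never got an answer.
    for (_, target, _, _) in pending:
        stats[target]["unanswered"] += 1
    return dict(stats)


def answering_hosts(capture, external_only=False):
    """Sorted list of targets that replied at least once, i.e. where an intended
    ICMP block did not take effect. With external_only=True, private (RFC 1918)
    targets are left out so only Internet hosts are reported."""
    return sorted(
        host
        for host, s in pair_echoes(capture).items()
        if s["answered"] > 0 and not (external_only and ip_address(host).is_private)
    )


if __name__ == "__main__":
    # Typical use: tcpdump -n -l icmp | python3 this_script.py  (stdin reading omitted;
    # the constructed sample is checked instead)
    for host, s in pair_echoes(SAMPLE_CAPTURE).items():
        print(f"{host}: {s['answered']} answered, {s['unanswered']} unanswered")
    print("Internet hosts still answering:", answering_hosts(SAMPLE_CAPTURE, external_only=True))
```

Run it against the sample and 194.25.0.68 shows up as still answering despite the block, which is exactly the symptom that led to the "Firewall forwards traceroute" setting above; once that setting is fixed, a fresh capture fed through the same script should list no Internet hosts at all.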