The ICMP tab (OA paid) lists a number of ICMP types under the heading 'Function'. Each type has an associated checkbox - 'Allowed'. The default, checked types/functions are not in accordance with recommended practices; they are rather strange.

Does the checkbox relate to incoming and/or outgoing ICMP packets? If all checkboxes are cleared, does OA allow/block incoming/outgoing ICMP packets?

Why were the default settings selected? Do they present an issue to the uninitiated user?


Wikipedia actually has a pretty good brief overview of how ICMP is used at http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol . What OA does by default is allow your system to send out requests for information and receive certain system error messages, but not allow you to respond to requests for information or provide error indications. Besides the defaults I also allow "destination unreachable" since otherwise your log can end up being filled with reattempts. Some of the later table is very strange as you said.

But another question remains: What does the ICMP column mean under Firewall/Programs when these are OS messages used to monitor networks? I never got an answer. Programs don't ping other programs, for example; they invoke Ping in the OS which sends an ICMP Echo Request to the Host IP indicated and waits for an Echo response to see what the round trip travel time is.

The RAW protocol column gives me similar consternation; looking at http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers , why is the column even there for user applications?

I never got an answer before, but maybe some Emsi expert can clarify a bit. :thumbs:

> But another question remains: What does the ICMP column mean under Firewall/Programs when these are OS messages used to monitor networks? I never got an answer. Programs don't ping other programs, for example; they invoke Ping in the OS which sends an ICMP Echo Request to the Host IP indicated and waits for an Echo response to see what the round trip travel time is.
>
> The RAW protocol column gives me similar consternation; looking at http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers , why is the column even there for user applications?
>
> I never got an answer before, but maybe some Emsi expert can clarify a bit.

Reliable sources seem to agree that ICMP types (functions) 0, 3, 8, 11 are all that should be allowed by a firewall; however, the direction and source IP address are just as important in allowing/denying each of these types; Wilders has an excellent thread on the same. I hope that explains why I started this thread.

I think that OA allows all outgoing ICMP packets. I think that the check box refers to incoming packets - the checked types are allowed (incoming). The OA help page does not help.

As for RAW protocol, I am unsure if allowing any protocol other than those allowed by firewall rules is wise. I think, for example, that allowing RAW allows IGMP.

I agree that clarification would be welcome.

BTW: If you ping an IP address, does OA create a rule? If so, I wonder how that affects the ICMP settings.


I agree; OA seems to have added just confusion with this implementation. Once you get past 0, 3, 8, 11 the other stuff is mostly for detailed network management in a more benign environment than the internet. After all, Unix and TCP/IP Networking were there first. ;) 11 is used for Tracert, but you only need to receive it. OA shouldn't allow 0, 3, 11 out unless you check them. Incoming ICMP packets that are not responses to requests should be discarded. So the defaults allow you to ping and tracert others, for example, but don't let others ping/tracert you. The idea is to keep you from responding to probes. And I did get a rule made for Ping - see attachment. :) Since RAW includes all protocols except TCP and UDP, this column is useless. Some firewalls allow you to enter protocol numbers allowed (for things like Protocol 41 for IPV6) - I have never seen a blanket allow of RAW before. And would have no idea how to use it. When I used Kerio 2.1.5 the world was sure a lot simpler in a sense. ;)


My ICMP settings (IPv4 and OS-independent - I block IPv6):

Incoming - 0, 3, 8 (with remote address restricted to gateway), 11.

Outgoing - types 0, 3, 8.

I have plenty of logs (behind a router) to confirm that these are low-risk settings. Unfortunately, OA does not permit such settings.
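The policy described in the last two posts (let echo requests out, accept echo replies, destination unreachable and time exceeded back in, and accept inbound echo requests only from the gateway) is a direction-aware filter on the ICMP type field. The following added example, which is not Online Armor's code nor anything from this thread, shows how such a filter evaluates IPv4 ICMP packets. The gateway address 192.168.1.1, the rule table and the packets built by build_packet are all constructed for the example.

```python
"""Direction-aware IPv4 ICMP filter (illustrative, not Online Armor's code)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# ICMP type numbers discussed in the thread
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACHABLE = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11

# Assumed gateway address for the "remote address restricted to gateway" rule.
GATEWAY = ipaddress.ip_address("192.168.1.1")


@dataclass(frozen=True)
class Rule:
    direction: str                                  # "in" or "out"
    icmp_type: int
    remote: Optional[ipaddress.IPv4Network] = None  # None means any remote address


# Policy from the post above: incoming 0, 3, 8 (gateway only), 11; outgoing 0, 3, 8.
# Anything not matched is dropped, including inbound echo requests from elsewhere.
POLICY = [
    Rule("in", ICMP_ECHO_REPLY),
    Rule("in", ICMP_DEST_UNREACHABLE),
    Rule("in", ICMP_ECHO_REQUEST, ipaddress.ip_network(f"{GATEWAY}/32")),
    Rule("in", ICMP_TIME_EXCEEDED),
    Rule("out", ICMP_ECHO_REPLY),
    Rule("out", ICMP_DEST_UNREACHABLE),
    Rule("out", ICMP_ECHO_REQUEST),
]


def parse_ipv4_icmp(packet: bytes):
    """Return (src, dst, icmp_type, icmp_code), or None if this is not IPv4 ICMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if packet[9] != 1 or len(packet) < ihl + 4:   # protocol 1 = ICMP
        return None
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    return src, dst, packet[ihl], packet[ihl + 1]


def decide(packet: bytes, direction: str) -> str:
    """Apply POLICY to one packet travelling in the given direction."""
    parsed = parse_ipv4_icmp(packet)
    if parsed is None:
        return "drop"
    src, dst, icmp_type, _code = parsed
    remote = src if direction == "in" else dst   # the address the rule may restrict
    for rule in POLICY:
        if rule.direction == direction and rule.icmp_type == icmp_type:
            if rule.remote is None or remote in rule.remote:
                return "allow"
    return "drop"


def build_packet(src: str, dst: str, icmp_type: int, code: int = 0) -> bytes:
    """Constructed 28-byte IPv4+ICMP packet (checksums left zero) for testing."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    icmp_hdr = struct.pack("!BBHHH", icmp_type, code, 0, 0, 0)
    return ip_hdr + icmp_hdr


if __name__ == "__main__":
    print(decide(build_packet("10.0.0.5", "8.8.8.8", ICMP_ECHO_REQUEST), "out"))  # allow
    print(decide(build_packet("8.8.8.8", "10.0.0.5", ICMP_ECHO_REQUEST), "in"))   # drop
```

The parser reads only the fields the policy needs (IHL, protocol, addresses, ICMP type and code); a real host firewall would additionally keep request/reply state so that an inbound echo reply is accepted only when a matching request went out.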


> Since RAW includes all protocols except TCP and UDP, this column is useless. - I have never seen a blanket allow of RAW before. And would have no idea how to use it.

SmartSniff from NirSoft uses RAW to capture all packets and display them. (Packet sniffer).

The program smsniff.exe is the only one that I 'Allow' for RAW.

> My ICMP settings (IPv4 and OS-independent - I block IPv6)

I don't seem to be able to edit my posts! I should, therefore, explain. I use OA on two XP PCs: 'my ICMP settings' are for another product on XP and for the Windows 7 (x64) firewall (check its default ICMP settings).


> Does the checkbox relate to incoming and/or outgoing ICMP packets?

Outgoing only.

> If all checkboxes are cleared, does OA allow/block incoming/outgoing ICMP packets?

If the checkbox is checked the corresponding outgoing ICMP packet is allowed. Otherwise it is blocked. If none is checked, all of the outgoing ICMP packet types listed there are blocked.

> Why were the default settings selected? Do they present an issue to the uninitiated user?

I am not sure why those defaults were chosen because that decision was made before we acquired Online Armor and wasn't documented properly. Based on a code review I can't see how they could cause trouble, especially given the fact that we don't filter incoming ICMP packets at all for compatibility reasons.


> Outgoing only.
>
> If the checkbox is checked the corresponding outgoing ICMP packet is allowed. Otherwise it is blocked. If none is checked, all of the outgoing ICMP packet types listed there are blocked.
>
> I am not sure why those defaults were chosen because that decision was made before we acquired Online Armor and wasn't documented properly. Based on a code review I can't see how they could cause trouble, especially given the fact that we don't filter incoming ICMP packets at all for compatibility reasons.

Thanks - reply is appreciated. I tend to agree that the default settings are unlikely to cause issues.
