::::::::::::::::::::::::
Tuning (c) by Mr.Goblins
;;;;;;;;;;;;;;;;;;;;;;;;
= = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Internet Control Message Protocol (ICMP) filtering
= = = = = = = = = = = = = = = = = = = = = = = = = = = = =
(Introduction)
In 70% of cases, once someone has picked up basic knowledge of how TCP/IP is built
and has the honour of protecting themselves/the company/*the ISP* :) from evildoers,
the idea is clear and it goes like this:
---drop all damn ICMP traffic; allow only pinging other machines!!!---
O-o-o-ps!!!
ICMP is not just a tool for launching a PingFlood or tracerouting hosts.
An ICMP datagram is 70-100 bytes; cutting it out can only create problems.
The problems are not visible to the naked eye, and usually the upstream providers xor the link xor the OS get the blame.
Need more info? -> Google is your friend!
= = = = =
ICMP adds the following header to the IP packet:
+----------+----------+------------------------------------------+
|    8     |    16    |                 32 bits                  |
+----------+----------+------------------------------------------+
|   Type   |   Code   |                 Checksum                 |
+----------+----------+------------------------------------------+
|     Identifier      |              Sequence Number             |
+---------------------+------------------------------------------+
|                             DATA                               |
+----------------------------------------------------------------+
Type
  0  Echo Reply
  1  Unassigned
  2  Unassigned
  3  Destination Unreachable
     Codes
       0  Net Unreachable
       1  Host Unreachable
       2  Protocol Unreachable
       3  Port Unreachable
       4  Fragmentation Needed and Don't Fragment was Set
       5  Source Route Failed
       6  Destination Network Unknown
       7  Destination Host Unknown
       8  Source Host Isolated
       9  Communication with Destination Network is Administratively Prohibited
      10  Communication with Destination Host is Administratively Prohibited
      11  Destination Network Unreachable for Type of Service
      12  Destination Host Unreachable for Type of Service
      13  Communication Administratively Prohibited
      14  Host Precedence Violation
      15  Precedence cutoff in effect
  4  Source Quench
  5  Redirect
  6  Alternate Host Address
  7  Unassigned
  8  Echo
  9  Router Advertisement
 10  Router Solicitation
 11  Time Exceeded
     Codes
       0  Time to Live exceeded in Transit
       1  Fragment Reassembly Time Exceeded
 12  Parameter Problem
 13  Timestamp
 14  Timestamp Reply
 15  Information Request
 16  Information Reply
 17  Address Mask Request
 18  Address Mask Reply
 19  Reserved (for Security)
 20-29  Reserved (for Robustness Experiment)
 30  Traceroute
 31  Datagram Conversion Error
 32  Mobile Host Redirect
 33  IPv6 Where-Are-You
 34  IPv6 I-Am-Here
 35  Mobile Registration Request
 36  Mobile Registration Reply
 37  Domain Name Request
 38  Domain Name Reply
 39  SKIP
 40  Photuris
 41-255  Reserved
= = = = =
(Workstation protected by Tiny Personal Firewall)
(*) allow - icmp type(3) - In
(*) allow - icmp type(4) - In/Out
(*) allow - icmp type(8) - Out
(*) allow - icmp type(0) - In
(*) allow - icmp type(11) - In
(*) deny - icmp type(ALL) - In/Out
(Router CISCO || FreeBSD)
(*) allow - icmp type(3) - In/Out [through any interface]
(*) allow - icmp type(4) - In/Out [through any interface]
(*) allow - icmp type(11) - In [through WAN interface]
# If the router is a real beast running BGP xor EIGRP xor some
# other fat routing protocol, talks internally with many other
# such beasts, also receives traffic from many Autonomous Systems,
# and on top of that is a transit AS for another AS,
# then this line is needed :)))
(*) allow - icmp type(11) - In/Out [through any interface]
# If we want the local network to be able to ping the outside world
(*) allow - icmp type(8) - Out [through LAN interface]
(*) allow - icmp type(0) - In [through WAN interface]
# If we want the outside world to be able to ping us (DoS rock)
(*) allow - icmp type(8) - In [through WAN interface]
(*) allow - icmp type(0) - Out [through LAN interface]
# Drop All other SPAM
(*) deny - icmp type(ALL) - In/Out [through any interface]
= = = = =
-type(0)(Echo Reply) - No Comment!
-type(8)(Echo) - No Comment!
-type(3)(Destination Unreachable) -
if these are cut off, performance problems can arise
when connecting to a remote host and the MTU differs along the path,
so fragmentation is needed. (Path-MTU Discovery)
-type(4)(Source Quench) -
if the receiver cannot handle the data flow, it sends this
message so the sender slows down a little; if these messages are
filtered out, the receiver drops packets once its queue is full.
The conclusion is obvious!
-type(11)(Time Exceeded) -
if a router sees a packet whose TTL has reached 0, it sends this message to the SourceIP.
That means there is a loop, or too many hops/too much delay.
traceroute also uses TTL+UDP to see the path.
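As an added example (not part of the original text), here is a small Python model of the header layout and the router rule list above: it builds and parses ICMP messages with the RFC 1071 checksum, pulls the next-hop MTU out of a Fragmentation Needed message (the Path-MTU Discovery case the type(3) note describes), and applies the router policy by type, direction and interface. The interface names "wan"/"lan" and the sample message are assumptions.

```python
import struct

# Names from the type table above, for the types the router policy cares about
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              8: "Echo", 11: "Time Exceeded"}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message (header + data)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(type_, code, rest=b"\x00" * 4, payload=b""):
    """Type | Code | Checksum | 4-byte 'rest' (Identifier/Sequence, or MTU) | DATA."""
    msg = struct.pack("!BBH", type_, code, 0) + rest + payload
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]

def parse_icmp(pkt: bytes) -> dict:
    """Parse the 8-byte header; a valid message checksums to zero with the field included."""
    if len(pkt) < 8 or icmp_checksum(pkt) != 0:
        raise ValueError("truncated ICMP message or bad checksum")
    info = {"type": pkt[0], "code": pkt[1], "name": ICMP_TYPES.get(pkt[0], "other")}
    if pkt[0] == 3 and pkt[1] == 4:  # RFC 1191: bytes 6..7 carry the next-hop MTU (PMTUD)
        info["next_hop_mtu"] = struct.unpack("!H", pkt[6:8])[0]
    elif pkt[0] in (0, 8):           # Echo / Echo Reply: Identifier and Sequence Number
        info["id"], info["seq"] = struct.unpack("!HH", pkt[4:8])
    return info

# The router rule list above as (type, directions, interfaces); everything else is denied.
# The optional "outside world can ping us" pair is left out on purpose.
ROUTER_POLICY = [(3, {"in", "out"}, {"wan", "lan"}), (4, {"in", "out"}, {"wan", "lan"}),
                 (11, {"in"}, {"wan"}), (8, {"out"}, {"lan"}), (0, {"in"}, {"wan"})]

def filter_decision(pkt: bytes, direction: str, iface: str) -> str:
    """Return 'allow' or 'deny' for an ICMP message seen in 'direction' on 'iface'."""
    try:
        info = parse_icmp(pkt)
    except ValueError:
        return "deny"  # malformed or corrupted: never let it through
    for type_, dirs, ifaces in ROUTER_POLICY:
        if info["type"] == type_ and direction in dirs and iface in ifaces:
            return "allow"
    return "deny"

# Constructed sample: Fragmentation Needed (3/4) advertising next-hop MTU 1400, plus a zeroed
# stand-in for the IP header + 8 bytes of the original datagram that normally follow
FRAG_NEEDED = build_icmp(3, 4, b"\x00\x00" + struct.pack("!H", 1400), b"\x00" * 28)
```

Flip a byte of FRAG_NEEDED and filter_decision() denies it, which is the behaviour to expect from a real filter on a corrupted datagram.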