I have several Linux Mint 21.3 PCs. Is it safe to allow all types of ICMP on these end-point stations on my local home network?


My IPv4 iptables:

$ sudo iptables -L --line-numbers 
Chain INPUT (policy DROP)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere             /* Allow loopback */
2    DROP       all  --  anywhere             anywhere             ctstate INVALID /* Drop invalid packets */
3    REJECT     tcp  --  anywhere             anywhere             ctstate NEW tcp flags:!FIN,SYN,RST,ACK/SYN /* Reject new non-syn TCP */ reject-with tcp-reset
4    ACCEPT     tcp  --  192.168.0.0/24       anywhere             ctstate NEW,ESTABLISHED tcp dpt:ssh /* Allow local SSH on default port */
5    ACCEPT     icmp --  anywhere             anywhere             limit: avg 100/sec burst 500 /* Allow and limit ICMP */
6    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* Traffic */

Chain FORWARD (policy DROP)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

  • Why do you want to allow ICMP? Why all types? What do you want to be safe from? – schroeder Mar 27 '24 at 17:33
  • Relevant to the threats: https://security.stackexchange.com/questions/22711/is-it-a-bad-idea-for-a-firewall-to-block-icmp – schroeder Mar 27 '24 at 18:27
  • @schroeder Hello. A colleague at work told me limiting ICMP to e.g. 100 pcts/s is better than allowing echo (ping) only. I did not know what to think, so I made a change in my iptables to allow all types. I watched it for a few days, plenty of packets there, did not know what to think, so I asked this fairly straight (maybe too short) question. The end-point laptops/PCs have no ports forwarded from my router, to make this comment complete. – Vlastimil Burián Mar 27 '24 at 18:27
  • Only the final question: you ask if it is safe. What do you want to be safe from? What's your concern? There is no inherent risk in ICMP on a local network on a fully patched machine. – schroeder Mar 28 '24 at 09:03
  • @schroeder My only concern is whether those local machines are at any risk, for instance if an unauthorised person connects to my network: can they, for example, attack my machines if I rate-limited it as shown(?) Will check back in a few hours. – Vlastimil Burián Mar 28 '24 at 09:54
  • Can they attack? Yes. Nothing here prevents an attack. Your rate-limiting limits the effect of the attack. As for how someone could use ICMP to affect your machines in other ways, the linked post above goes through many types of potential attacks. But on a local network, the likelihood of an ICMP attack is small, and if they have that level of access to your network, ICMP is near the bottom of your concerns. – schroeder Mar 28 '24 at 09:58
  • @schroeder OK, great... Last question regarding the rate-limiting: is 100/sec with a 500 burst quite OK, or shall I adjust it? Your opinion would be great. Thanks in advance, have a good day. – Vlastimil Burián Mar 28 '24 at 12:32
  • Your computers should be able to handle much more than that, so that limit is just fine. – schroeder Mar 28 '24 at 12:36
  • @schroeder Since you basically answered my question, feel free to post an answer, I would accept. Otherwise please tell me, if I should delete this question or leave it, I am unsure what's best for future readers. Cheers! – Vlastimil Burián Mar 28 '24 at 23:34
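The two ICMP policies discussed above (the question's single rate-limited "all types" rule versus accepting only the handful of types a host actually needs) side by side, as an added example that is not part of the question or the comments. The script prints the iptables commands it would run so the ruleset can be reviewed first; setting APPLY=1 executes them (root required). The rate and burst values are taken from the question's rule 5; the selective type list and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the question: emit (or apply) the ICMP part of an
# IPv4 INPUT chain in two variants. Rate/burst follow the question's rule:
# avg 100/sec, burst 500. Everything not matched falls through to the chain's
# DROP policy, exactly as in the question's ruleset.
RATE="${RATE:-100/second}"
BURST="${BURST:-500}"

# Run the command when APPLY=1; otherwise print it so it can be reviewed.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        # Preview mode: quote arguments containing spaces so the line is pasteable.
        for a in "$@"; do
            case "$a" in
                *" "*) printf "'%s' " "$a" ;;
                *)     printf '%s ' "$a" ;;
            esac
        done
        printf '\n'
    fi
}

# Variant 1: the question's rule. Every ICMP type is accepted, but the limit
# module caps the average rate (excess packets are not ACCEPTed here and hit
# the DROP policy), so a flood costs CPU only up to the configured rate.
icmp_rules_all() {
    run iptables -A INPUT -p icmp \
        -m limit --limit "$RATE" --limit-burst "$BURST" \
        -m comment --comment "Allow and limit ICMP" -j ACCEPT
}

# Variant 2: accept only the types an end host needs for basic reachability
# (echo-request so it answers ping) and for path/error signalling
# (destination-unreachable, time-exceeded, parameter-problem), each under the
# same limit. Redirects, timestamp requests, etc. are never accepted, so a
# host on the same LAN cannot use them to influence this machine's routing.
icmp_rules_selective() {
    for t in echo-request destination-unreachable time-exceeded parameter-problem; do
        run iptables -A INPUT -p icmp --icmp-type "$t" \
            -m limit --limit "$RATE" --limit-burst "$BURST" \
            -m comment --comment "Allow and limit ICMP $t" -j ACCEPT
    done
}

# Usage: sh icmp-rules.sh all|selective      (prefix APPLY=1 to execute)
case "${1:-}" in
    all)       icmp_rules_all ;;
    selective) icmp_rules_selective ;;
    "")        ;;   # no argument: only define the functions
    *)         echo "usage: $0 all|selective" >&2 ;;
esac
```

Note that replies to this host's own outgoing pings and traceroutes are already covered by the question's rule 6 (RELATED,ESTABLISHED), so the selective variant loses nothing for normal use. The same reasoning does not carry over to IPv6: ICMPv6 carries Neighbour Discovery, so an ip6tables ruleset must accept those types explicitly rather than applying either variant blindly.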
