Evi1M4chine
2011-Mar-05 12:18 UTC
Multiple ICMP types: What to do when you need them, and why they were disabled?
Hello,

I see that giving multiple ICMP types in rules.conf is now blocked, despite giving multiple ports still being allowed. What’s the reason for this inconsistency?

I have a variable $GOOD_ICMP_TYPES, with a list of good ones, and still need to allow them in Shorewall. So what am I supposed to do instead? There is no explanation or reasoning given.

Also, please, in the future, at least tell us what to do instead.

Thanks.

------------------------------------------------------------------------------
What You Don't Know About Data Connectivity CAN Hurt You
This paper provides an overview of data connectivity, details its effect on application quality, and explores various alternative solutions.
http://p.sf.net/sfu/progress-d2d
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Tom Eastep
2011-Mar-05 15:44 UTC
Re: Multiple ICMP types: What to do when you need them, and why they were disabled?
On 3/5/11 4:18 AM, Evi1M4chine wrote:
> Hello,
>
> I see that giving multiple ICMP types in rules.conf is now blocked,
> despite giving multiple ports still being allowed. What’s the reason for
> this inconsistency?

Netfilter supports multiple ports in a single rule -- it does not support multiple ICMP types. Shorewall-shell had a hack that allowed multiple ICMP types but it resulted in horrible code structure. I did not want that bad structure in Shorewall-perl.

> I have a variable $GOOD_ICMP_TYPES, with a list of good ones, and still
> need to allow them in Shorewall. So what am I supposed to do instead?
> There is no explanation or reasoning given.

If you are so attached to your shell variable that you can't bear to part with it, replace:

    ACCEPT z1 z2 icmp $GOOD_ICMP_TYPES

with:

    BEGIN SHELL
    for type in $GOOD_ICMP_TYPES; do
        echo "ACCEPT z1 z2 icmp $type"
    done
    END SHELL

That's basically what Shorewall-shell did for you.

> Also, please, in the future, at least tell us, what to do instead.

It is really very obvious -- use multiple rules with one type per rule. I have now documented that in the shorewall-rules and shorewall6-rules manpages as well as the "Migrating to Shorewall 4.4" document.

BUT.... there is really no reason to have explicit rules for 'Good' ICMPs; Shorewall automatically allows necessary ICMP types through, even if they are against the relevant policy.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep
2011-Mar-05 16:49 UTC
Re: Multiple ICMP types: What to do when you need them, and why they were disabled?
On 3/5/11 7:44 AM, Tom Eastep wrote:
> On 3/5/11 4:18 AM, Evi1M4chine wrote:
>> Hello,
>>
>> I see that giving multiple ICMP types in rules.conf is now blocked,
>> despite giving multiple ports still being allowed. What’s the reason for
>> this inconsistency?
>
> Netfilter supports multiple ports in a single rule -- it does not
> support multiple ICMP types. Shorewall-shell had a hack that allowed
> multiple ICMP types but it resulted in horrible code structure. I did
> not want that bad structure in Shorewall-perl.
>

Actually, there is good news. I had originally taken a similar decision with respect to port lists in that Shorewall-perl did not originally support port lists with more than 15 ports, even though that was supported by Shorewall-shell. I later came up with a way to post-process rules with large port lists and break them into multiple rules.

The attached patch does the same for ICMP lists. It applies with offsets to Shorewall 4.4.15 (which is what I believe Gentoo currently supports):

    patch /usr/share/shorewall/Shorewall/Chains < ICMPLISTS.patch

This patch will be included in Shorewall 4.4.19.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
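The two ideas in this thread, the BEGIN SHELL loop from the first reply and the post-processing Tom describes above (split an oversized port list into several rules; split an ICMP type list into one rule per type), as an added example. This is not Shorewall's code and not the ICMPLISTS.patch attached to the message; it works on a simplified rules line (ACTION SOURCE DEST PROTO DEST-PORT-LIST), and the limits it enforces, at most 15 ports per rule with a port range a:b counting as two, are taken from the iptables multiport match rather than from the Shorewall sources. The sample variables at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not Shorewall's own code or the ICMPLISTS.patch from the thread.
# Post-process one simplified rules line (ACTION SOURCE DEST PROTO LIST):
#   - icmp: Netfilter's icmp match takes a single --icmp-type, so emit one
#     rule per type (what the BEGIN SHELL loop in the thread does by hand)
#   - tcp/udp: iptables multiport takes at most 15 ports per rule and a
#     range a:b occupies two of those slots, so split longer lists
# The column layout and the multiport limits are assumptions for this example.

MAX_PORTS=15   # multiport slots per rule (iptables multiport match limit)

emit() {
    # Print a single expanded rule line.
    printf '%s %s %s %s %s\n' "$1" "$2" "$3" "$4" "$5"
}

# expand_rule ACTION SOURCE DEST PROTO LIST
# LIST may be comma- or space-separated: the thread's $GOOD_ICMP_TYPES is
# space-separated, while a rules-file column is comma-separated.
expand_rule() {
    action=$1 src=$2 dst=$3 proto=$4
    items=$(printf '%s' "$5" | tr ',' ' ')
    case "$proto" in
        icmp|ipv6-icmp)
            for t in $items; do
                emit "$action" "$src" "$dst" "$proto" "$t"
            done
            ;;
        tcp|udp)
            chunk='' count=0
            for p in $items; do
                weight=1
                case "$p" in *:*) weight=2 ;; esac   # a range uses two slots
                if [ $((count + weight)) -gt "$MAX_PORTS" ]; then
                    emit "$action" "$src" "$dst" "$proto" "$chunk"
                    chunk='' count=0
                fi
                if [ -z "$chunk" ]; then chunk=$p; else chunk="$chunk,$p"; fi
                count=$((count + weight))
            done
            if [ -n "$chunk" ]; then
                emit "$action" "$src" "$dst" "$proto" "$chunk"
            fi
            ;;
        *)
            # Other protocols have no port column to split; pass through.
            emit "$action" "$src" "$dst" "$proto" "$5"
            ;;
    esac
}

# rule_count ARGS... : number of rules expand_rule emits for ARGS (for checks)
rule_count() {
    expand_rule "$@" | wc -l | tr -d ' '
}

# Constructed sample input mirroring the thread: a space-separated list of
# "good" ICMP types and a TCP port list that needs more than 15 slots.
GOOD_ICMP_TYPES="0 3 8 11"
MANY_PORTS="22,25,53,80,110,143,443,465,587,993,995,3306,5432,6000:6010,8080,8443"

expand_rule ACCEPT loc fw icmp "$GOOD_ICMP_TYPES"
expand_rule ACCEPT net fw tcp "$MANY_PORTS"
```

Running it prints four one-type ICMP rules and two TCP rules: the first carries thirteen single ports plus the range 6000:6010 (15 slots), the second the remaining 8080,8443. The range-counts-as-two detail is the part a plain "chunk by 15" splitter gets wrong, and iptables rejects the resulting rule at load time.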
Evi1M4chine
2011-Mar-05 17:26 UTC
Re: Multiple ICMP types: What to do when you need them, and why they were disabled?
Hey, thanks for your answer. :)

At 2011-03-05 16:44, Tom Eastep wrote:
> Netfilter supports multiple ports in a single rule -- it does not
> support multiple ICMP types. Shorewall-shell had a hack that allowed
> multiple ICMP types but it resulted in horrible code structure. I did
> not want that bad structure in Shorewall-perl.

OK, I am always against horrible code. :) Agreed, I’d had that replaced too.

> If you are so attached to your shell variable that you can't bear to
> part with it, replace:

Why that hatred against variables? Maybe you did not mean it like that, but you sound like you think I’m stupid for doing it like this. Without saying why. I still assume you agree that variables are a good idea for clean and structured code (including configuration files). But man, why the passive aggression? If you think I’m wrong: I love to learn something. :)

> BEGIN SHELL
> for type in $GOOD_ICMP_TYPES; do
>     echo "ACCEPT z1 z2 icmp $type"
> done
> END SHELL
>
> That's basically what Shorewall-shell did for you.

*g* You call that horrible code structure? If a simple loop would cause chaos of horror-proportions, the code wouldn’t be very good to begin with, right? ;) I doubt this is the case, because there must already be a loop for port lists, which could do this too (acting as if ICMP types just were ports) elegantly. In fact I would have implemented it this way.

> It is really very obvious -- use multiple rules with one type per rule.

That is the first thought about the options left that I had. But I refused to call it an option, as it is so deeply wrong. As a programmer, I learned that if you have to do something over and over again, you automate it. That’s what this machine is for, after all. :)

> BUT.... there is really no reason to have explicit rules for 'Good'
> ICMPs; Shorewall automatically allows necessary ICMP types through, even
> if they are against the relevant policy.

I’m sorry, but if Shorewall blocks even standard ping *in a high-security VPN inside my own trusted network*, that’s a bit overkill, isn’t it. ;) I understand that on an open net it is a good idea, and therefore a smart default, to block them. But you can’t say that there is no reason at all for ever having a list of good ICMP types. Remember: If you assume your users are idiots, then idiots you will get. ;) So let us decide, and save yourself the work too. :)

(Also, using some other ping like over TCP, until that one gets the same negative connotation as ICMP ping [for no valid reason IMHO] and gets blocked too, is really as pointless as using “colored” until that one gets the same negative connotation that “black” somehow got and becomes a taboo too. As someone can just as much check if a host is online with ICMP ping disabled, it becomes mere window-dressing. :)

Well, of course you can do what you want with your own software and time. So I guess I will implement a nice and elegant patch for it myself, and add it to my distro’s package. :)

Navid
Evi1M4chine
2011-Mar-05 17:37 UTC
Re: Multiple ICMP types: What to do when you need them, and why they were disabled?
Hey, great news. Thank you, man.

> Actually, there is good news. I had originally taken a similar decision
> with respect to port lists in that Shorewall-perl did not originally
> support port lists with more than 15 ports, even though that was
> supported by Shorewall-shell. I later came up with a way to post-process
> rules with large port lists and break them into multiple rules.

I wonder why it’s so complicated though. Because iptables doesn’t support multiple port types or more than 15 ports? I guess then iptables needs a general patch. :) Because I agree that that is no thing that Shorewall should do. It should be able to just pass a list to iptables.

> The attached patch does the same for ICMP lists. It applies with offsets
> to Shorewall 4.4.15 (which is what I believe Gentoo currently supports):
>
>     patch /usr/share/shorewall/Shorewall/Chains < ICMPLISTS.patch
>
> This patch will be included in Shorewall 4.4.19.

Anyway, thanks. Trying it out today.

By the way: If you still think I’m doing something wrong, I’m happy to learn something.

Navid
Tom Eastep
2011-Mar-05 17:41 UTC
Re: Multiple ICMP types: What to do when you need them, and why they were disabled?
On 3/5/11 9:26 AM, Evi1M4chine wrote:
>
>> If you are so attached to your shell variable that you can't bear to
>> part with it, replace:
> Why that hatred against variables? Maybe you did not mean it like that,
> but you sound like you think I’m stupid for doing it like this. Without
> saying why. I still assume you agree that variables are a good idea for
> clean and structured code (including configuration files). But man, why
> the passive aggression? If you think I’m wrong: I love to learn
> something. :)

I agree that the variable is a good thing.

>
>> BEGIN SHELL
>> for type in $GOOD_ICMP_TYPES; do
>>     echo "ACCEPT z1 z2 icmp $type"
>> done
>> END SHELL
>>
>> That's basically what Shorewall-shell did for you.
> *g* You call that horrible code structure? If a simple loop would cause
> chaos of horror-proportions, the code wouldn’t be very good to begin
> with, right? ;)
> I doubt this is the case, because there must already be a loop for port
> lists, which could do this too (acting as if ICMP types just were ports)
> elegantly.

Please refer to my follow-on post. The problem with doing it that way is that the contents of a single column must drive the entire processing of the rule. There are PORT columns in many of Shorewall's configuration files so if I implemented the code that way in the compiler, there would have to be such a loop in the processing of every file with such a column.

> In fact I would have implemented it this way.

You (and I) might have indeed done it that way if your product only had one file with PORT columns.

>
>> It is really very obvious -- use multiple rules with one type per rule.
> That is the first thought about the options left, that I had.
> But I refused to call it an option, as it is so deeply wrong. As a
> programmer, I learned, that if you have to do something over and over
> again, you automate it. That’s what this machine is for, after all. :)

Again, we are in violent agreement.

>
>> BUT.... there is really no reason to have explicit rules for 'Good'
>> ICMPs; Shorewall automatically allows necessary ICMP types through, even
>> if they are against the relevant policy.
>
> I’m sorry but if Shorewall blocks even standard ping *in a high-security
> vpn inside my own trusted network*, that’s a bit overkill, isn’t it. ;)
> I understand that on an open net, it is a good idea, and therefore a
> smart default to block them. But you can’t say that there is no reason
> at all for ever having a list of good ICMP types. Remember: If you
> assume your users are idiots, then idiots you will get. ;) So let us
> decide, and save yourself the work too. :)

ICMP echo-request is a single type; mentioning it in the context of a discussion of 'good lists' is a bit of a stretch, don't you think?

> (Also, using some other ping like over TCP, until that one gets the same
> negative connotation as ICMP ping [for no valid reason IMHO], and gets
> blocked too, is really as pointless as using “colored”, until that one
> gets the same negative connotation that “black” somehow got, and becomes
> a taboo too. As someone can just as much check if a host is online with
> ICMP ping disabled, it becomes mere window-dressing. :)

Well, a single 'ACCEPT all all icmp 8' rule changes the default, right?

>
> Well, of course you can do what you want with your own software and
> time. So I guess if I will implement a nice and elegant patch for it
> myself, and add it to my distro’s package. :)

I believe that the patch included in my follow-on post is quite elegant :-) Feel free to add it to your distro's package in advance of the release of 4.4.19.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep
2011-Mar-05 17:44 UTC
Re: Multiple ICMP types: What to do when you need them, and why they were disabled?
On 3/5/11 9:37 AM, Evi1M4chine wrote:
> Hey, great news. Thank you, man.
>
>> Actually, there is good news. I had originally taken a similar decision
>> with respect to port lists in that Shorewall-perl did not originally
>> support port lists with more than 15 ports, even though that was
>> supported by Shorewall-shell. I later came up with a way to post-process
>> rules with large port lists and break them into multiple rules.
> I wonder why it’s so complicated though. Because iptables doesn’t
> support multiple port types or more than 15 ports? I guess then iptables
> needs a general patch. :)

It doesn't support more than 15 ports (originally, it didn't support port lists at all).

> Because I agree that that is no thing that Shorewall should do. It
> should be able to just pass a list to iptables.
>
>> The attached patch does the same for ICMP lists. It applies with offsets
>> to Shorewall 4.4.15 (which is what I believe Gentoo currently supports):
>>
>>     patch /usr/share/shorewall/Shorewall/Chains < ICMPLISTS.patch
>>
>> This patch will be included in Shorewall 4.4.19.
> Anyway, thanks. Trying it out today.
>
> By the way: If you still think I’m doing something wrong, I’m happy to
> learn something.

No, you are not -- when I added the ability to support > 15 ports in a list, I should have added the ability to support ICMP type lists at the same time. My oversight.

Let me know if you have problems with the patch.

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Evi1M4chine
2011-Mar-05 18:06 UTC
Re: Multiple ICMP types: What to do when you need them, and why they were disabled?
Tom, forgive me, I did not notice you had already sent a mail with a patch when answering that mail. :)

> You (and I) might have indeed done it that way if your product only had
> one file with PORT columns.

Ok, I didn’t know that Shorewall works this way. Thanks for explaining.

> ICMP echo-request is a single type; mentioning it in the context of a
> discussion of 'good lists' is a bit of a stretch, don't you think?

Lol, no doubt, I have to agree to that. ^^ Of course it’s obviously not the only one. Or it would not be a list.

> I believe that the patch included in my follow-on post is quite elegant
> :-) Feel free to add it to your distro's package in advance of the
> release of 4.4.19.

I don’t know Perl, so I’ll go with “It’s a write-only language, so I will trust you on this.” :D

Navid