Author Topic: ICMP Flood???  (Read 7651 times)
gjf
« on: December 07, 2008, 03:09:05 PM »

Hi all!

I have the following in my Firewall logs since I have changed provider:



My rules are as follows:



Unfortunately I have to use general rules to create network politics because I am using another Antivirus, not Comodo's one. The Antivirus WebGuard is proposing the network access to all programs, so I have to restrict it by GR only.

Anyway, what is the reason for such a huge amount of ICMP requests? I'm a little bit afraid because I am using a traffic shaper (cFosSpeed), and in case it does not obtain ping requests it will not work.

I have created the rule #4 (from the upper side of the rule list I have provided) to allow ICMP Type 3 but it looks like it is not Code 0. How could I obtain the code of blocked ICMP in the log?

Do you have some ideas what these ICMP are?
VirusInfo / Defendium / VirusNet Helpers Crew
drragostea
« Reply #1 on: December 09, 2008, 10:54:59 PM »

I seem to have the same problem with the "flood". It seems to occur after I've set up the "Stealth Port Wizard" (Option 3).

Odd thing is that my rule is:

If I happen to remove the Fourth rule, the blocking stops. However, my rule is only in. gjf's rule is both in/out.  Cheers

Time to move forward and upward.
gjf
« Reply #2 on: December 10, 2008, 06:39:16 AM »

Now I understood where to find the code number of blocked ICMP (help rules ;)), but anyway no idea what these ICMP mean.

The only solution is to add allowing rules for ICMP 3.0, 3.1, 3.2, 3.10 and 3.13 (3.10 and 3.13 do not even have a name).
CGPMaster
Guest
« Reply #3 on: December 10, 2008, 11:18:53 AM »

http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
- ICMP

The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite. It is chiefly used by networked computers' operating systems to send error messages—indicating, for instance, that a requested service is not available or that a host or router could not be reached.

ICMP [1] relies on IP to perform its tasks, and it is an integral part of IP. It differs in purpose from transport protocols such as TCP and UDP in that it is typically not used to send and receive data between end systems. It is usually not used directly by user network applications, with some notable exceptions being the ping tool and traceroute.

CG
gjf
« Reply #4 on: December 11, 2008, 02:12:53 PM »

It is very clever but it does not answer my questions.

BTW neither ping nor traceroute need ICMP 3.10 and 3.13.
grue155
« Reply #5 on: December 11, 2008, 08:36:50 PM »

ICMP 3.10 and 3.13 are both firewall reject messages. Not from CFP/CIS, but from a firewall sitting somewhere between your PC and whatever IP address you're trying to reach.

3.10 is "host administratively prohibited", and 3.13 is "communication administratively prohibited".

The difference is that 3.10 is coming from the IP address you're trying to reach. Your packet made it there, but was refused. The 3.10 is the ICMP refusal message. It means that the IP address is not stealthed, but is instead configured to explicitly say "Go Away. Now."

The 3.13 is likely coming from a router. The BSD syntax for this would be "ipfw unreach filter-prohib all from any to any". Cisco routers have a similar syntax, but it is not so straightforward to explain.
Logged
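
Added example, not part of any post in this thread: a small Python decoder for the blocked ICMP type 3 messages discussed above. It reports the code, which address sent the message, and which of your own outbound packets it quotes, so you can see what connection triggered each log entry. The function names are hypothetical, the input is assumed to be raw IPv4 packet bytes, and the sample packets are constructed with documentation-range addresses.

```python
import socket
import struct

# Type 3 (destination unreachable) codes discussed in the thread, plus code 3.
CODES = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
         3: "port unreachable", 10: "host administratively prohibited",
         13: "communication administratively prohibited"}

def ipv4_header(buf):
    """Return (header_len, protocol, src, dst) for the IPv4 header at buf[0:]."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("truncated IPv4 header")
    return ihl, buf[9], socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20])

def explain_unreachable(packet):
    """Decode an IPv4 packet carrying ICMP type 3 and the datagram it quotes."""
    ihl, proto, reporter, _ = ipv4_header(packet)
    icmp = packet[ihl:]
    if proto != 1 or len(icmp) < 8 or icmp[0] != 3:
        raise ValueError("not an ICMP destination-unreachable message")
    code = icmp[1]
    quoted = icmp[8:]  # original IP header + first 8 bytes of its payload
    q_ihl, q_proto, q_src, q_dst = ipv4_header(quoted)
    info = {"code": code, "meaning": CODES.get(code, "other"),
            "reporter": reporter, "orig_src": q_src, "orig_dst": q_dst,
            "orig_proto": q_proto, "from_target": reporter == q_dst}
    if q_proto in (6, 17) and len(quoted) >= q_ihl + 4:  # TCP/UDP ports
        info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", quoted[q_ihl:q_ihl + 4])
    return info

def build_sample(reporter, code, src, dst, dport):
    """Constructed test packet (checksums left zero; not captured traffic)."""
    def ip(proto, s, d, length):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0, 0, 64, proto, 0,
                           socket.inet_aton(s), socket.inet_aton(d))
    tcp8 = struct.pack("!HHI", 49152, dport, 0)
    quoted = ip(6, src, dst, 40) + tcp8
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + quoted
    return ip(1, reporter, src, 20 + len(icmp)) + icmp

if __name__ == "__main__":
    # Documentation-range addresses (RFC 5737), constructed for the example.
    print(explain_unreachable(build_sample("198.51.100.1", 13, "192.0.2.10", "203.0.113.5", 443)))
    print(explain_unreachable(build_sample("203.0.113.5", 10, "192.0.2.10", "203.0.113.5", 443)))
```

The `from_target` field is true when the ICMP message was sent by the same address the quoted packet was addressed to, and false when an intermediate device sent it.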