ICMP (Internet Control Message Protocol, RFC 792) access list
syntax doesn't use port numbers, but adds options to filter on the ICMP
message type and code. The syntax for filtering ICMP is as follows:
access-list acl# {permit | deny} icmp
{source wildcard | any} {destination wildcard |
any} [icmp-type | [[icmp-type icmp-code] |
[icmp-message]] [precedence precedence]
[tos tos] [log | log-input] [options]
The following output shows the symbolic names (available since IOS 10.3)
that can be used in place of numeric ICMP type and code values:
Rtr1(config)#access-list 101 permit icmp any any ?
<0-255> ICMP message type
administratively-prohibited Administratively prohibited
alternate-address Alternate address
conversion-error Datagram conversion
dod-host-prohibited Host prohibited
dod-net-prohibited Net prohibited
echo Echo (ping)
echo-reply Echo reply
general-parameter-problem Parameter problem
host-isolated Host isolated
host-precedence-unreachable Host unreachable for precedence
host-redirect Host redirect
host-tos-redirect Host redirect for TOS
host-tos-unreachable Host unreachable for TOS
host-unknown Host unknown
host-unreachable Host unreachable
information-reply Information replies
information-request Information requests
log Log matches against this entry
log-input Log matches against this entry, including input interface
mask-reply Mask replies
mask-request Mask requests
mobile-redirect Mobile host redirect
net-redirect Network redirect
net-tos-redirect Net redirect for TOS
net-tos-unreachable Network unreachable for TOS
net-unreachable Net unreachable
network-unknown Network unknown
no-room-for-option Parameter required but no room
option-missing Parameter required but not present
packet-too-big Fragmentation needed and DF set
parameter-problem All parameter problems
port-unreachable Port unreachable
precedence Match packets with given precedence value
precedence-unreachable Precedence cutoff
protocol-unreachable Protocol unreachable
reassembly-timeout Reassembly timeout
redirect All redirects
router-advertisement Router discovery advertisements
router-solicitation Router discovery solicitations
source-quench Source quenches
source-route-failed Source route failed
time-exceeded All time exceededs
timestamp-reply Timestamp replies
timestamp-request Timestamp requests
tos Match packets with given TOS value
traceroute Traceroute
ttl-exceeded TTL exceeded
unreachable All unreachables
RFC 1812 specifies that a packet discarded by a filter (ACL) should
cause an ICMP Administratively Prohibited message (Destination Unreachable,
type 3, code 13) to be sent back to the sender, using the sender's address as
destination and the filtering router's interface address as source. While this
is informative to the sender, it is not necessarily good security practice for
the network behind the router: not sending the message to external users may be
better, because it implies that something is worth protecting, or worth
attacking, depending on your point of view. It also lets a scanner distinguish a
filtered address from one that simply does not exist. One solution is to deny
ICMP Administratively Prohibited messages outbound at the external interface.
Note that an outbound ACL on IOS does not filter packets the router itself
generates, so it suppresses these messages from devices behind the router; to
stop the border router's own unreachables, disable them on the interface with
no ip unreachables.
In the following extended ACL example, if the ACL is applied to
outbound traffic on a border router's external interface (ip access-group 101
out), the first statement blocks any echo replies from leaving the network. This
prevents ping responses, denying the sender connectivity information about the
address. If you ping www.microsoft.com, you can see this policy in effect. The
second statement blocks ICMP Administratively Prohibited messages from notifying
the sender that an ACL discarded their packets.
access-list 101 deny icmp any any echo-reply
access-list 101 deny icmp any any administratively-prohibited
access-list 101 permit ip any any
The final statement permits all other IP traffic: the remaining ICMP
messages, plus all TCP and UDP packets. Be careful not to widen the second
statement to deny all unreachables outbound, since that would also drop
packet-too-big (type 3, code 4) messages and break Path MTU Discovery for
hosts outside the network.
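As an added example (not IOS code or the book's own material), the following Python simulator applies the first-match, implicit-deny semantics of an IOS extended ACL to constructed ICMP packets. It carries the RFC 792 / RFC 1812 type and code numbers behind a subset of the symbolic names listed above, so you can see exactly which packets the three-line ACL drops and which it lets through. The packet addresses are constructed test values; the address-spec, wildcard and ACL-line handling covers permit/deny, icmp/ip/tcp/udp, any, host, and address-wildcard pairs, but not the log, precedence or tos options.

```python
"""Simulate an IOS extended ACL against ICMP packets (added example, not IOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# (type, code) behind a subset of the IOS symbolic names; None = any code.
# Values are from RFC 792 / RFC 1812, not read from a router.
ICMP_NAMES = {
    "echo-reply": (0, None),
    "unreachable": (3, None),               # all unreachables
    "net-unreachable": (3, 0),
    "host-unreachable": (3, 1),
    "protocol-unreachable": (3, 2),
    "port-unreachable": (3, 3),
    "packet-too-big": (3, 4),               # fragmentation needed and DF set
    "source-route-failed": (3, 5),
    "network-unknown": (3, 6),
    "host-unknown": (3, 7),
    "host-isolated": (3, 8),
    "dod-net-prohibited": (3, 9),
    "dod-host-prohibited": (3, 10),
    "net-tos-unreachable": (3, 11),
    "host-tos-unreachable": (3, 12),
    "administratively-prohibited": (3, 13),
    "host-precedence-unreachable": (3, 14),
    "precedence-unreachable": (3, 15),
    "source-quench": (4, None),
    "redirect": (5, None),
    "net-redirect": (5, 0),
    "host-redirect": (5, 1),
    "echo": (8, None),
    "router-advertisement": (9, None),
    "router-solicitation": (10, None),
    "time-exceeded": (11, None),
    "ttl-exceeded": (11, 0),
    "reassembly-timeout": (11, 1),
    "parameter-problem": (12, None),
    "timestamp-request": (13, None),
    "timestamp-reply": (14, None),
    "mask-request": (17, None),
    "mask-reply": (18, None),
}


@dataclass
class Packet:
    proto: str                  # "icmp", "tcp", "udp", ...
    src: str
    dst: str
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def _addr_spec(tokens):
    """Consume one source/destination spec; return (address, wildcard) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def _match_addr(addr, spec):
    """Wildcard-mask match: bits set in the wildcard are don't-care."""
    net, wild = spec
    return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)


def parse_acl(text):
    """Parse 'access-list N {permit|deny} proto src dst [icmp-type [code]]' lines."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto, rest = t[2], t[3], t[4:]
        src, dst = _addr_spec(rest), _addr_spec(rest)
        itype = icode = None
        if proto == "icmp" and rest:
            if rest[0] in ICMP_NAMES:           # symbolic name
                itype, icode = ICMP_NAMES[rest[0]]
            elif rest[0].isdigit():             # numeric type [code]
                itype = int(rest[0])
                if len(rest) > 1 and rest[1].isdigit():
                    icode = int(rest[1])
        entries.append((action, proto, src, dst, itype, icode))
    return entries


def evaluate(entries, pkt):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for action, proto, src, dst, itype, icode in entries:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (_match_addr(pkt.src, src) and _match_addr(pkt.dst, dst)):
            continue
        if proto == "icmp":
            if itype is not None and pkt.icmp_type != itype:
                continue
            if icode is not None and pkt.icmp_code != icode:
                continue
        return action
    return "deny"                                # implicit deny any any


# The ACL from the text, applied outbound on the border router.
ACL_101 = """
access-list 101 deny icmp any any echo-reply
access-list 101 deny icmp any any administratively-prohibited
access-list 101 permit ip any any
"""

if __name__ == "__main__":
    acl = parse_acl(ACL_101)
    # Constructed packets leaving the network (addresses from RFC 5737 ranges).
    for pkt in (Packet("icmp", "192.0.2.10", "198.51.100.5", 0, 0),    # echo-reply
                Packet("icmp", "192.0.2.1", "198.51.100.5", 3, 13),    # admin-prohibited
                Packet("icmp", "192.0.2.1", "198.51.100.5", 3, 4),     # packet-too-big
                Packet("tcp", "192.0.2.10", "198.51.100.5")):
        print(pkt, "->", evaluate(acl, pkt))
```

Running the block shows the two denied ICMP messages and the permitted packet-too-big and TCP packets. Swapping the second line for `deny icmp any any unreachable` makes the packet-too-big case fall to deny as well, which is the Path MTU Discovery problem mentioned above.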