Description
Tip
This article can also be useful for the embedded PF on Debian GNU/kFreeBSD!
Following the recommendations from my article about the rules to put in place to allow or block ICMP messages, here are the matching rules for PF, for the *BSDs that use Packet Filter, including OpenBSD:
Manage ICMP
Drop
(…)
icmp_block_types="{ 4 6 15 16 17 18 31 32 33 34 35 36 37 38 39 }"
(…)
block drop quick on egress inet proto icmp icmp-type 3 code 6
block drop in quick on egress inet proto icmp icmp-type 3 code 7
block drop quick on egress inet proto icmp icmp-type 3 code 8
block drop quick on egress inet proto icmp icmp-type $icmp_block_types
(…)
Warning
It seems that PF does not handle types 37 and 38 (respectively Domain Name Request and Domain Name Reply)…
Pass
Info
There is no "limit" equivalent in PF! It seems that this is handled finely by the kernel on OpenBSD.
(…)
icmp_types="{ 8 11 12 }"
(…)
block log
pass out
(…)
pass in quick on egress inet proto icmp from any to egress icmp-type { 3 code 3, 3 code 4 }
pass in quick on egress inet proto icmp from any to egress icmp-type $icmp_types
pass out quick on egress inet proto icmp from egress to any icmp-type { 3 code 3, 3 code 4 }
pass out quick on egress inet proto icmp from egress to any icmp-type $icmp_types
Of course, you can also allow all the other types that may be passed, i.e. those my recommendations say to rate-limit. The three types in $icmp_types are a minimum!
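To keep the policy above in one place, here is an added example (my own code, not part of the original article) that builds the Drop and Pass rules from the type/code lists shown, first checking that no type is both dropped and passed; the PF_REJECTS set only encodes the Warning above, and the rules are emitted as comma-separated lists rather than the space-separated form used in the snippets.

```python
# Added example (not from the original article): build the article's PF ICMP
# rules from a declarative policy and check it for contradictions first.
DROP_TYPES = [4, 6, 15, 16, 17, 18, 31, 32, 33, 34, 35, 36, 37, 38, 39]
DROP_CODES = [(3, 6), (3, 7), (3, 8)]
PASS_TYPES = [8, 11, 12]
PASS_CODES = [(3, 3), (3, 4)]
# Types the article's Warning says PF will not accept in an icmp-type list.
# Omitting them is safe only because the default policy below is "block log".
PF_REJECTS = {37, 38}


def icmp_list(types, codes=()):
    """Render a PF icmp-type list, e.g. '{ 8, 11, 12, 3 code 3 }'."""
    items = [str(t) for t in types] + [f"{t} code {c}" for t, c in codes]
    return "{ " + ", ".join(items) + " }"


def check_policy(drop_types, drop_codes, pass_types, pass_codes):
    """Return the contradictions in a policy (empty list when it is sound)."""
    problems = []
    if set(drop_types) & set(pass_types):
        problems.append("type listed in both drop and pass")
    if set(drop_codes) & set(pass_codes):
        problems.append("type/code listed in both drop and pass")
    per_code = {t for t, _ in drop_codes + pass_codes}
    if per_code & (set(drop_types) | set(pass_types)):
        problems.append("type handled per code but also matched wholesale")
    return problems


def build_rules(drop_types=DROP_TYPES, drop_codes=DROP_CODES,
                pass_types=PASS_TYPES, pass_codes=PASS_CODES):
    """Return pf.conf lines: defaults, then quick drops, then quick passes."""
    problems = check_policy(drop_types, drop_codes, pass_types, pass_codes)
    if problems:
        raise ValueError("; ".join(problems))
    blockable = [t for t in drop_types if t not in PF_REJECTS]
    icmp = "quick on egress inet proto icmp"
    allowed = icmp_list(pass_types, pass_codes)
    return [
        "block log",  # article's default: unmatched traffic is logged and blocked
        "pass out",
        f"block drop {icmp} icmp-type {icmp_list([], drop_codes)}",
        f"block drop {icmp} icmp-type {icmp_list(blockable)}",
        f"pass in {icmp} from any to egress icmp-type {allowed}",
        f"pass out {icmp} from egress to any icmp-type {allowed}",
    ]
```

Write the returned lines into the ICMP section of pf.conf and load them with pfctl as usual; the generator only guarantees the policy is self-consistent, not that PF accepts every listed type.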