Block IP Address including ICMP using UFW
- by dr jimbob
I prefer ufw to iptables for configuring my software firewall. After reading about this vulnerability also on askubuntu, I decided to block the fixed IP of the control server: 212.7.208.65. I don't think I'm vulnerable to this particular worm (and understand the IP could easily change), but wanted to answer
this particular comment about how you would configure a firewall to block it.
I planned on using:
# sudo ufw deny to 212.7.208.65
# sudo ufw deny from 212.7.208.65
However as a test that the rules were working, I tried pinging after I setup the rules and saw that my default ufw settings let ICMP through even from an IP address set to REJECT or DENY.
# ping 212.7.208.65
PING 212.7.208.65 (212.7.208.65) 56(84) bytes of data.
64 bytes from 212.7.208.65: icmp_seq=1 ttl=52 time=79.6 ms
^C
--- 212.7.208.65 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 79.630/79.630/79.630/0.000 ms
Now, I'm worried that my ICMP settings are too generous (conceivably this or a future worm could setup an ICMP tunnel to bypass my firewall rules).
I believe this is the relevant part of my iptables rules is given below (and even though grep doesn't show it; the rules are associated with the chains shown):
# sudo iptables -L -n | grep -E '(INPUT|user-input|before-input|icmp |212.7.208.65)'
Chain INPUT (policy DROP)
ufw-before-input all -- 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-input (1 references)
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 4
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 12
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ufw-user-input all -- 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-input (1 references)
DROP all -- 0.0.0.0/0 212.7.208.65
DROP all -- 212.7.208.65 0.0.0.0/0
How should I go about making it so ufw blocks ICMP when I specifically attempt to block an IP address?
My /etc/ufw/before.rules has in part:
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
I'm tried changing ACCEPT above to ufw-user-input:
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ufw-user-input
-A ufw-before-input -p icmp --icmp-type source-quench -j ufw-user-input
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ufw-user-input
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ufw-user-input
-A ufw-before-input -p icmp --icmp-type echo-request -j ufw-user-input
But ufw wouldn't restart after that. I'm not sure why (still troubleshooting) and also not sure if this is sensible? Will there be any negative effects (besides forcing the software firewall to force ICMP through a few more rules)?