How to block ICMP Timestamp Requests

Hi,

I know that there already was a similar question here: https://community.sophos.com/utm-firewall/f/network-protection-firewall-nat-qos-ips/117583/blocking-icmp-timestamp-reply-t13-c00-and-t14-c00-not-working

However, this doesn't really help me because I don't simply want to disable all ICMP-related protocols. Does anyone know a way to only block ICMP Timestamp requests (and replies), or IF I disable all ICMP checkboxes in the Firewall tab, which ones should I re-enable afterwards to not have any service issues?
For me it's not clear what those checkboxes "enable".

We also got this as a finding, so we would like to "fix" this. See screenshot. Any help is appreciated.

  • If you use a private address-range, NATed behind some public IP#s, the problem "...can obtain information about your network..." should not exist.

    But I disable all "Firewall forward ..." settings without service problems.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hi,
    yes we do. But the issue is not the network behind it nor the "issue" itself. I know this is super minor to fix but I would like to give potential attackers just one less point of information.
    I think the "Firewall forward" things are not an issue since most of them only forward from internal to external. The timestamp obtained there is only from the UTM itself.

    Maybe we can get a solution here.

  • Martin, if you don't have 'Allow ICMP through Gateway from external networks' selected on the 'ICMP' tab, I don't think you have a problem. If you need some ICMP requests to come through, I prefer to make explicit firewall rules for that.

    cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,
    thanks for the feedback. I know that we did not allow ICMP to go through from external, so this was never a "real" issue.
    Although I took the time to research and want to quickly describe my findings here for anyone else also looking into this.

    - You do not need ICMP even at the Firewall level from external usually
    - You may need it in VPNs when using UDP or when your interfaces don't use default MTU of 1500 or provide UDP services
    - ICMP Type 8 is Echo Request (Ping), Type 3 is Dest. not reachable among others (defined in (Sub)codes) which you may need

    I've now disabled global ICMP altogether and only left all 3 Ping checkboxes enabled, as well as the "Let Traceroute from internal to external". The FW itself is not traceroutable anymore from external.

    With this all of my IPSec VPNs still work fine, same for Road-Warrior SSL-VPN and other things.
    So this one is fixed for me now. Thanks for your help!
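The policy described in the post above (keep ping and the error messages that VPN/MTU handling and traceroute rely on, drop timestamp request/reply) expressed as a small ICMP classifier. This is an added example, not Sophos code or anything from this thread; the packets are constructed inline, and including Time Exceeded (type 11) for traceroute is an assumption based on the post's traceroute checkbox.

```python
import struct

# ICMP types named in the thread plus the ones the final post's policy relies on.
ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
TIMESTAMP_REQUEST, TIMESTAMP_REPLY = 13, 14

# Policy from the final post: keep ping and the error messages that PMTU discovery
# and traceroute need; drop timestamp queries (the scanner finding) and everything else.
# (Type 11 for traceroute is an assumption, not stated explicitly in the thread.)
ALLOWED_TYPES = {ECHO_REQUEST, ECHO_REPLY, DEST_UNREACHABLE, TIME_EXCEEDED}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp(packet: bytes):
    """Return (type, code) of an ICMP message, or None if truncated or corrupt."""
    # A packet carrying a valid checksum sums to zero when re-checksummed.
    if len(packet) < 8 or icmp_checksum(packet) != 0:
        return None
    icmp_type, code = struct.unpack("!BB", packet[:2])
    return icmp_type, code

def verdict(packet: bytes) -> str:
    """'accept' for types the policy keeps, 'drop' for timestamp messages and anything else."""
    parsed = parse_icmp(packet)
    if parsed is None:
        return "drop"
    icmp_type, _ = parsed
    return "accept" if icmp_type in ALLOWED_TYPES else "drop"

def build_icmp(icmp_type: int, code: int, body: bytes) -> bytes:
    """Constructed sample packet: header with a valid checksum, used only for the demo."""
    header = struct.pack("!BBH", icmp_type, code, 0) + body
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(header)) + body

# Constructed sample messages (not captured traffic).
SAMPLES = {
    "ping": build_icmp(ECHO_REQUEST, 0, struct.pack("!HH", 1, 1) + b"ab"),
    "timestamp_request": build_icmp(TIMESTAMP_REQUEST, 0, struct.pack("!HH", 1, 1) + b"\x00" * 12),
    "frag_needed": build_icmp(DEST_UNREACHABLE, 4, b"\x00" * 4),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, verdict(pkt))
```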