
Blocking ICMP Timestamp/Reply [T13/C00 and T14/C00] not working

I am trying to block all external ICMP timestamp and timestamp reply requests, but no configuration I've tried has worked.

Latest Sophos UTM 9 version

Top Firewall Rule

Sources: Internet IPv4

Services: ICMP Timestamp (Type of definition: ICMP, Code: [T13/C00] Timestamp) and ICMP Timestamp Reply 

Destinations: Public external IP of UTM

Action: Drop


When pinging using PowerPing --timestamp, I still get timestamp replies from the UTM.

Security best practice is to have these disabled, so Sophos should probably be blocking these by default, as well as adding the settings to the ICMP tab for easy management.

Sophos even acknowledge this as best practice for their client firewall product: https://community.sophos.com/kb/en-us/57757#ICMP



  • Hi There,

    Have you checked in Automatic firewall rules to see if there is any firewall rule with ANY as a service? Or a DNAT?

    Further, would you please provide the packetfilter.log for the packets that were responded to by the Sophos UTM?

    Regards

    Jaydeep

  • Just to be certain, are you sure the replies are coming from the UTM?

    I've had the same issue and it turned out that, no matter what, the router that I received from my ISP (FritzBox 74890) was always responding to the ping request.

     
    SFVH (SFOS 20.0.0 GA-Build222) - Last (re)boot on November 6th  2023
    Asus H410i-plus - Pentium 6605 Gold - 250GB M.2 PCIe NVMe SSD - 8GB - 3 ports
    [If any of my posts are helpful to you please use the 'Verify Answer' link]
  • There were several automatic firewall rules and DNATs with ANY as the protocol; however, removing/disabling them did not resolve the issue.

  • Peter-Paul,

    The ping responses are definitely coming from the UTM because if I disable my firewall rule for ICMP [T08/C00] Echo Request all pings fail.

  • Have you tried a packet capture on the UTM when the timestamp requests are successful?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
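
For the packet-capture check suggested in the last reply, an added example (not posted by anyone in this thread): it decodes ICMP Timestamp (type 13) and Timestamp Reply (type 14) messages from raw IPv4 packets and reports which source address answered each request. The function names, the documentation-range addresses and the sample packets are constructed for illustration.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp_timestamp(packet: bytes):
    """Decode an ICMP type 13/14 message from a raw IPv4 packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None
    ihl, total_len = (packet[0] & 0x0F) * 4, struct.unpack("!H", packet[2:4])[0]
    icmp = packet[ihl:total_len]
    if ihl < 20 or len(icmp) < 20 or icmp[0] not in (13, 14):
        return None
    typ, code, _, ident, seq, orig, recv, xmit = struct.unpack("!BBHHHIII", icmp[:20])
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "ttl": packet[8], "type": typ, "code": code, "id": ident, "seq": seq,
            "originate_ms": orig, "receive_ms": recv, "transmit_ms": xmit,
            "checksum_ok": inet_checksum(icmp) == 0}

def answered_requests(packets):
    """Return (replier, id, seq) for each valid type 14 that answers a seen type 13."""
    pending, answered = set(), []
    for msg in filter(None, map(parse_icmp_timestamp, packets)):
        if not msg["checksum_ok"]:
            continue
        if msg["type"] == 13:
            pending.add((msg["src"], msg["dst"], msg["id"], msg["seq"]))
        elif (msg["dst"], msg["src"], msg["id"], msg["seq"]) in pending:
            answered.append((msg["src"], msg["id"], msg["seq"]))
    return answered

def build(src, dst, ttl, typ, ident, seq, orig, recv=0, xmit=0):
    """Construct a sample IPv4+ICMP packet (test data; IP header checksum left 0)."""
    body = struct.pack("!BBHHHIII", typ, 0, 0, ident, seq, orig, recv, xmit)
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, ttl, 1, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + body

# Constructed capture: documentation addresses, not values from the thread.
TESTER, FIREWALL = "198.51.100.7", "203.0.113.10"
SAMPLE = [
    build(TESTER, FIREWALL, 52, 13, 0x1234, 1, 36000000),
    build(FIREWALL, TESTER, 64, 14, 0x1234, 1, 36000000, 36000012, 36000012),
    build(TESTER, FIREWALL, 52, 8, 0x1234, 2, 0),  # echo request, ignored
]
```

Run over packets captured on the firewall's external interface, a request with a matching reply means the firewall itself answered; if no request appears there at all, an upstream device is answering instead.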