OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: indyspeed on May 21, 2018, 07:42:16 pm

Title: ICMP Packet Too Big missing in Firewall Rules
Post by: indyspeed on May 21, 2018, 07:42:16 pm
Is it possible to add the ICMP (Type 2) - Packet Too Big type to the firewall rules pull-down? I see a lot of the other typical types such as destination unreachable, time exceeded, parameter problem, echo reply/request, etc. Packet Too Big would be very helpful because it is required for IPv6 path MTU discovery. I'm trying to filter the ICMP types to reduce the attack surface on downstream devices. I'm just missing this one type for IPv6 to accomplish that task. I did upgrade the box from 18.1.6 to 18.1.8, and a lot of things work better for sure!! But this ICMP type is still missing from the pull-down, and I know that I cannot make changes directly to the /tmp/rules.debug file. They must be auto-generated because on reboot, etc., any changes disappear. Thanks for any assistance!
Title: Re: ICMP Packet Too Big missing in Firewall Rules
Post by: indyspeed on May 24, 2018, 06:53:12 pm
OK, I'm going to answer my own question to a point. As far as RFC 4890 compliance is concerned, there are two components as I understand it: 1) making sure the hop limit is 255, which I believe FreeBSD has already patched in the OS, and 2) filtering specific ICMP types. After going through the PF documentation, as near as I can tell there is no good way to do this in the BSD world. Specifically, if you allow traffic to flow outbound, then PF will create a return rule through its state tracking. This will allow any ICMP type to flow back regardless of the rules you have in place, because the state table will be consulted before any rule processing.
1) Can anyone confirm this to be the case?
2) What is the purpose of having ICMP types defined in the GUI other than echo reply or request? The reason I ask is that the state table/rules will take precedence, so in most cases ICMP filtering via rules will actually be bypassed.
3) How does anyone comply with RFC 4890 with FreeBSD-based systems? At least from an ICMP filtering perspective...
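The filter both posts above are reaching for, written as plain pf.conf (the form OPNsense regenerates into /tmp/rules.debug). This is an added example, not code from either post and not OPNsense's generated ruleset; the interface name em0, the macro names ext_if and lan_net, and the inside prefix 2001:db8:1::/48 (a documentation prefix) are assumptions to substitute. Type and code numbers and the groupings follow RFC 4890 section 4.3 and 4.4.

```pf
# Added example for the thread above, not from the posts or from OPNsense.
# Assumptions: WAN interface em0, inside prefix 2001:db8:1::/48.
ext_if  = "em0"
lan_net = "2001:db8:1::/48"

# Outbound ICMPv6 is left open. The states this rule and the TCP/UDP rules
# create are what pf uses to pass ICMPv6 *error* messages: it looks up the
# original packet embedded in the error in the state table, so a Packet Too
# Big (type 2) answering an inside host's oversized packet is passed by that
# state before any rule is evaluated. Only ICMPv6 that matches no state
# (an inbound Echo Request, an error for a flow pf no longer tracks) reaches
# the rules below.
pass out quick on $ext_if inet6 proto ipv6-icmp keep state

# Default for unsolicited inbound ICMPv6: drop. The "quick" pass rules that
# follow take precedence over this block.
block in log on $ext_if inet6 proto ipv6-icmp

# RFC 4890 4.3.1, traffic that must not be dropped in transit:
#   1   Destination Unreachable, all codes
#   2   Packet Too Big (the type missing from the GUI list; IPv6 routers
#       never fragment, so without it path MTU discovery fails)
#   3   Time Exceeded, code 0 (hop limit exceeded in transit)
#   4   Parameter Problem, codes 1 and 2 (unrecognised next header / option)
#   128 Echo Request, 129 Echo Reply
pass in quick on $ext_if inet6 proto ipv6-icmp from any to $lan_net icmp6-type { 1, 2 } keep state
pass in quick on $ext_if inet6 proto ipv6-icmp from any to $lan_net icmp6-type 3 code 0 keep state
pass in quick on $ext_if inet6 proto ipv6-icmp from any to $lan_net icmp6-type 4 code 1 keep state
pass in quick on $ext_if inet6 proto ipv6-icmp from any to $lan_net icmp6-type 4 code 2 keep state
pass in quick on $ext_if inet6 proto ipv6-icmp from any to $lan_net icmp6-type { 128, 129 } keep state

# RFC 4890 4.3.2, traffic that normally should not be dropped:
#   3 Time Exceeded, code 1 (fragment reassembly time exceeded)
#   4 Parameter Problem, code 0 (erroneous header field)
pass in quick on $ext_if inet6 proto ipv6-icmp from any to $lan_net icmp6-type 3 code 1 keep state
pass in quick on $ext_if inet6 proto ipv6-icmp from any to $lan_net icmp6-type 4 code 0 keep state

# RFC 4890 4.4, link-operation messages addressed to the firewall's own WAN
# interface or to link-scope multicast: MLD (130, 131, 132, 143), Router
# Solicitation/Advertisement (133/134), Neighbor Solicitation/Advertisement
# (135/136). They are never passed to $lan_net. Redirect (137) is left out on
# purpose. pf has no hop-limit match; the kernel's ND code, not pf, rejects
# ND messages whose hop limit is not 255.
pass in quick on $ext_if inet6 proto ipv6-icmp from any to { ($ext_if), ff02::/16 } icmp6-type { 130, 131, 132, 133, 134, 135, 136, 143 } keep state

# Everything else (unallocated error types, experimental types, Node
# Information queries, Router Renumbering) falls through to the block above.
```

With this ordering the answer to the second post's first question is: partly. The state table does let error messages through ahead of the rules, but only those whose embedded packet matches a tracked flow; every other ICMPv6 type, including inbound Echo Request and the ND traffic the firewall itself needs, is decided by the rules, which is why a type list in the GUI still matters and why Packet Too Big deserves an explicit entry for the cases a state no longer covers.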