OS: CentOS 7.0
Per the results of a security scan, it has been suggested that we block ICMP timestamp & timestamp reply messages using the firewall (CVE-1999-0524). I've used firewalld to set up some basic IP filtering for SSH as well as allowing HTTPS, but am stumped on this one.
The only thing I could think of was firewall-cmd --add-icmp-block, but I can't find an icmptype that seems to be relevant to timestamp or timestamp reply. The available types (firewall-cmd --get-icmptypes) are as follows:
destination-unreachable echo-reply echo-request parameter-problem redirect router-advertisement router-solicitation source-quench time-exceeded
How do I block ICMP timestamp requests with firewalld?
Best Answer
firewalld ships with a default set of predefined ICMP types you can use out of the box:
The parser (/usr/lib/python2.7/site-packages/firewall/core/io/icmptype.py) is not limited to these types, though, and can be extended:
First, as per man iptables-extensions(8), section icmp:
The two types you refer to are IPv4 specific, hence you should use the following to find out the appropriate names as recognized by iptables:
Now, if you check the contents of the firewalld package, you'll find where the predefined ICMP types are stored:
If you check the parser referenced above, you'll see it uses the XML file name as the ICMP type when talking to iptables, so you need to write two new files for the ICMP types you want to use, using the ICMP type names found above. User-created ICMP types should be stored in /etc/firewalld/icmptypes.
You'll end up with:
Validate them using the provided XSD:
Reload the firewall:
And finally add them:
You can check they have been added by looking at the iptables rules directly:
Types 13 and 14 are the newly added ICMP types.
For reference, you can read the firewalld.icmptypes(5) manpage.
These ICMP types have been included upstream.
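The procedure the answer walks through, as an added example script (not the answerer's own commands): it writes the two icmptype XML files, validates them, reloads firewalld and blocks both types. It assumes the iptables type names timestamp-request (type 13) and timestamp-reply (type 14), as listed by `iptables -p icmp -h`, and that the schema lives at /usr/lib/firewalld/xmlschema/icmptype.xsd.

```shell
#!/bin/sh
# Added example, not part of the original answer. Assumed names:
# "timestamp-request" (ICMP type 13) and "timestamp-reply" (type 14)
# as printed by `iptables -p icmp -h`; assumed XSD path below.
set -eu

# Write one icmptype definition. firewalld passes the file name (minus .xml)
# to iptables as the type name, so it must equal the iptables name.
write_icmptype() {
    dir=$1; name=$2; desc=$3
    cat > "$dir/$name.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<icmptype>
  <short>$name</short>
  <description>$desc</description>
  <destination ipv4="yes"/>
</icmptype>
EOF
}

# Both types are IPv4-only (ICMPv6 has no timestamp messages),
# so the destination element carries no ipv6 attribute.
generate_icmptypes() {
    dir=$1
    mkdir -p "$dir"
    write_icmptype "$dir" timestamp-request "ICMP type 13: request for the host's timestamp."
    write_icmptype "$dir" timestamp-reply   "ICMP type 14: reply to a timestamp request."
}

# Validate against the schema firewalld ships, reload so the new types are
# known, then block them permanently and at runtime. Needs root.
install_blocks() {
    dir=/etc/firewalld/icmptypes
    generate_icmptypes "$dir"
    for t in timestamp-request timestamp-reply; do
        xmllint --noout --schema /usr/lib/firewalld/xmlschema/icmptype.xsd "$dir/$t.xml"
    done
    firewall-cmd --reload
    for t in timestamp-request timestamp-reply; do
        firewall-cmd --permanent --add-icmp-block="$t"
        firewall-cmd --add-icmp-block="$t"
    done
    # Confirm the rules reached the kernel: expect one line each for types 13 and 14.
    iptables -S | grep -E -- '--icmp-type 1[34]( |$)'
}

# Usage as root: sh block-icmp-timestamp.sh install
if [ "${1:-}" = install ]; then install_blocks; fi
```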