Does ICMP have ports

Mike Gannon wrote:


I was asked to evaluate a firewall rule before it was implemented (OK, yeah, confession time: a work question).


I'd like to ask the community for a bit of advice. Why is this rule being allowed?


I've done the cursory Google search and found very little on it. But can someone explain why specifically TCP/UDP port 7?

What exactly is the firewall rule? ICMP has no ports and is neither TCP nor UDP. ICMP is IP protocol 1 (see RFC 792), TCP is IP protocol 6 (described in RFC 793) and UDP is IP protocol 17 (see RFC 768). UDP and TCP have ports; ICMP has no ports, but types and codes. I would say: don't filter ICMP until you know exactly what you are doing.

Do you remember the issues when DSL was introduced and some servers were not reachable anymore via a DSL connection but were reachable via the proxy server of the ISP? The reason for that effect was wrong ICMP filtering on the "server side" firewall: those firewalls filtered out ICMP "fragmentation needed" packets, and the servers were configured to do PMTUD (which has been best common practice for many years). PMTUD (Path MTU Discovery) relies on receiving ICMP "fragmentation needed" packets if the complete path between source and destination has a lower MTU than the link between source and next hop. The server sends its data with the "don't fragment" bit set and reduces the MTU for packets sent to that specific destination if it receives "fragmentation needed" ICMP packets from some device "on the way". If there is a device on the way that throws away those ICMP "fragmentation needed" packets, the server resends the dropped packets, which are too large to reach the destination without fragmentation, again and again with the same high MTU, and they will be dropped again and again ...

If you really want to filter ICMP, never filter ICMP unreachables. I would prefer to never filter ICMP at all (but you may rate-limit ICMP). ICMP filtering will (in my opinion) not lead to much more security, but it will make it much harder to find misconfigurations and reasons for network issues. In my opinion the disadvantages of filtering ICMP are much greater than the advantages of doing so ...
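As an added illustration of the PMTUD point made in the reply above (example code written for this page, not from either poster): it parses the 8-byte ICMP header, shows what a server's PMTUD does with a type 3 / code 4 "fragmentation needed" message, and compares a "drop all ICMP" rule with one that keeps unreachables. The sample datagrams are constructed here; the checksum field is left at zero and is not verified.

```python
import struct

# IP protocol numbers named in the thread (RFC 792 / RFC 793 / RFC 768).
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17

# ICMP type 3 = Destination Unreachable; code 4 = Fragmentation Needed, DF set.
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4

def parse_icmp(payload: bytes) -> dict:
    """Parse the fixed 8-byte ICMP header. For type 3 / code 4 the low 16 bits
    of the second word carry the next-hop MTU (RFC 1191) that PMTUD acts on."""
    if len(payload) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _checksum, rest = struct.unpack("!BBHI", payload[:8])
    info = {"type": icmp_type, "code": code}
    if icmp_type == ICMP_DEST_UNREACH and code == ICMP_FRAG_NEEDED:
        info["next_hop_mtu"] = rest & 0xFFFF
    return info

def update_path_mtu(path_mtu: int, payload: bytes) -> int:
    """What the sending host's PMTUD does on receipt: lower the per-destination
    MTU to the advertised next-hop MTU, then resend with smaller packets."""
    info = parse_icmp(payload)
    if 0 < info.get("next_hop_mtu", 0) < path_mtu:
        return info["next_hop_mtu"]
    return path_mtu

def drop_all_icmp(proto: int, payload: bytes) -> bool:
    """The rule the reply warns against: every ICMP datagram is dropped."""
    return proto == PROTO_ICMP

def drop_icmp_except_unreachables(proto: int, payload: bytes) -> bool:
    """Filter ICMP but never the unreachables (type 3), so 'fragmentation
    needed' still reaches the server doing PMTUD."""
    if proto != PROTO_ICMP:
        return False
    return parse_icmp(payload)["type"] != ICMP_DEST_UNREACH

# Constructed samples: type 3/code 4 with next-hop MTU 1492 (plus the quoted
# original IP header + 8 bytes, zeroed here), and a plain echo request.
FRAG_NEEDED = struct.pack("!BBHHH", 3, 4, 0, 0, 1492) + b"\x00" * 28
ECHO_REQUEST = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"abcd"

def pmtud_survives(rule) -> bool:
    """True if the given firewall rule lets the PMTUD signal through."""
    return not rule(PROTO_ICMP, FRAG_NEEDED)
```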