PF What are the optimal ICMP rules in pf.conf (for a web + mail server)?

dbdemon · Jul 22, 2023

In /etc/pf.conf I currently have:

Code:

icmp_types = "{ echoreq unreach }"
...
pass inet proto icmp icmp-type $icmp_types
pass inet6 proto icmp6

However, I thought maybe it would be prudent to tighten up the IPv6 rule a bit, so I changed it to:

Code:

icmp_types = "{ echoreq unreach }"
icmp6_types = "{ echoreq unreach timex paramprob routeradv routersol neighbrsol }"
...
pass inet proto icmp icmp-type $icmp_types
pass inet6 proto icmp6 icmp6-type $icmp6_types

(^^ edited to fix typo as pointed out by facedebouc )

However, that gave terrible results for the web server on https://internet.nl (failed both the IPv6 and HTTPS tests). So, it seems that was too restrictive.

What would be the required icmp6-types in this case? Or, is there any harm in just allowing all of them?

facedebouc · Jul 22, 2023

dbdemon said:
In /etc/pf.conf I currently have:

Code:

icmp_types = "{ echoreq unreach }" ... pass inet proto icmp icmp-type $icmp_types pass inet6 proto icmp6

However, I thought maybe it would be prudent to tighten up the IPv6 rule a bit, so I changed it to:

Code:

icmp_types = "{ echoreq unreach }" icmp6_types = "{ echoreq unreach timex paramprob routeradv routersol neighbrsol }" ... pass inet proto icmp icmp-type $icmp_types pass inet6 proto icmp6 icmp6-type $icmp_types

However, that gave terrible results for the web server on https://internet.nl (failed both the IPv6 and HTTPS tests). So, it seems that was too restrictive.

What would be the required icmp6-types in this case? Or, is there any harm in just allowing all of them?

It seems there is a typo in the pass inet6 rule.

dbdemon · Jul 22, 2023

facedebouc said:
It seems there is a typo in the pass inet6 rule.

Ah, thank you for pointing that out. I think it must have been only when I reproduced the rule in my post above that I made the typo. I retried the internet.nl test and I now had:

Code:

pass inet6 proto icmp6 icmp6-type $icmp6_types

... and it still gave me the same terrible score.

facedebouc · Jul 22, 2023

I get 100% with the same PF rule.

Code:

# Allowed ICMP types
# The additional ICMPv6 types are for neighbor discovery (RFC 4861)
# see also  icmp6(4).
icmp_types  = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach, routeradv, neighbrsol, neighbradv }"

# Allow ICMP
pass inet proto icmp icmp-type $icmp_types
pass inet6 proto icmp6 icmp6-type $icmp6_types

dbdemon · Jul 22, 2023

Thanks again - adding your "neighbradv" icmp6-type gave me a good score again! So, I guess that's the one I was missing.