Accepted ICMP packets on the ppp0?

userr0

Today I found some weird entries in my log:
Code:
Mar  9 16:39:04 172.25.1.1 kernel: ACCEPT IN=ppp0 OUT= MAC= SRC=35.198.*.* DST=x.x.x.x LEN=32 TOS=0x00 PREC=0x00 TTL=59 ID=47802 PROTO=ICMP TYPE=17 CODE=0
Mar  9 16:39:05 172.25.1.1 kernel: ACCEPT IN=ppp0 OUT= MAC= SRC=35.198.*.* DST=x.x.x.x LEN=32 TOS=0x00 PREC=0x00 TTL=59 ID=47802 PROTO=ICMP TYPE=17 CODE=0
Mar  9 16:39:06 172.25.1.1 kernel: ACCEPT IN=ppp0 OUT= MAC= SRC=35.198.*.* DST=x.x.x.x LEN=28 TOS=0x00 PREC=0x00 TTL=59 ID=47802 PROTO=ICMP TYPE=15 CODE=0
Mar  9 16:39:07 172.25.1.1 kernel: ACCEPT IN=ppp0 OUT= MAC= SRC=35.198.*.* DST=x.x.x.x LEN=28 TOS=0x00 PREC=0x00 TTL=59 ID=47802 PROTO=ICMP TYPE=15 CODE=0

As far as I know, the router must block all unsolicited(?) incoming traffic, including icmp packets.
But it doesn't block icmp:
Code:
$ grep -i icmp iptsav 
:INPUT_ICMP - [0:0]
-A INPUT -p icmp -m icmp --icmp-type 8 -j INPUT_PING
-A INPUT -p icmp -j INPUT_ICMP
-A INPUT_ICMP -p icmp -m icmp --icmp-type 8 -j RETURN
-A INPUT_ICMP -p icmp -m icmp --icmp-type 13 -j RETURN
-A INPUT_ICMP -p icmp -j logaccept
-A INPUT_PING -i ppp0 -p icmp -j logdrop
-A INPUT_PING -i eth0 -p icmp -j logdrop
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j logdrop
This line was cut from the output of iptables-save.
Could you tell me why nearly all ICMP packets are allowed?
Is it a bug? Or are these packets necessary for IPv4 to work?
 
Did you enable “Respond ICMP Echo (ping) Request from WAN” on the Firewall page?

EDIT: After 2 cups of coffee, I now see that I didn’t fully understand your post. Disregard me.
 
So... the type 15 and 17 are necessary?
They may be necessary or they may not (probably not). The router doesn't know what's necessary for your particular connection. You could block them with a script if you wanted to.
 
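Code:
# Replace the INPUT_ICMP rules with a single DROP when nvram misc_ping_x is 0.
# $iptables and $FILENAME are not defined in this excerpt; they are assumed to
# be set earlier in the poster's script.
if [ "$(nvram get misc_ping_x)" = "0" ]; then
    logger -t "CustomScript:$FILENAME" "Modifying ICMP block."
    # Flush the existing rules in INPUT_ICMP, then drop all ICMP reaching it
    $iptables -F INPUT_ICMP
    $iptables -I INPUT_ICMP -p icmp -j DROP
fi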
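
An added example, not written by any poster in this thread: a small Python walk of the ICMP rules quoted in the first post, showing why type 15 (information request) and type 17 (address mask request) packets arriving on ppp0 end at logaccept while echo requests are dropped. It models only the INPUT-path rules that were posted; the function names and the simplified rule matching are assumptions of this sketch.

```python
import re

# ICMP rules on the INPUT path, copied from the iptables-save output in the
# first post (SECURITY chain omitted; the rest of the ruleset was not posted).
RULES = """\
-A INPUT -p icmp -m icmp --icmp-type 8 -j INPUT_PING
-A INPUT -p icmp -j INPUT_ICMP
-A INPUT_ICMP -p icmp -m icmp --icmp-type 8 -j RETURN
-A INPUT_ICMP -p icmp -m icmp --icmp-type 13 -j RETURN
-A INPUT_ICMP -p icmp -j logaccept
-A INPUT_PING -i ppp0 -p icmp -j logdrop
-A INPUT_PING -i eth0 -p icmp -j logdrop
"""

def parse_rules(text):
    """Group rules by chain as (in_iface, icmp_type, target); None means any."""
    chains = {}
    for line in text.splitlines():
        chain = re.search(r"-A (\S+)", line).group(1)
        iface = re.search(r"-i (\S+)", line)
        itype = re.search(r"--icmp-type (\d+)", line)
        target = re.search(r"-j (\S+)", line).group(1)
        chains.setdefault(chain, []).append(
            (iface and iface.group(1), itype and int(itype.group(1)), target))
    return chains

def verdict(chains, iface, icmp_type, chain="INPUT"):
    """Return the terminal target, or None if these rules reach no decision."""
    for r_iface, r_type, target in chains[chain]:
        if r_iface not in (None, iface) or r_type not in (None, icmp_type):
            continue                    # rule does not match this packet
        if target == "RETURN":
            return None                 # back to the calling chain
        if target not in chains:
            return target               # terminal: logaccept / logdrop
        result = verdict(chains, iface, icmp_type, target)
        if result:
            return result
    return None

def classify(log_line, chains):
    """Map one kernel log line to (icmp_type, verdict under the rules above)."""
    f = dict(kv.split("=", 1) for kv in log_line.split() if "=" in kv)
    t = int(f["TYPE"])
    return t, verdict(chains, f["IN"], t) or "undecided (later rules not shown)"

if __name__ == "__main__":
    # First log line from the post, with the middle fields trimmed.
    line = "kernel: ACCEPT IN=ppp0 OUT= MAC= SRC=35.198.*.* PROTO=ICMP TYPE=17 CODE=0"
    print(classify(line, parse_rules(RULES)))
```

Only types 8 and 13 leave INPUT_ICMP via RETURN; every other ICMP type that reaches the chain, on any interface, hits the final logaccept rule.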
 