Checkpoint FW-1, Version 4.0 and 4.1

Using the INSPECT language to implement stateful ICMP messages

Introduction
How does it work?
How to apply the patch?
How to use it?
Patch limitation (or features)
License
Files modified

Introduction

Checkpoint FW-1 has built-in rules to handle TCP and UDP connections in a stateful way. Unfortunately, ICMP is not covered by the built-in rules.

ICMP is mainly used in two situations:

Debugging: using the ping command to send ICMP echo-request and receive ICMP echo-reply, to check that a host is alive.
Error handling: ICMP is the error handling protocol for IP. ICMP error messages are very important for healthy IP connection.

In this example, I want to offer two new optional features:

Allowing ping in a stateful way, where an ICMP echo-reply message will be accepted only if we saw it before and ICMP echo-request matching the same IP addresses.
Allowing ICMP error messages only if they have a normal size and if they are related to an existing TCP/UDP or ICMP connection.

This code is provided as an example, under a BSD style license. Feel free to modify it to reflect your needs.
Comments, flames or suggestions about this code are welcome. Please, send question not directly related to this code to the FW-1 DL.

How does it work?

For this section, it is important to understand how the prologue field defined on the User Defined Service Properties works. When you type an INSPECT command in the prologue field of an active service, this command will be executed in the prologue section, which means before the rule set is executed, and for any packet. Some good example of prologue code are provided in the $FWDIR/lib/base.def file.

Stateful ping:

Each ICMP echo-request accepted will be recorded in a new dynamic table as an existing ICMP connection.

RECORD_CONN

$FWDIR/lib

RECORD_CONN

accept

RECORD_CONN

Then, in a prolog section, we accept ICMP echo-reply message if they match a recorded connection. The matching is done on the IP addresses (src = dst recorded, dst = src recorded) but also on the icmp_id and icmp_seq field. There is no limitation on the size of ICMP ping message, but when an ICMP echo-reply message match an existing entry, we delete this entry to limit replies to one ICMP echo-reply message for each ICMP echo-request message. Note that it will limit ping requests send to a local broadcast.

For the ICMP stateful error messages:

If its size is greater than 112 bytes, it will be dropped ,as there is no reason to ever received a larger ICMP error message. An explanation for the magical 112 number can be found on the TCP/IP Illustrated volume I page 79. In addition to the IP header (20 bytes) and the ICMP header (8 Bytes), an ICMP destination-unreachable message adds at least the IP header of the original IP datagram that generated the error (20 bytes) plus at least the 8 first bytes of its data portion.
Most BSD implementation will returned 8 bytes exactly, but Solaris will return the 64 first bytes :-) Which makes a total of 20 + 8 + 20 + 64 = 112 . Note that we always assume that the IP header is exactly 20 bytes, which means no options are used.
An ICMP error message is required to include in its data part, the IP header of the packet which had generated this error. If this included IP header matches an existing TCP/UDP or ICMP connection, the packet will be accepted.
If none of these checks matches the packet, nothing is done, and the ruleset will be applied normally.

See the file icmpstate.def for more details. The patch will include icmpstate.def on the base.def file.

How to apply the patch?

BACKUP your $FWDIR, especially the $FWDIR/lib as files will be modified.
Turn OFF the dangerous Accept ICMP property.
Download the file PatchICMP from http://yassp.parc.xerox.com/fw1/PatchICMP
verify it's PGP signature http://yassp.parc.xerox.com/fw1/PatchICMP.asc with my PGP key
check that the variable $FWDIR is setup or change directory to your $FWDIR/lib directory. (You may want to copy your $FWDIR/lib to a test directory, cd to it, and apply first the path to this test directory to verify what files are changed and how)
run the patch : sh PatchICMP

Note: The PatchICMP is a set of sed script, trying to do the right thing on the version (4.0 SP3, 4.1) I have tested. You may want, instead of running it, to read it and manually apply the changes, especially if you have a customize version of base.def or fwui_head.def.

Reapply your ruleset. Nothing has changed yet as the patch is not turned on by default. It should compile and install ok.

How to use it?

Edit $FWDIR/lib/fwui_head.def and uncomment the line which defined ICMPSTATE. It will enable to new code to run.
In your ruleset, define a new service named for example pingstateful, type other

in the match tab type icmp, icmp_type=ICMP_ECHO In your object file, it will looks like:


		: (pingstateful
			:color ("dark orchid")
			:type (Other)
			:comments ("Stateful ICMP")
                        :exp ("icmp, icmp_type=ICMP_ECHO")
                        :prolog ("ping_stateful_eitherbound;")
			:prematch ()
		)

in the prolog tab type ping_stateful_inbound or ping_stateful_outbound or ping_stateful_eitherbound depending on the direction you choose to apply your gateway rule on the properties setup window.
Create a rule <from> your network <Destination> Any <service>pingstateful <Action> accept <Track> Long
Re-apply your policy.

At this step, stateful ping is allowed from your network to any network. Up to you to refine that rule.

For enabling ICMP stateful error, add icmperror_stateful in the prolog of an active service defined as other services. For example, in a firewall where the property Apply Gateway Rules to Interface Direction matched Eitherbound, and if you have defined the pingstateful service as explained above, use the following prologue to enable stateful ping and ICMP stateful error messages :
ping_stateful_eitherbound; icmperror_stateful;. In your object file, it will looks like:


		: (pingstateful
			:color ("dark orchid")
			:type (Other)
			:comments ("Stateful ICMP")
                        :exp ("icmp, icmp_type=ICMP_ECHO")
                        :prolog ("ping_stateful_eitherbound; icmperror_stateful;")
			:prematch ()
		)

If you are running 4.1, which has the option of logging the packet accepted by the implied rules, and if this option is checked, then all ICMP packets accepted by the two prolog functions will be logged.
If you want to see really what's going on, uncomment the line defining ICMPSTATEDEBUG in $FWDIR/lib/fwui_head.def and everything will be logged.

Patch limitation (or features)

Without ICMPSTATEDEBUG defined, on a FW-1 were the option of loggin implies rules is not turn on, ICMP echo-reply or ICMP error messages will fly through your FW without being logged, just as a ftp call back connection is not logged by default. Forcing them to be logged is easily done by editing icmpstate.def.
No more than one echo-reply for one echo-request. Ping to a (local) will generate only one reply, the others will be dropped and logged.
All the ICMP error messages have a size limited to less than 112 bytes.
The icmperror_stateful prolog, if enable, will be applied to any existing connections. Restricting ICMP error to specific src or dst need a (simple) code editing of icmpstate.def.
ICMP error will fly only for TCP, UDP or ICMP connections. Other IP protocols like IPsec are not recorded as connection by the FW-1 state engine. ICMP packets related to these others IP protocols will not be accepted by this extension.
the default timeout for the dynamic table recording the ICMP connection is set to 60 seconds.
Too bad INSPECT is so poorly documented. It's a very powerful language. Please share your INSPECT code.

License

 
ICMP INSPECT SCRIPT
      This code is under BSD license:
 Copyright (c) 2000, Jean Chouanard , Xerox - PARC
      All rights reserved.

      Redistribution and use in source and binary forms, with or without modification, are 
      permitted provided that the following conditions are met:

           Redistributions of source code must retain the above copyright notice, this list 
           of conditions and the following disclaimer.

           Redistributions in binary form must reproduce the above copyright notice, this list 
           of conditions and the following disclaimer in the documentation and/or other
           materials provided with the distribution.

           Neither name of the Xerox-PARC nor the names of its contributors may be used to 
           endorse or promote products derived from this software without specific
           prior written permission. 

      THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS'' AND ANY 
      EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 
      OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL 
      THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 
      EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
      SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
      HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 
      OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
      THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 


 This code is originally based of Checkpoint stateful_icmp function defined in base.def
 and from the code of William D. Burns (shadow@netscape.com), 
              http://people.netscape.com/shadow/work/inspect/index.html

 It was modify to:
      - restrict ICMP request to echo-request
      - restrict ICMP replies to echo-reply
      - check the icmp sequence (From the code of William D. Burns)
      - Delete entries from the icmp table when a match is found
        to limit ICMP reply to *one* packet (From the code of William D. Burns)
      - the recording of the outgoing accepted ICMP request in the ICMP connection table is 
        done in the CONN_RECORD macro so that only accepted request will be recorded.
      - Offer to accept ICMP error code related to existing UDP TCP or ICMP connections
        as an option

Modified files

$FWDIR/lib/fwui_head.def is modified to include near its beginning the following commented lines explaining and defining the two variables used:

+ //
+ // The Following are use to control the ICMP Stateful code:
+ // ICMPSTATE: if not defined, no change are done to the existing code
+ // ICMPSTATEDEBUG: will print extra logs useful for debugging
+ //
+ // #define ICMPSTATE
+ // #define ICMPSTATEDEBUG
+

$FWDIR/lib/base.def is modified to include $FWDIR/lib/icmpstate.def and to add one case in the RECORD_CONN
RECORD_CONN deffunc looks like: (the line starting with a '+' are new line)


+ #ifdef ICMPSTATE
+ #include "icmpstate.def"
+ #endif /* ICMPSTATE */
+ 
+ 
deffunc RECORD_CONN(rule) {
#ifdef TCP_FASTMODE_ACTIVE
	(tcp, dport in tcp_fastmode_services)
		or
#endif
	(
		(
			(rule & 0xffffff00) = 0xffffff00,
			set sr3 ((sr3 & 0xffff00ff)|((rule & 0x000000ff) << 8)),
			set sr4 0
		) or (
			set sr3 (sr3 | 0x0000ff00),
			set sr4 rule
		),
#ifndef NO_ENCRYPTION_FEATURES	
		ACCEPT_CLIENT_ENCRYPTION(sr4)
			or		
#endif
		(<conn> in connections)
			or
		(<rconn> in connections)
			or
#ifndef NO_ENCRYPTION_FEATURES	
#if ACCEPT_DECRYPT_ENABLE
		(direction = 0, ACCEPT_DECRYPT(sr4))
							or
		(
#else
		(IS_NOT_DECRYPTED(sr4),
#endif	
#else
		(
#endif
			(tcp,		
				(	
				 	established, WAS_ENCRYPTED, drop	
				) or (
					tcp_record_ok,
					NOT_TCP_FASTMODE_PORT(sport,sr4) or reject,
					(NEED_MORE_INSPECTION(dport),
					set sr3 (sr3 | MORE_INSPECTION)) or (1),
					set r_cdir 1,
					set r_ckey 0,
					set r_ctype CONN_TCP,
					set r_cflags (sr3|SPOOF_CACHE_EMPTY),
					record <conn;r_ckey,r_ctype,r_cflags@TCP_START_TIMEOUT> in connections
			 	)								
			)			
								or	
			(udp,						
			 	(					
					WAS_ENCRYPTED, drop		
				) or (
					ip_len >=28,
				 	(NEED_MORE_INSPECTION(dport), 
					set sr3 (sr3 | MORE_INSPECTION)) or (1),
					set r_cdir 1,
					set r_ckey 0,
					set r_ctype (CONN_UDP | _UDP_ESTABLISHED),
					set r_cflags (sr3|SPOOF_CACHE_EMPTY),
					UDP_RECORD(conn,r_ckey,r_ctype,r_cflags),
				 	(
					 	<udpconn> in connections
					 			or
						(
							direction = 1 or set r_ctype CONN_UDP,
							UDP_RECORD(udpconn,r_ckey,r_ctype,r_cflags)
						)
					)
				)							
			)								
+ #ifdef ICMPSTATE
+                                                               or
+                       (icmp,
+                               (
+                                       WAS_ENCRYPTED, drop
+                               ) or    (
+                                               ip_len >= 32,
+                                               icmp_type in icmp_allow_requests,
+                                               record <src,dst,icmp_id,icmp_seq> in icmp_requests_connections
+ #ifdef ICMPSTATEDEBUG
+                                               , log icmp_recorded_form 
+ #endif
+                                       )
+ 
+                       )
+ #endif /* ICMPSTATE*/
								or			
							   (1)
		)
	)
};

$FWDIR/lib/formats.def

+ 
+ 
+ #ifdef ICMPSTATEDEBUG
+ icmp_recorded_form = format {
+       <"DEBUG Recording ICMP proto", proto, ip_p>,
+       <"src", ipaddr, src>,
+       <"dst", ipaddr, dst>,
+       <"icmp_id", hex, icmp_id>,
+       <"icmp_seq", hex, icmp_seq>,
+       <"icmp-type", hex, [(IPHLEN):1]>,
+       <"icmp-code", hex, [(IPHLEN+1):1]>,
+       <"h_len", int, IPHLEN>,
+       <"ip_len", int, ip_len>,
+       <"ip_vers", int, ip_hl / 16>,
+       <"rule", rule, sr1>
+ };
+ icmp_denied_form = format {
+       <"DEBUG ICMP not on the table proto", proto, ip_p>,
+       <"src", ipaddr, src>,
+       <"dst", ipaddr, dst>,
+       <"icmp_id", hex, icmp_id>,
+       <"icmp_seq", hex, icmp_seq>,
+       <"icmp-type", hex, [(IPHLEN):1]>,
+       <"icmp-code", hex, [(IPHLEN+1):1]>,
+       <"h_len", int, IPHLEN>,
+       <"ip_len", int, ip_len>,
+       <"ip_vers", int, ip_hl / 16>,
+       <"rule", rule, sr1>
+ };
+ icmp_allowed_form = format {
+       <"DEBUG allowed ICMP proto", proto, ip_p>,
+       <"src", ipaddr, src>,
+       <"dst", ipaddr, dst>,
+       <"icmp_id", hex, icmp_id>,
+       <"icmp_seq", hex, icmp_seq>,
+       <"icmp-type", hex, [(IPHLEN):1]>,
+       <"icmp-code", hex, [(IPHLEN+1):1]>,
+       <"h_len", int, IPHLEN>,
+       <"ip_len", int, ip_len>,
+       <"ip_vers", int, ip_hl / 16>,
+       <"rule", rule, sr1>
+ };
+ icmp_deleted_form = format {
+       <"DEBUG Allow ICMP reply and deleted it proto", proto, ip_p>,
+       <"src", ipaddr, src>,
+       <"dst", ipaddr, dst>,
+       <"icmp_id", hex, icmp_id>,
+       <"icmp_seq", hex, icmp_seq>,
+       <"icmp-type", hex, [(IPHLEN):1]>,
+       <"icmp-code", hex, [(IPHLEN+1):1]>,
+       <"h_len", int, IPHLEN>,
+       <"ip_len", int, ip_len>,
+       <"ip_vers", int, ip_hl / 16>,
+       <"rule", rule, sr1>
+ };
+ #endif /* ICMPSTATEDEBUG */
+

$FWDIR/lib/icmpstate.def is created. It implements the prolog functions and declares dynamics tables in use.

Home

$Id: icmp.html,v 1.19 2000/07/05 02:16:46 jean Exp $; Jean Chouanard, Xerox PARC