
How does Asus merlin handle ICMP redirects if "Respond ping request from WAN" is enabled?


reerden

Regular Contributor
According to this post by Rmerlin: http://www.snbforums.com/threads/block-ping-all-icmp.14269/ ,

the option "Respond ping request from WAN" adds a firewall rule allowing all ICMP packets when enabled. How does the firmware handle ICMP redirects when this is enabled? Does it only allow ICMP redirects from the default gateway or all sources? Isn't this a security risk or is this type of ICMP message still blocked?
 

That stuff is handled by iptables and the kernel, not the firmware. So whatever behaviour would be what Linux does by default.
 
I like this option, it adds a specific accept rule for external pings to the router itself only

Code:
ASUSWRT-Merlin RT-N66U_3.0.0.4 Fri Jul 17 03:15:20 UTC 2015
admin@RT-N66U:/tmp/home/root# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
1023 51987 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state INVALID
559K   69M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  262 49053 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW
95146   15M ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
  487  162K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
312K 8741K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Why so many?

 
That stuff is handled by iptables and the kernel, not the firmware. So whatever behaviour would be what Linux does by default.

Thanks. I'm not sure, but from what I've read, Linux by default only allows ICMP redirects coming from the default gateway.

Also, do I need to have the respond to ping request enabled if I'm hosting something like a game server, for things like path MTU? I've also read that Linux doesn't respond to path MTUs by default so it seems enabling this option does nothing to help that but I'm not sure.
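The listing posted above accepts every ICMP type on every interface (the last rule, `ACCEPT icmp` with no `icmptype` match), so the kernel's redirect sysctls are the only thing standing between a WAN host and a route change on the router. The script below is an added example and not code from the thread or from the Asuswrt-Merlin firmware: it audits a pasted `iptables -nvL` listing for such blanket ICMP accepts, prints a replacement rule set that drops redirects at the top of INPUT, answers WAN pings under a rate limit, and keeps only the ICMP error types that path MTU discovery and traceroute rely on, and prints the sysctl settings that pin the kernel's redirect handling regardless of what the firewall lets in. The function names are mine, the sample listing is constructed from the one posted above, and `eth0` is assumed to be the WAN interface because that is where the listing's `DROP ... state INVALID` rule is attached. ICMP errors that refer to a connection conntrack already knows about also match the `RELATED,ESTABLISHED` rule in the listing, so the explicit `fragmentation-needed` and `time-exceeded` accepts are there for errors conntrack cannot tie to a flow.

```shell
#!/bin/sh
# Added example (not from the thread or the firmware). Nothing here touches a
# live firewall: the audit works on a pasted listing and the generator only
# prints the iptables/sysctl commands for review before they go into
# /jffs/scripts/firewall-start (assumed to be the usual hook for user rules).

# Constructed sample: the relevant rows of the INPUT chain posted above.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
1023 51987 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state INVALID
559K   69M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
487  162K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
312K 8741K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0'

# audit_icmp_accepts LISTING
# Counts ACCEPT rules whose protocol is icmp (or its number 1) and that carry
# no "icmptype" match, i.e. rules that admit every ICMP type, redirects
# (type 5) included. Field layout is that of `iptables -nvL`:
# pkts bytes target prot opt in out source destination [matches]
audit_icmp_accepts() {
    printf '%s\n' "$1" | awk '
        $3 == "ACCEPT" && ($4 == "icmp" || $4 == "1") && $0 !~ /icmptype/ { n++ }
        END { print n + 0 }'
}

# harden_icmp_rules WAN_IFACE
# Prints the commands that replace the blanket rule. Order matters: the
# redirect DROP is inserted at position 1 so no earlier accept can match it,
# and the final DROP catches every ICMP type not explicitly listed.
harden_icmp_rules() {
    wan="$1"
    cat <<EOF
iptables -D INPUT -p icmp -j ACCEPT
iptables -I INPUT 1 -i $wan -p icmp --icmp-type redirect -j DROP
iptables -A INPUT -i $wan -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT
iptables -A INPUT -i $wan -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables -A INPUT -i $wan -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -i $wan -p icmp -j DROP
EOF
}

# redirect_sysctls
# The kernel side of the question: with accept_redirects=0 redirects are
# ignored from any source; with secure_redirects=1 (the Linux default) they
# are honoured only from a gateway already in the routing table. Turning off
# send_redirects stops the router advertising its own LAN topology.
redirect_sysctls() {
    cat <<EOF
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.default.accept_redirects=0
sysctl -w net.ipv4.conf.all.secure_redirects=1
sysctl -w net.ipv4.conf.all.send_redirects=0
EOF
}

echo "blanket ICMP accepts in listing: $(audit_icmp_accepts "$SAMPLE_LISTING")"
harden_icmp_rules eth0
redirect_sysctls
```

Paste your own `iptables -nvL` output into `SAMPLE_LISTING` (or pipe it through the awk line) to check a running router; a count above zero means the "Respond ping request from WAN" rule, or something like it, is admitting all ICMP types. Check the live kernel values with `sysctl net.ipv4.conf.all.accept_redirects net.ipv4.conf.all.secure_redirects` before deciding whether the iptables drop is belt-and-braces or the only control you have.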
 
