The Internet Control Message Protocol (ICMP) is a network layer protocol used to send control and error messages between devices on an IP network.
At the end of the article you will find a short quiz that lets you check what you have learned from this reading.
ICMP is essential to the functioning of the Internet and is used for several purposes, including:
Error detection
ICMP reports errors in packet delivery. Error messages go back to the source of the original packet, not to its recipient: for example, when a router cannot forward an IP packet because the destination network is unreachable, it sends an ICMP Destination Unreachable message to the host that sent the packet.
Network diagnostics
ICMP is used to diagnose network problems. For example, you can use the “ping” command to send an ICMP message to a remote device to check if it is available.
Network management
ICMP also carries signalling that hosts and routers use to adjust how they send traffic. For example, a router that cannot forward a packet because it is too large and has the DF bit set answers with Fragmentation Needed (type 3, code 4), which Path MTU Discovery depends on, and a Redirect message tells a host about a better first-hop router on its link. ICMP does not configure devices; that is done with other protocols.
ICMP messages are carried inside IP datagrams (IP protocol number 1), so an ICMP packet is an IP header followed by an ICMP header. The ICMP header starts with a type field that identifies the kind of message, a code field that refines it, and a checksum. RouterOS firewall rules match this type/code pair with icmp-options=type:code, for example icmp-options=3:4 for Fragmentation Needed.
Message types
There are many different types of ICMP messages, each serving a different purpose. Some of the most common ICMP message types include:
Echo request/reply
These messages are used to verify the availability of a remote device.
Destination unreachable
These messages are used to inform the sender that an IP packet could not be delivered to the destination.
Time exceeded
These messages are sent by a router when a packet's TTL reaches zero before it arrives (code 0), or by a host that cannot reassemble all fragments of a datagram in time (code 1). Traceroute works by sending packets with increasing TTLs and collecting the Time Exceeded replies from each hop.
ICMP is an important protocol for the functioning of the Internet. By understanding the concept of ICMP, you can help keep your network secure and functional.
ICMP filter
Having an ICMP filter on the MikroTik RouterOS firewall is important for several reasons, including:
- Security: ICMP can be abused, for example in ping flood (ICMP echo) denial-of-service attacks and for reconnaissance with traceroute. ICMP filtering can drop or rate limit this traffic.
- Performance: Unnecessary ICMP traffic can overload the network and reduce performance. ICMP filtering can help reduce this unnecessary traffic.
- Privacy: ICMP replies (echo, timestamp, address mask, Time Exceeded) reveal which hosts exist and how your network is laid out. ICMP filtering limits what an outsider can learn.
Here are some specific examples of how an ICMP filter in MikroTik RouterOS can help you protect your network:
- It can rate limit or drop ICMP echo floods (ping floods) that try to overload the router or the network.
- It can restrict the ICMP types an outside host can use to probe your network, such as timestamp and address mask requests, which serve no purpose other than reconnaissance.
- It can drop ICMP types nobody on your network needs (timestamp, address mask, information requests, source quench) so they do not consume bandwidth or router CPU.
It is important to configure the ICMP filter appropriately so that it does not block legitimate traffic. You should consider your specific needs and the security risks your network is exposed to.
Tips to configure the ICMP filter in MikroTik RouterOS
- Start with a simple configuration and then add additional rules as needed.
- Use a comment on every rule so the purpose of each accepted or dropped type is clear when you review the filter later.
- Match on ICMP type and code (icmp-options=type:code) instead of accepting or dropping all of protocol=icmp, and rate limit the types you accept with the limit matcher.
On MikroTik routers the RouterOS firewall filter gives full control over ICMP: which types and codes are accepted, at what rate, and whether that applies to traffic addressed to the router (input chain), forwarded through it (forward chain) or generated by it (output chain).
Recommended handling per ICMPv4 message type
The table below summarises a commonly used policy. Source from Device is ICMP the router itself generates, Through Device is transit traffic forwarded by the router (RouterOS forward chain), and Destined to Device is ICMP addressed to the router (RouterOS input chain). Depr marks types deprecated by later RFCs. The Type:Code column is added here to map each row to the value used with icmp-options; unreach-admin covers the three administratively prohibited codes.

| ICMPv4 Message | Type:Code | Source from Device | Through Device | Destined to Device |
|---|---|---|---|---|
| ICMPv4-unreach-net | 3:0 | Rate Limit | Rate Limit | Rate Limit |
| ICMPv4-unreach-host | 3:1 | Rate Limit | Rate Limit | Rate Limit |
| ICMPv4-unreach-proto | 3:2 | Rate Limit | Deny | Rate Limit |
| ICMPv4-unreach-port | 3:3 | Rate Limit | Deny | Rate Limit |
| ICMPv4-unreach-frag-needed | 3:4 | Send | Permit | Rate Limit |
| ICMPv4-unreach-src-route | 3:5 | Rate Limit | Deny | Rate Limit |
| ICMPv4-unreach-net-unknown (Depr) | 3:6 | Deny | Deny | Deny |
| ICMPv4-unreach-host-unknown | 3:7 | Rate Limit | Deny | Ignore |
| ICMPv4-unreach-host-isolated (Depr) | 3:8 | Deny | Deny | Deny |
| ICMPv4-unreach-net-tos | 3:11 | Rate Limit | Deny | Rate Limit |
| ICMPv4-unreach-host-tos | 3:12 | Rate Limit | Deny | Rate Limit |
| ICMPv4-unreach-admin | 3:9, 3:10, 3:13 | Rate Limit | Rate Limit | Rate Limit |
| ICMPv4-unreach-prec-violation | 3:14 | Rate Limit | Deny | Rate Limit |
| ICMPv4-unreach-prec-cutoff | 3:15 | Rate Limit | Deny | Rate Limit |
| ICMPv4-quench | 4:0 | Deny | Deny | Deny |
| ICMPv4-redirect-net | 5:0 | Rate Limit | Deny | Rate Limit |
| ICMPv4-redirect-host | 5:1 | Rate Limit | Deny | Rate Limit |
| ICMPv4-redirect-tos-net | 5:2 | Rate Limit | Deny | Rate Limit |
| ICMPv4-redirect-tos-host | 5:3 | Rate Limit | Permit | Rate Limit |
| ICMPv4-timed-ttl | 11:0 | Rate Limit | Permit | Rate Limit |
| ICMPv4-timed-reass | 11:1 | Rate Limit | Permit | Rate Limit |
| ICMPv4-parameter-pointer | 12:0 | Rate Limit | Deny | Rate Limit |
| ICMPv4-option-missing | 12:1 | Rate Limit | Deny | Rate Limit |
| ICMPv4-req-echo-message | 8:0 | Rate Limit | Permit | Rate Limit |
| ICMPv4-req-echo-reply | 0:0 | Rate Limit | Permit | Rate Limit |
| ICMPv4-req-router-sol | 10:0 | Rate Limit | Deny | Rate Limit |
| ICMPv4-req-router-adv | 9:0 | Rate Limit | Deny | Rate Limit |
| ICMPv4-req-timestamp-message | 13:0 | Rate Limit | Deny | Rate Limit |
| ICMPv4-req-timestamp-reply | 14:0 | Rate Limit | Deny | Rate Limit |
| ICMPv4-info-message (Depr) | 15:0 | Deny | Deny | Deny |
| ICMPv4-info-reply (Depr) | 16:0 | Deny | Deny | Deny |
| ICMPv4-mask-request | 17:0 | Rate Limit | Deny | Rate Limit |
| ICMPv4-mask-reply | 18:0 | Rate Limit | Deny | Rate Limit |
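The following RouterOS filter is an added example, not code from the article or a MikroTik published script. It implements the Through Device and Destined to Device columns of the table with separate chains for transit and router-bound ICMP, matching each row by icmp-options=type:code and using the limit matcher where the table says Rate Limit. The chain names icmp-in and icmp-fwd, the rates (10 packets per second with a burst of 20 towards the router, 50/100 in transit) and the log prefixes are illustrative choices; the limit syntax rate,burst:packet is the one accepted by RouterOS v6.3x and v7. It deliberately deviates from the table in two places: Fragmentation Needed (3:4) is accepted without a rate limit because losing it breaks Path MTU Discovery, and all four Redirect codes are dropped in transit because redirects are only meaningful between a router and a host on the same link.

```routeros
# Added example: ICMPv4 filter derived from the table above.
# Assumptions: chain names icmp-in/icmp-fwd, the rates in limit= and the
# log prefixes are illustrative; tune them to your link sizes.
/ip firewall filter

# Only ICMP is diverted to the dedicated chains; all other traffic keeps
# flowing through input/forward. A jump without protocol=icmp would send
# every packet into the ICMP chain, where the final drop rule would kill it.
# These two rules must sit above any catch-all drop in input and forward.
add chain=input protocol=icmp action=jump jump-target=icmp-in comment="ICMP destined to the router"
add chain=forward protocol=icmp action=jump jump-target=icmp-fwd comment="ICMP through the router"

# --- Destined to Device (input chain): accept the useful types, rate limited ---
# limit=rate,burst:packet matches only while the rate is not exceeded, so
# excess packets fall through to the log/drop rules at the end of the chain.
add chain=icmp-in protocol=icmp icmp-options=3:4 action=accept comment="fragmentation needed: Path MTU Discovery, never rate limit"
add chain=icmp-in protocol=icmp icmp-options=8:0 limit=10,20:packet action=accept comment="echo request (ping)"
add chain=icmp-in protocol=icmp icmp-options=0:0 limit=10,20:packet action=accept comment="echo reply"
add chain=icmp-in protocol=icmp icmp-options=3:0-1 limit=10,20:packet action=accept comment="net/host unreachable"
add chain=icmp-in protocol=icmp icmp-options=3:2-3 limit=10,20:packet action=accept comment="protocol/port unreachable"
add chain=icmp-in protocol=icmp icmp-options=3:9-10 limit=10,20:packet action=accept comment="admin prohibited (net/host)"
add chain=icmp-in protocol=icmp icmp-options=3:13 limit=10,20:packet action=accept comment="admin prohibited (communication)"
add chain=icmp-in protocol=icmp icmp-options=11:0-1 limit=10,20:packet action=accept comment="time exceeded: traceroute, reassembly"
add chain=icmp-in protocol=icmp icmp-options=12:0-1 limit=10,20:packet action=accept comment="parameter problem"
# Everything else addressed to the router is logged and dropped: source quench (4),
# redirects (5), router discovery (9,10), timestamp (13,14), information (15,16),
# address mask (17,18), deprecated unreachable codes and any type above its rate.
add chain=icmp-in protocol=icmp action=log log-prefix="icmp-in-drop"
add chain=icmp-in protocol=icmp action=drop comment="deny all other types and traffic over the limit"

# --- Through Device (forward chain): only what end hosts need to talk ---
add chain=icmp-fwd protocol=icmp icmp-options=3:4 action=accept comment="fragmentation needed (PMTUD)"
add chain=icmp-fwd protocol=icmp icmp-options=3:0-1 limit=50,100:packet action=accept comment="net/host unreachable"
add chain=icmp-fwd protocol=icmp icmp-options=3:9-10 limit=50,100:packet action=accept comment="admin prohibited (net/host)"
add chain=icmp-fwd protocol=icmp icmp-options=3:13 limit=50,100:packet action=accept comment="admin prohibited (communication)"
add chain=icmp-fwd protocol=icmp icmp-options=11:0-1 limit=50,100:packet action=accept comment="time exceeded"
add chain=icmp-fwd protocol=icmp icmp-options=8:0 limit=50,100:packet action=accept comment="echo request"
add chain=icmp-fwd protocol=icmp icmp-options=0:0 limit=50,100:packet action=accept comment="echo reply"
# Table says Deny in transit for proto/port unreachable, source route, redirects,
# parameter problem, router discovery, timestamp, information and mask messages.
add chain=icmp-fwd protocol=icmp action=log log-prefix="icmp-fwd-drop"
add chain=icmp-fwd protocol=icmp action=drop comment="deny all other types and traffic over the limit"
```

To check the result, ping and traceroute the router and a host behind it from outside, then look at the per-rule counters with /ip firewall filter print stats where chain=icmp-in (and chain=icmp-fwd) and at the dropped traffic with /log print where message~"icmp-". Whatever is counted on the final drop rule but is not in the table's Deny rows is something you should reconsider before leaving the filter in production. These rules cover IPv4 only; ICMPv6 is configured under /ipv6 firewall filter and must not be dropped blindly, since Neighbor Discovery and Packet Too Big are ICMPv6 messages without which IPv6 does not work at all.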
Examples of ICMP filters
The following rules accept the ICMP types that should generally always be allowed and drop everything else:
/ip firewall filter
add action=jump chain=input jump-target=icmp protocol=icmp comment="ICMP addressed to the router"
add action=jump chain=forward jump-target=icmp protocol=icmp comment="ICMP forwarded through the router"
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="fragmentation needed (Path MTU Discovery)" icmp-options=3:4 protocol=icmp
add action=drop chain=icmp comment="source quench: deprecated by RFC 6633 and denied in the table above" icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter problem" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types" protocol=icmp
These are only examples; adapt them to your needs and network topology. Two details in such a rule set decide whether it works at all: the jump rules must match protocol=icmp, otherwise every packet in the input and forward chains is sent to the icmp chain and dropped by its last rule, and ICMP addressed to the router (input chain) needs its own jump, because a jump from forward only covers transit traffic. Source quench (type 4) was deprecated by RFC 6633 and the table above denies it everywhere, so there is no reason to accept it.
Be careful when limiting ICMP, as it affects the network's diagnostic capabilities: dropping Fragmentation Needed (3:4) breaks Path MTU Discovery and produces connections that hang on large transfers, and dropping Time Exceeded (11) blinds traceroute.
Test and validate any change in a lab environment before deploying it to production.
Brief knowledge quiz
Do you dare to evaluate your learned knowledge?
Recommended book for this article
RouterOS v7 Advanced Security Book
Study material for the MTCSE Certification Course, updated to RouterOS v7