abmas
New Contributor

How to block ICMP Type 3 Code 3 messages : udp port 161 unreachable

Hi,

I need to block just ICMP Type 3 Code 3 messages (port unreachable) getting from PC1. 

PC1==Port4--[FGT-300D]--Port1==PC2

I have created a custom Service ICMP_type3_code3 and a policy to deny traffic from PC1 to PC2. But still those ICMP are allowed.

The command : diagnose sniffer packet any "host PC1 and PC2" 4

shows the message "port1 out PC1 -> PC2: icmp: PC1 udp port 161 unreachable"

 

I have the same result when I denied ICMP_ALL.

 

Can anyone let me know how to fix that, please?

 

Many thanks.

Abmas

emnoc
Esteemed Contributor III

The CLI diag debug flow is your best friend. This will ensure your fw-policy and the right matching ingress/egress interfaces are actually matched.

 

PCNSE 

NSE 

StrongSwan  

jhouvenaghel_FTNT

Hello,

 

This ICMP packet is a reply to a UDP packet to port 161 received by PC1. So there is first a UDP session opened on the FGT by this UDP packet coming from PC2, and this ICMP reply is part of this session. When received by the FGT, the FGT will look inside the ICMP packet, will find the UDP header/payload inside this ICMP packet, and it will match an existing session. So it will go through the FGT. You cannot block this packet with a deny policy from port4 to port1, as it is a reply packet to an existing session on the FGT.

 

Thanks

ede_pfau

But if you blocked udp/161, wouldn't the ICMP messages stop then? Depends on which device generates the message, and I think it's the second PC which refuses requests to udp/161 and replies with "port unreachable".

Ede Kernel panic: Aiee, killing interrupt handler!
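The two replies above (jhouvenaghel_FTNT on why the ICMP error rides on the existing UDP session, and ede_pfau on blocking udp/161 instead) can be checked with a small model of a stateful firewall. The following is an added example written for this thread, not FortiOS code and not anything posted by the participants: it builds a UDP probe from PC2 to PC1:161, builds the ICMP type 3 code 3 error PC1 sends back (which quotes the offending IP header plus the first 8 bytes of the UDP header), and shows how a session table matches the error by the quoted header, so a deny-ICMP policy on port4 to port1 never sees it. The addresses and policy layout are constructed assumptions.

```python
import socket
import struct

# Constructed lab addresses for the thread's topology PC1==port4--FGT--port1==PC2
# (assumed values; the original post names only PC1 and PC2).
PC1 = "10.0.4.10"
PC2 = "10.0.1.10"

PROTO_ICMP = 1
PROTO_UDP = 17


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at 0, it is not needed for matching."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def udp_packet(src, sport, dst, dport, payload=b""):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, PROTO_UDP, len(udp)) + udp


def icmp_port_unreachable(sender, original_packet):
    """ICMP type 3 code 3 from `sender`, quoting the offending packet's IP header
    plus the first 8 bytes of its transport header (RFC 792)."""
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + original_packet[:28]
    orig_src = socket.inet_ntoa(original_packet[12:16])
    return ipv4_header(sender, orig_src, PROTO_ICMP, len(icmp)) + icmp


def parse_ip(packet):
    ihl = (packet[0] & 0x0F) * 4
    return (packet[9], socket.inet_ntoa(packet[12:16]),
            socket.inet_ntoa(packet[16:20]), packet[ihl:])


def service_matches(service, proto, dport):
    if service == "any":
        return True
    if service == "icmp":
        return proto == PROTO_ICMP
    return proto == PROTO_UDP and dport == service[1]   # ("udp", port)


class Firewall:
    """Toy stateful firewall: first-match policies, plus a session table keyed by 5-tuple."""

    def __init__(self, policies):
        self.policies = policies
        self.sessions = set()

    def policy_action(self, srcintf, dstintf, proto, dport):
        for p in self.policies:
            if (p["srcintf"], p["dstintf"]) == (srcintf, dstintf) \
                    and service_matches(p["service"], proto, dport):
                return p["action"]
        return "deny"   # implicit deny at the bottom

    def session_key_from_icmp_error(self, icmp):
        """The quoted header inside the ICMP error identifies the session it belongs to."""
        proto, q_src, q_dst, transport = parse_ip(icmp[8:])
        sport, dport = struct.unpack("!HH", transport[:4])
        return (proto, q_src, sport, q_dst, dport)

    def ingress(self, packet, srcintf, dstintf):
        proto, src, dst, transport = parse_ip(packet)
        if proto == PROTO_ICMP and transport[0] == 3:
            if self.session_key_from_icmp_error(transport) in self.sessions:
                return "forwarded (reply to existing session)"   # policy is not consulted
            action = self.policy_action(srcintf, dstintf, PROTO_ICMP, None)
            return "dropped" if action == "deny" else "forwarded (new session)"
        if proto == PROTO_UDP:
            sport, dport = struct.unpack("!HH", transport[:4])
            key = (proto, src, sport, dst, dport)
            if key in self.sessions:
                return "forwarded (existing session)"
            if self.policy_action(srcintf, dstintf, proto, dport) == "deny":
                return "dropped"
            self.sessions.add(key)
            return "forwarded (new session)"
        return "dropped"


def scenario_deny_icmp():
    """The original attempt: deny ICMP from port4 to port1, accept everything else."""
    fw = Firewall([
        {"srcintf": "port4", "dstintf": "port1", "service": "icmp", "action": "deny"},
        {"srcintf": "port1", "dstintf": "port4", "service": "any", "action": "accept"},
        {"srcintf": "port4", "dstintf": "port1", "service": "any", "action": "accept"},
    ])
    probe = udp_packet(PC2, 50000, PC1, 161)            # PC2 -> PC1 udp/161 opens a session
    r1 = fw.ingress(probe, "port1", "port4")
    r2 = fw.ingress(icmp_port_unreachable(PC1, probe), "port4", "port1")
    return r1, r2


def scenario_deny_udp161():
    """ede's suggestion: also deny udp/161 from port1 to port4, so no session ever exists."""
    fw = Firewall([
        {"srcintf": "port4", "dstintf": "port1", "service": "icmp", "action": "deny"},
        {"srcintf": "port1", "dstintf": "port4", "service": ("udp", 161), "action": "deny"},
        {"srcintf": "port1", "dstintf": "port4", "service": "any", "action": "accept"},
        {"srcintf": "port4", "dstintf": "port1", "service": "any", "action": "accept"},
    ])
    probe = udp_packet(PC2, 50000, PC1, 161)
    r1 = fw.ingress(probe, "port1", "port4")
    # PC1 never receives the probe, so it never generates the error; a stray one has no
    # parent session to attach to and is evaluated against the policies like any new flow.
    r2 = fw.ingress(icmp_port_unreachable(PC1, probe), "port4", "port1")
    return r1, r2


if __name__ == "__main__":
    print("deny ICMP only:", scenario_deny_icmp())
    print("deny udp/161:  ", scenario_deny_udp161())
```

The first scenario reproduces what the sniffer showed: the UDP probe is accepted and creates the session, and the port-unreachable error is forwarded on the strength of that session without the port4-to-port1 deny ever being evaluated. In the second, the udp/161 deny stops the probe before any session exists, and an ICMP error arriving without a parent session is finally subject to the deny policy.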
emnoc
Esteemed Contributor III

I agree with the latter response (ede).

 

I believe you have another means for dropping these ICMP types (via an IPS custom signature), but controlling the traffic flow via the firewall policy is the correct and smart way and kills the problem at the root.

 

Ken

PCNSE 

NSE 

StrongSwan  
