topic Re: Bcast/Mcast ICMP not allowed when configured as best practices in ExtremeWireless (WiNG)

Bcast/Mcast ICMP not allowed when configured as best practices

Aviv_Kedem — Sun, 02 Feb 2020 17:47:59 GMT

Hello community,

AP7532 versions: 5.9.1.4 - 5.9.3.3

Receiving many logs: %DATAPLANE-4-DOSATTACK: BAD_PACKET: Bcast/Mcast ICMP not allowed

But I had disabled it in the firewall policy (from best practices) :

show running-config firewall-policy default include-factory | include broadcast-multicast-icmp

no ip dos broadcast-multicast-icmp

Why the messages are still appears ?

Thanks

Aviv

Re: Bcast/Mcast ICMP not allowed when configured as best practices

vanelm — Sun, 02 Feb 2020 18:14:47 GMT

Hi Aviv,

Please check that

1. AP/profile using mentioned firewall-policy

2. Firewall is enabled

Regards,

Misha

Re: Bcast/Mcast ICMP not allowed when configured as best practices

Aviv_Kedem — Sun, 02 Feb 2020 18:48:49 GMT

Hello Misha,

show running-config firewall-policy default include-factory from AP:

no ip dos smurf
no ip dos twinge
no ip dos invalid-protocol
no ip dos router-advt
no ip dos router-solicit
no ip dos option-route
no ip dos ascend
no ip dos chargen
no ip dos fraggle
no ip dos snork
no ip dos ftp-bounce
no ip dos tcp-intercept
no ip dos broadcast-multicast-icmp
no ip dos land
no ip dos tcp-xmas-scan
no ip dos tcp-null-scan
no ip dos winnuke
no ip dos tcp-fin-scan
no ip dos udp-short-hdr
no ip dos tcp-post-syn
no ip dos tcphdrfrag
no ip dos ip-ttl-zero
no ip dos ipspoof
no ip dos tcp-bad-sequence
no ip dos tcp-sequence-past-window
ip tcp validate-rst-seq-number
ip tcp validate-rst-ack-number
ip tcp validate-icmp-unreachable
ip tcp recreate-flow-on-out-of-state-syn
ip tcp optimize-unnecessary-resends
ip dos tcp-max-incomplete high 500
ip dos tcp-max-incomplete low 200
no ip-mac conflict
no ip-mac routing conflict
flow timeout icmp 30
flow timeout udp 30
flow timeout tcp setup 10
flow timeout tcp established 5400
flow timeout tcp close-wait 10
flow timeout tcp reset 10
flow timeout tcp stateless-general 90
flow timeout tcp stateless-fin-or-reset 10
flow timeout other 30
dhcp-offer-convert
proxy-arp
firewall enable
ipv6 firewall enable
no ipv6 rewrite-flow-label
no ipv6 strict-ext-hdr-check
no ipv6 unknown-options
no ipv6 duplicate-options
no ipv6 option end-point-identification
no ipv6 option router-alert
no ipv6 option network-service-access-point
no ipv6 option strict-hao-opt-check
no ipv6 option strict-padding
no ipv6 routing-type one
no ipv6 routing-type two
ipv6 dos multicast-icmpv6 log-and-drop log-level warnings
ipv6 dos hop-limit-zero log-and-drop log-level warnings
ipv6 dos tcp-intercept-mobility log-and-drop log-level warnings
acl-logging
no stateful-packet-inspection-l2
flow dhcp stateful
alg ftp
alg tftp
no alg sip
alg dns
no alg facetime
no alg sccp
alg pptp
no logging icmp-all
no logging icmp-packet-drop
no logging malformed-packet-drop
no logging verbose
ip tcp adjust-mss 1400
clamp tcp-mss
virtual-defragmentation
no virtual-defragmentation minimum-first-fragment-length
virtual-defragmentation maximum-fragments-per-datagram 140
virtual-defragmentation maximum-defragmentation-per-host 8
virtual-defragmentation timeout 1
dns-snoop entry-timeout 1800
no 802.2-encapsulation
no vlan-stacking
dns-snoop drop-on-parserror
proxy-nd
no ipv6-mac conflict
no ipv6-mac routing conflict

Regards,

Aviv

Re: Bcast/Mcast ICMP not allowed when configured as best practices

RobertZ — Sun, 02 Feb 2020 23:05:30 GMT

Please apply the best practice for the firewall and make sure you behave it applied to the AP profile.

FireWall Best Practice

Re: Bcast/Mcast ICMP not allowed when configured as best practices

Aviv_Kedem — Sun, 02 Feb 2020 23:20:35 GMT

Hello Robert,

It already was configured.

I think there is some bug.

These logs are appears even if the feature is disabled.

Thanks

Aviv

Re: Bcast/Mcast ICMP not allowed when configured as best practices

RobertZ — Mon, 03 Feb 2020 00:07:55 GMT

I don't recall if this was a bug in firmware 5.9.1 or 5.9.3. Since you are on very old firmware it will be beneficial for you to upgrade to current firmware version 5.9.7 and retest.

Re: Bcast/Mcast ICMP not allowed when configured as best practices

Aviv_Kedem — Mon, 03 Feb 2020 17:07:50 GMT

Hello Robert,

I’ll test it.

Thanks