I just spent two hours troubleshooting my firewall and VPN because Windows doesn't accept pings from remote subnets.

Yeah, UDP traffic is a lot different since it's connectionless, and it might be treated differently in some environments because it has been used in a lot of data theft attacks.

Rule-wise it’s identical with windows firewall. Run this with administrator privileges during installation for each port required:

netsh advfirewall firewall add rule name="MyApp UDP Port 1234" dir=out action=allow protocol=UDP localport=1234

If you don’t know the ports at install-time, you’d need to keep around a service that can be used to open ports on-demand (big security risk) or request admin access any time firewall changes are required.

Note: don’t keep adding the same rule over and over (they accumulate if I recall correctly).

Yeah, you wouldn't be able to ping it from the outside anyway, so it's functionally equivalent; that's a non-issue.

You don't even have routability between them, but if you did, one would expect ping to work.

Not necessarily. It depends entirely on the use case. It’s not uncommon to only open one or two specific ports between network segments. The idea is to keep the attack surface to a minimum. Even ping can be an attack vector (ping of death and ping flood for example).

Deny by default, defense in depth, and minimal attack surface are all good strategies for security.

If you don’t want that level of security then you can reconfigure.

It’s better to err on the side of caution.

It's not just ICMP I am talking about; it's all the traffic from the untrusted to the trusted network. Also, I wasn't just referring to a vendor obtaining details of your network, but what if they already have a backdoor in these devices (some of these Chinese ones have), or if the vendor networks get compromised and the attacker could get all their user information, including this backdoor access? Won't they also gain access to your entire routed LAN, as it doesn't have any isolation (network or host level)?

For your use case you may think it is the right thing to trust all LAN traffic, but for others it may not be. Again, blocking ping is not bad behaviour; ICMP pings can be used to gather a lot of information (like latency, network hops, MTU, etc.).

As for the VPN terminating on the same device, do you have that configured as a public network or private network in the firewall?

I don't agree with trusting the whole LAN from a security standpoint. If you look into current corporate network architecture, they are moving away from traditional security methods to zero trust network architecture to reduce the potential attack vectors. I am not saying everyone should be worried about devices in the LAN, but it is what it is: no network is 100 percent safe, but you can protect 99% of it if you have a proper design/plan/procedure to keep that network secure.

Pay attention to the “dir” since you may require an “in” and “out” rule since it’s a connectionless protocol.
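An added example, not code posted by anyone in the thread: the same rule the netsh command above creates, written with the NetSecurity cmdlets so that re-running the installer does not stack duplicate rules, with one rule per direction because UDP is connectionless, plus an ICMPv4 echo allow scoped to a single remote subnet (the remote-subnet ping problem from the first post). The app name, port, subnet and rule names are assumptions for illustration; run it from an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: idempotent Windows Defender Firewall rules via the NetSecurity module.
# 'MyApp', port 1234 and 10.8.0.0/24 are assumed values, not taken from the thread.

function Add-UdpPortRule {
    param(
        [Parameter(Mandatory)][string]$AppName,
        [Parameter(Mandatory)][int]$Port,
        [string]$RemoteAddress = 'Any',                 # narrow this to the peer subnet when known
        [string[]]$Profile = @('Domain', 'Private')     # leave the Public profile closed unless required
    )
    # UDP has no handshake for the firewall to track, so an outbound-only rule does
    # not cover datagrams initiated by the remote side: create one rule per direction.
    foreach ($dir in 'Inbound', 'Outbound') {
        $name = "$AppName UDP $Port $dir"
        # Get-NetFirewallRule errors when the name is absent; suppress that so a
        # second run skips rules that already exist instead of adding duplicates.
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Verbose "rule '$name' already present, skipping"
            continue
        }
        New-NetFirewallRule -DisplayName $name -Direction $dir -Action Allow `
            -Protocol UDP -LocalPort $Port -RemoteAddress $RemoteAddress `
            -Profile $Profile | Out-Null
    }
}

function Add-IcmpEchoRule {
    param(
        [Parameter(Mandatory)][string]$RemoteSubnet,    # e.g. the VPN subnet, in CIDR form
        [string[]]$Profile = @('Domain', 'Private')
    )
    # The built-in Echo Request rule is scoped to LocalSubnet, which is why pings from a
    # routed remote subnet are dropped. Allow ICMPv4 type 8 (Echo Request) only from the
    # named subnet rather than from 'Any', keeping the exposed surface small.
    $name = "Allow ICMPv4 echo from $RemoteSubnet"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
            -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $RemoteSubnet `
            -Profile $Profile | Out-Null
    }
}

# Usage with the assumed values:
Add-UdpPortRule -AppName 'MyApp' -Port 1234 -RemoteAddress '10.8.0.0/24' -Verbose
Add-IcmpEchoRule -RemoteSubnet '10.8.0.0/24'

# Confirm what exists; port filters live in a separate object linked to the rule.
Get-NetFirewallRule -DisplayName 'MyApp UDP*' |
    Get-NetFirewallPortFilter |
    Format-Table Protocol, LocalPort, RemotePort
```

Running the script a second time prints "already present" for each rule and creates nothing, which is the behaviour the accumulation note above is asking for. If the VPN adapter is classified as Public, the rules above will not match it; either set the profile with Set-NetConnectionProfile or add Public to the -Profile list deliberately.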

Just be glad you don’t have to do UDP hole punching like game developers!

If they’re really worried about ICMP, rate limit and size limit ICMP packets by default, at best. I rate limit and size limit ICMP to my router, it took 2 entries on the firewall.

This is the intersection of security and availability; this is too far into the security side if you ask me, because it makes ICMP completely unavailable on the end client.

I've used nftables and iptables and many preconfigured implementations of those firewalls from different distros, and none of them exhibit this behaviour. It just feels entirely unnecessary for almost no benefit. No one is ping flooding a Windows end client; maybe a server I could see this behaviour on, but this is too far for a desktop.

I think ICMP was, at one point, used as part of an exploit (beyond flooding aka smurfing).

But my memory is vague on it... I don't think it was WinNuke? I can't recall. But I know a lot of corporate environments outright ban it because it has been used as an attack vector.

Looks like the main reason is ICMP tunneling to extract data after an exploit has obtained the data: