icmp allowed by cert or ??? only?

I have several hundred logging devices out in the field which need to send an icmp request now and then to their home server.

I know I could limit icmp using IPs but I don't know the logger IPs since they would be getting them from a dhcp server.

How could I block icmp to only those devices and nothing else?
DHCP server keeps a list of issued addresses, or has an IP range it issues. Import either to iptables and you are fine.
Dave Howe, Software and Hardware Engineer, commented:
Is there something you could put in the payload to distinguish the ICMP traffic you want to allow from the general background noise?

For that matter - if it's just a ping, do you really care that much? I know zonealarm made a big fuss about "stealth" and blocking pings, but on the whole, it's not usually a big deal if your IP is pingable.
projects (Author) commented:
Gheist: Not sure what you mean. Can you explain please.

Dave, I could put something in the payload and in fact, the first connection from the device is always using curl https. Perhaps this is the key?

You are right that icmp should not be a big issue but my thinking is that there will be many connections as it is and my server won't know what is legit and not so when I am trying to block bad traffic, I won't be able to as easily. If for example someone was trying to use icmp to cause problems, I could not respond by disabling icmp.
Maximum extent of "these devices" is all addresses handed out by your DHCP server.
Use that address range for blocking/passing.
Dave Howe, Software and Hardware Engineer, commented:
You could certainly use the fact that the first connection is curl - this is commonly called "port knocking" or a "knock sequence" - using a connection on one port to trigger a rule to allow other traffic (Cisco ASAs can even do that out of the box these days).

But that just makes me even more curious as to why the nodes even need to do ICMP if they are already able to confirm your server is there with the tcp/443 handshake. Further, ICMP usually has a payload that is not processed by the recipient (this is commonly used and abused for Wake on Lan, to give one example), although some ICMP traffic (type 5 "redirect" packets, to give another example) usually quotes the packet it is relevant to.

"out in the field" and the fact the OP is concerned about inbound ICMP from the internet implies these are on other (customer) LANs, so odds are good many have the same local address (probably RFC1918) and are NATted to a public IP for that customer. It's possible I am wrong, but it seems the most probable setup.
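The "knock" approach Dave describes, written out as an added example (not code from the thread or from any participant): a NEW TCP connection to 443 records the source address in an iptables `recent` list, and inbound echo-request is accepted only from addresses that knocked within a window. It assumes a Linux host with iptables and its conntrack, recent and icmp match modules; the list name "loggers" and the 3600-second window are arbitrary choices.

```shell
#!/bin/sh
# Added example, not from the original thread: gate ICMP echo-request behind
# the tcp/443 connection the loggers already make ("knock" with HTTPS).
# Assumes iptables with conntrack, recent and icmp match modules (standard on Linux).
# xt_recent keeps 100 addresses per list by default; for several hundred loggers
# load it as: modprobe xt_recent ip_list_tot=1024

install_icmp_knock_rules() {
    IPT=${1:-iptables}      # pass "echo" as $1 to dry-run (print rules instead of loading them)
    WINDOW=${2:-3600}       # seconds a knock stays valid (assumed value)
    # Replies to the server's own outbound traffic, and RELATED ICMP errors, stay allowed
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Knock: a NEW TCP connection to 443 records the source address in the "loggers" list
    "$IPT" -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW \
        -m recent --name loggers --set -j ACCEPT
    # Echo-request is accepted only if the source knocked within WINDOW seconds;
    # --update also refreshes the last-seen timestamp, so an active logger stays listed
    "$IPT" -A INPUT -p icmp --icmp-type echo-request \
        -m recent --name loggers --update --seconds "$WINDOW" -j ACCEPT
    # Every other inbound echo-request is dropped (add a LOG rule before this for visibility)
    "$IPT" -A INPUT -p icmp --icmp-type echo-request -j DROP
}

# Current list entries can be inspected at runtime in /proc/net/xt_recent/loggers
```

Note that, as Dave points out, a NATted customer site knocks with its public address, so every host behind that NAT can ping for the length of the window; the window should therefore be no longer than the loggers' actual check-in interval.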

projects (Author) commented:
gheist. All devices are on internet, not dhcp addresses.

Correct Dave, no dhcp.
I cannot get into complete specifics and your answer is interesting but the curl and icmp connections are separate. However, this gives me an idea for a solution based on what you've said so I will award.

Thank you very much.
> but I don't know the logger IPs since they would be getting it from a dhcp server.

Come on.
projects (Author) commented:
Why would you be upset? Dave made the correct assumption that's all.

>I know I could limit icmp using IPs but I don't know the logger IPs since
>they would be getting it from a dhcp server.

If I knew which dhcp servers they were getting their IPs from and was controlling them, I would not need to find a way of preventing hackers since that implies all would be in some closed network.

Each client will be getting its IP from some local dhcp server on networks all over the place, which I have no control over.

Hope this clears it up.