A DFW (Distributed Firewall) rule is configured to allow only TCP/UDP. In the ESXi log /var/run/log/dfwpacket.logs, an "ICMP type 3" packet matches the rule ID associated with that TCP/UDP rule.
Note: It's possible that other specific services/protocols could produce the "ICMP type 3" response; the above is just one example.
This behavior is observed in all versions of NSX that use DFW.
It occurs when the DFW is configured similarly to the configuration below, which allows only a TCP/UDP port.
Note: The lab example below allows only TCP and UDP port 445.
DFW programming:
rule 1011 at 1 inout protocol tcp strict from addrset <UUID of dest_test_grp> to addrset <UUID of src_test_grp> port 445 accept with log;
rule 1011 at 2 inout protocol udp from addrset <UUID of dest_test_grp> to addrset <UUID of src_test_grp> port 445 accept with log;
rule 1010 at 3 inout protocol tcp strict from addrset <UUID of src_test_grp> to addrset <UUID of dest_test_grp> port 445 accept with log;
rule 1010 at 4 inout protocol udp from addrset <UUID of src_test_grp> to addrset <UUID of dest_test_grp> port 445 accept with log;
DFW address set for the vNIC VM Membership
addrset is shared for this filter
global addrset
addrset <UUID of dest_test_grp> {
ip 10.37.200.0/24,
ip 192.168.0.0/16,
}
addrset <UUID of src_test_grp> {
ip 10.37.200.0/24,
ip 192.168.0.0/16,
}
/var/run/log/dfwpacket.logs shows an "ICMP 3" entry, with no port information attached, matched against the same rule ID:
2024-12-11T22:51:00.741Z c4bbec9e INET match PASS 1011 OUT 39 UDP 192.168.124.5/42505->192.168.125.50/445
2024-12-11T22:51:00.743Z c4bbec9e INET match PASS 1011 IN 67 ICMP 3 3 192.168.125.50->192.168.124.5
If traffic is sent to a specific TCP/UDP port and the destination port is unreachable for any reason, an ICMP "Destination Port Unreachable" message may be generated and sent back to the source. This indicates a potential issue with the port or with connectivity.
$ sudo tcpdump -i ens192 -n
15:01:03.390694 IP 192.168.124.5.54173 > 192.168.125.50.445: UDP, length 11
15:01:03.390739 IP 192.168.125.50 > 192.168.124.5: ICMP 192.168.125.50 udp port 445 unreachable, length 47
This is expected behavior. Since an ICMP error packet includes the original IP packet that triggered it, DFW uses the layer 3 and layer 4 information of that original packet for rule matching.
The two numbers following ICMP in the log line are the ICMP type and code respectively. In the example above, it is an ICMP type 3 code 3 packet. The URL below provides the complete list of ICMP codes for Type 3:
https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml#icmp-parameters-codes-3
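As an added example (not part of this article and not NSX code), the following Python builds a constructed ICMP type 3 code 3 packet matching the tcpdump reply above, extracts the layer 3/4 fields from the quoted original UDP datagram the way the text describes, and evaluates them against the four rules listed in the DFW programming. The expansion of the two addrsets and the first-match evaluation order are assumptions.

```python
import ipaddress
import socket
import struct

# Constructed sample (not captured from the article's lab): the tcpdump reply above,
# an ICMP type 3 code 3 from 192.168.125.50 to 192.168.124.5 quoting the original
# UDP datagram 192.168.124.5:42505 -> 192.168.125.50:445. Checksums are left zero.

def ipv4_header(src, dst, proto, payload_len):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def build_icmp_unreachable(orig_src, orig_dst, sport, dport, udp_payload_len=11, code=3):
    # An ICMP error quotes the original IP header plus the first 8 bytes of its payload,
    # which for UDP is the whole UDP header (ports included).
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + udp_payload_len, 0)
    quoted = ipv4_header(orig_src, orig_dst, 17, 8 + udp_payload_len) + udp_hdr
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + quoted
    return ipv4_header(orig_dst, orig_src, 1, len(icmp)) + icmp

def parse_icmp_error(pkt):
    """Return type/code plus the layer 3/4 fields of the quoted original packet, or None."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                       # outer protocol must be ICMP
        return None
    icmp = pkt[ihl:]
    if icmp[0] != 3:                      # only Destination Unreachable is handled here
        return None
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {"type": icmp[0], "code": icmp[1], "proto": inner[9],
            "src": socket.inet_ntoa(inner[12:16]), "dst": socket.inet_ntoa(inner[16:20]),
            "sport": sport, "dport": dport}

# Assumed expansion of the two addrsets (both hold the same members) and the four
# rules in the order the DFW programming lists them; first match wins.
GROUP = [ipaddress.ip_network("10.37.200.0/24"), ipaddress.ip_network("192.168.0.0/16")]
RULES = [(1011, 6, 445), (1011, 17, 445), (1010, 6, 445), (1010, 17, 445)]

def match_rule(flow):
    """Evaluate the quoted original packet against RULES as DFW does for ICMP errors."""
    src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    in_group = lambda ip: any(ip in net for net in GROUP)
    for rule_id, proto, port in RULES:
        if flow["proto"] == proto and flow["dport"] == port and in_group(src) and in_group(dst):
            return rule_id
    return None
```

Calling match_rule(parse_icmp_error(build_icmp_unreachable("192.168.124.5", "192.168.125.50", 42505, 445))) returns 1011, the same rule ID the log shows for the ICMP entry, because the quoted UDP datagram, not the ICMP packet itself, is what gets matched.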