I can't seem to find a setting that allows me to prevent a ping response on RED. I can see from the IpTables chains that ping is always accepted by the ICMPINPUT chain which makes it impossible to block by a rule, because rules are evaluated after ICMPINPUT.
Am I overlooking something obvious?
Block ping on RED
Re: Block ping on RED
First match of the Search Function:
viewtopic.php?f=27&t=19027&p=109186&hil ... mp#p109186
but keep in mind that it's a dumb idea to block ICMP because many functions like VPN, MTU discovery and many other things depend on ICMP.
Also some ISPs will disconnect you if you do not answer to ping.
Blocking ICMP will also not increase your security because a not connected IP will give an error message from the router before your system. If your system does not answer to ping and a hacker does not get this error message, the hacker knows that there is a system that tries to hide.
Arne
Support the project on the donation!



PS: I will not answer support questions via email and ignore IPFire related messages on my non IPFire.org mail addresses.
Re: Block ping on RED
I agree with Arne about disabling ping doing nothing for security.
Nevertheless, this is a firewall distro and most options that are intentionally hidden via WUI should be made available and at user discretion.
This is not Apple software/hardware.
Re: Block ping on RED
Arne.F wrote: ↑April 11th, 2018, 12:48 pm
> First match of the Search Function:
> viewtopic.php?f=27&t=19027&p=109186&hil ... mp#p109186
Thanks. I guess it shows it helps to already know what you're looking for when you're looking for it :-) I searched on ping, not ICMP.

I don't quite see how a VPN relies on a ping response. I have several systems running OpenVPN successfully on IPCops with ping on RED disabled. Path MTU discovery is a dud on stateful firewalls. Whichever way you fragment your packets, once they hit a stateful firewall they will be reassembled to perform connection tracking.
But more importantly, regardless of there being legitimate reasons not to block ICMP, there may also be legitimate reasons to do so. Calling it a dumb idea seems a bit harsh.

Never heard that. I wonder why they would. It does not seem useful or sensible.

Arne.F wrote: ↑April 11th, 2018, 12:48 pm
> Blocking ICMP will also not increase your security because a not connected IP will give an error message from the router before your system. If your system does not answer to ping and a hacker does not get this error message, the hacker knows that there is a system that tries to hide.
Please clarify. How does one differentiate between no response on IP X because there is no host there and no response because the host does not respond?
Re: Block ping on RED
erikvl wrote: ↑April 12th, 2018, 8:20 am
> Arne.F wrote: ↑April 11th, 2018, 12:48 pm
> > Blocking ICMP will also not increase your security because a not connected IP will give an error message from the router before your system. If your system does not answer to ping and a hacker does not get this error message, the hacker knows that there is a system that tries to hide.
> Please clarify. How does one differentiate between no response on IP X because there is no host there and no response because the host does not respond?
That's simply because a non-existent endpoint is responded to by the router beforehand (as Arne stated above).
If your system is reachable, this message isn't sent. Therefore a system not responding to ICMP exists, but is hidden. And for hiding a system there may be "interesting" reasons. Thus it is more interesting to try to hack such a system.
Re: Block ping on RED
First off, this is my first response to any BB, so forgive me if I get the reply in the wrong thread. Looking over the postings of the past several years, there is a recurring theme of blocking the front side (aka the RED) from responding to a ping. Some responses have suggested dropping all ICMP and/or ping responses; I don't think this is a good idea, as per Arne.F as well as others over the course of time. In fact, from what I can tell, IPFire requires the use of ping for Pakfire to work correctly. I believe that what most folks want is to simply drop the response to an external ping (that is, on the external interface). I think that this can be accomplished by adding the following code to /etc/sysconfig/firewall.local
iptables -A CUSTOMINPUT -p icmp --icmp-type 8 -i xxxx -j DROP
For me xxxx is ppp0 due to the fact that I have a DSL connection, but I believe this will vary depending upon how one connects to the internet. One way to figure out what your interface is, is by going to tab:firewall/iptables and selecting FORWARDFW (at least that is the English title) and one can see the outbound interface there.
I have tested this on my device running core:122. I can ping inside my network, I can ping 8.8.8.8, and I can ping my ISP-provided IP address from the inside; however, I cannot ping my ISP-provided IP address from the outside. I even went to grc.com and tried the Shields Up app, and no response. So if invisibility is what you're after, this is one way to go about it without breaking everything. Hopefully this helps.
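A fuller version of the hook file described in the post above, as an added example (not code from the post or from the IPFire project). It assumes IPFire's start/stop/reload layout for /etc/sysconfig/firewall.local and that the RED interface name can be read from /var/ipfire/red/iface (an assumption; ppp0 is used as a fallback), and it drops only inbound echo requests so that the firewall's own outgoing pings, PMTU and unreachable messages keep working.

```shell
#!/bin/sh
# Example /etc/sysconfig/firewall.local (added example, not from the post).
# Assumption: IPFire keeps the RED interface name in /var/ipfire/red/iface.

IPTABLES="${IPTABLES:-iptables}"
RED_IFACE_FILE="${RED_IFACE_FILE:-/var/ipfire/red/iface}"

# Read the RED interface name from the file given as $1; fall back to ppp0
# (the poster's DSL case) when the file is missing or empty.
red_iface() {
    if [ -r "$1" ] && [ -s "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        echo ppp0
    fi
}

# Rule arguments: ICMP type 8 (echo request) arriving on RED only. Echo
# replies (type 0), destination-unreachable, TTL-exceeded and fragmentation-
# needed messages are not matched, so outgoing pings and PMTU still work.
rule_args() {
    echo "CUSTOMINPUT -p icmp --icmp-type 8 -i $1 -j DROP"
}

# Append the rule only if it is not already present (-C checks), so repeated
# 'reload' calls do not pile up duplicate rules in CUSTOMINPUT.
add_rule() {
    # shellcheck disable=SC2046  # word splitting of the argument list is intended
    $IPTABLES -C $(rule_args "$1") 2>/dev/null || $IPTABLES -A $(rule_args "$1")
}

# Remove the rule on stop so the chain is left as IPFire expects it.
del_rule() {
    $IPTABLES -D $(rule_args "$1") 2>/dev/null || true
}

case "$1" in
    start)  add_rule "$(red_iface "$RED_IFACE_FILE")" ;;
    stop)   del_rule "$(red_iface "$RED_IFACE_FILE")" ;;
    reload) "$0" stop; "$0" start ;;
    *)      echo "Usage: $0 {start|stop|reload}" ;;
esac
```

Check the result afterwards with the firewall/iptables page in the WUI (chain CUSTOMINPUT) or with `iptables -L CUSTOMINPUT -v -n`.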