Block ping on RED

erikvl
Posts: 16
Joined: April 9th, 2018, 9:14 am

Block ping on RED

Post by erikvl » April 11th, 2018, 11:11 am

I can't seem to find a setting that allows me to prevent a ping response on RED. I can see from the IpTables chains that ping is always accepted by the ICMPINPUT chain which makes it impossible to block by a rule, because rules are evaluated after ICMPINPUT.

Am I overlooking something obvious?

Arne.F
Core Developer
Posts: 8522
Joined: May 7th, 2006, 8:57 am
Location: BS <-> NDH

Re: Block ping on RED

Post by Arne.F » April 11th, 2018, 12:48 pm

First match of the Search Function:
viewtopic.php?f=27&t=19027&p=109186&hil ... mp#p109186

but keep in mind that it's a dumb idea to block ICMP because many functions like VPN, MTU discovery and many other things depend on ICMP.
Also some ISPs will disconnect you if you do not answer pings.

Blocking ICMP will also not increase your security because a not-connected IP will give an error message from the router before your system. If your system does not answer pings and a hacker does not get this error message, the hacker knows that there is a system that tries to hide.
Arne


Deepcuts
Posts: 461
Joined: March 1st, 2016, 3:18 pm
Location: Romania

Re: Block ping on RED

Post by Deepcuts » April 12th, 2018, 7:27 am

I agree with Arne about disabling ping doing nothing for security.
Nevertheless, this is a firewall distro and most options that are intentionally hidden via WUI should be made available and at user discretion.
This is not Apple software/hardware.

erikvl
Posts: 16
Joined: April 9th, 2018, 9:14 am

Re: Block ping on RED

Post by erikvl » April 12th, 2018, 8:20 am

Arne.F wrote:
April 11th, 2018, 12:48 pm
First match of the Search Function:
viewtopic.php?f=27&t=19027&p=109186&hil ... mp#p109186
Thanks. I guess it shows it helps to already know what you're looking for when you're looking for it :-) I searched on ping, not icmp.
Arne.F wrote:
April 11th, 2018, 12:48 pm
but keep in mind that it's a dumb idea to block ICMP because many functions like VPN, MTU discovery and many other things depend on ICMP.
I don't quite see how a VPN relies on a ping response. I have several systems running OpenVPN successfully on IpCops with ping on red disabled. Path MTU discovery is a dud on stateful firewalls. Whichever way you fragment your packets, once they hit a stateful firewall they will be reassembled to perform connection tracking.

But more importantly, regardless of there being legitimate reasons not to block icmp, there may also be legitimate reasons to do so. Calling it a dumb idea seems a bit harsh.
Arne.F wrote:
April 11th, 2018, 12:48 pm
Also some ISPs will disconnect you if you do not answer pings.
Never heard that. I wonder why they would. It does not seem useful or sensible.
Arne.F wrote:
April 11th, 2018, 12:48 pm
Blocking ICMP will also not increase your security because a not-connected IP will give an error message from the router before your system. If your system does not answer pings and a hacker does not get this error message, the hacker knows that there is a system that tries to hide.
Please clarify. How does one differentiate between no response on IP X because there is no host there and no response because the host does not respond?

BeBiMa
Posts: 2842
Joined: July 30th, 2011, 12:55 pm
Location: Mannheim

Re: Block ping on RED

Post by BeBiMa » April 12th, 2018, 9:40 am

erikvl wrote:
April 12th, 2018, 8:20 am
Arne.F wrote:
April 11th, 2018, 12:48 pm
Blocking ICMP will also not increase your security because a not-connected IP will give an error message from the router before your system. If your system does not answer pings and a hacker does not get this error message, the hacker knows that there is a system that tries to hide.
Please clarify. How does one differentiate between no response on IP X because there is no host there and no response because the host does not respond?
That's simply because a non-existent endpoint is answered for by the router before you are reached (as Arne stated above).
If your system is reachable, this message isn't sent. Therefore a system not responding to ICMP exists, but is hidden. And for hiding a system there may be "interesting" reasons. Thus it is more interesting to try to hack such a system.

IamaShip
Posts: 1
Joined: August 8th, 2018, 3:13 am

Re: Block ping on RED

Post by IamaShip » August 8th, 2018, 4:46 am

First off, this is my first response to any BB, so forgive me if I get the reply in the wrong thread. Looking over the postings of the past several years, there is a recurring theme of blocking the front side (aka the RED) from responding to a ping. Some responses have suggested dropping all ICMP and/or ping responses; I don't think this is a good idea, as per Arne.F as well as others over the course of time. In fact, from what I can tell, IPFire requires the use of ping for Pakfire to work correctly. I believe that what most folks want is to simply drop the response to an external ping (that is, on the external interface). I think that this can be accomplished by adding the following code to /etc/sysconfig/firewall.local

iptables -A CUSTOMINPUT -p icmp --icmp-type 8 -i xxxx -j DROP

For me xxxx is ppp0 due to the fact that I have a DSL connection, but I believe this will vary depending upon how one connects to the internet. One way to figure out what your interface is, is by going to tab: Firewall/IPTables and selecting FORWARDFW (at least that is the English title), and one can see the outbound interface there.

I have tested this on my device running Core 122. I can ping inside my network, I can ping 8.8.8.8, and I can ping my ISP-provided IP address from the inside; however, I cannot ping my ISP-provided IP address from the outside. I even went to grc.com and tried the Shields Up app, and no response. So if invisibility is what you're after, this is one way to go about it without breaking everything. Hopefully this helps.
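The rule above hard-codes the uplink name (ppp0), which only holds for PPPoE; a DHCP or static RED sits on the physical device instead. The script below is an added example written for this thread, not IPFire's own firewall.local, and it works out the RED interface itself and produces the matching -A/-D rules for the start/stop/reload hooks. It drops only ICMP type 8 (echo-request), so fragmentation-needed messages (type 3 code 4, which Path MTU discovery relies on) and the echo-replies to your own outgoing pings are unaffected; that is why the test from inside in the post still works. Assumed, since the page does not show them: IPFire stores RED_TYPE= and RED_DEV= in /var/ipfire/ethernet/settings, writes the live uplink name to /var/ipfire/red/iface when RED is up, and the CUSTOMINPUT chain is the one firewall.local is meant to fill. Set DRY_RUN=1 to print the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example, not IPFire's shipped firewall.local. Drops inbound ICMP
# echo-requests (type 8) on the RED uplink only. Other ICMP types are left
# alone so PMTU discovery and replies to our own pings keep working.
#
# Assumptions (not confirmed by the thread):
#   /var/ipfire/ethernet/settings contains RED_TYPE=... and RED_DEV=...
#   /var/ipfire/red/iface holds the live uplink name while RED is up
#   CUSTOMINPUT is the chain firewall.local is expected to populate

SETTINGS="${SETTINGS:-/var/ipfire/ethernet/settings}"
RED_IFACE_FILE="${RED_IFACE_FILE:-/var/ipfire/red/iface}"
DRY_RUN="${DRY_RUN:-0}"

# red_iface [iface_file] [settings_file]
# Print the interface RED currently uses. Prefer the live iface file; if RED
# is down, fall back to the settings: a PPPoE uplink lives on ppp0, any other
# RED type (DHCP, STATIC) sits directly on RED_DEV.
red_iface() {
    iface_file="${1:-$RED_IFACE_FILE}"
    settings="${2:-$SETTINGS}"
    if [ -s "$iface_file" ]; then
        tr -d '\n' < "$iface_file"
        return 0
    fi
    red_type=$(sed -n 's/^RED_TYPE=//p' "$settings")
    red_dev=$(sed -n 's/^RED_DEV=//p' "$settings")
    case "$red_type" in
        PPPOE) printf '%s' ppp0 ;;
        *)     printf '%s' "$red_dev" ;;
    esac
}

# ping_rule A|D iface
# Print the iptables command that appends (-A) or deletes (-D) the drop rule.
# Building the command as text keeps it inspectable (and testable) without
# root or a running netfilter.
ping_rule() {
    action="$1"
    iface="$2"
    printf 'iptables -%s CUSTOMINPUT -i %s -p icmp --icmp-type 8 -j DROP\n' \
        "$action" "$iface"
}

# run cmd...: execute, or just echo the command when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        sh -c "$*"
    fi
}

# firewall.local is invoked by IPFire with start, stop or reload.
case "$1" in
    start)  run "$(ping_rule A "$(red_iface)")" ;;
    stop)   run "$(ping_rule D "$(red_iface)")" ;;
    reload) "$0" stop; "$0" start ;;
esac
```

After a start, `iptables -L CUSTOMINPUT -n -v` should show the single DROP rule with the RED interface in the "in" column and its counters climbing while you ping the public address from outside; pinging out from GREEN still gets replies because the echo-reply comes back as part of an established flow, not as type 8.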
