Can I block ICMP echo request?

Asked by Fred on 2008-03-08

I have blocked all ports with "ufw default deny".

But it still allows ICMP echo requests to my system, which my system gladly replies to with an ICMP echo reply.

Is it possible to block ICMP echo request?

Question information

Language: English
For: ufw
Assignee: No assignee
Solved by: Jamie Strandboge
Jamie Strandboge (jdstrand) said : #1 (best answer)

Yes, but not with the ufw front-end. Look in /etc/ufw/before.rules and comment out this line:
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

Fred (eldmannen+launchpad) said : #2

Hmm, perhaps it's a bit tricky for most users to edit configuration files, and to know where to find the rules...

But now that I know how to do it, and where the files are, I can do that. :)

Fred (eldmannen+launchpad) said : #3

Thanks Jamie Strandboge, that solved my question.

Lee Hopper (leehopp) said : #4

Didn't work for me - running Ubuntu 8.04, tested with Shields Up - still says my computer is responding to ping requests.

Any ideas?

Here's the part of the file /etc/ufw/before.rules:

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
# Don't allow ping requests:
# -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

Serpentine (ale-diaria) said : #5

Try disabling and re-enabling the firewall after saving the before.rules file. If you restarted your PC since you changed the file, it should be working.

sudo ufw disable
sudo ufw enable

Lee Hopper (leehopp) said : #6

Serpentine -

Thank you for the response to my question. I tried your suggestion (also rebooted) to no avail.

Then I checked my setup in WinXP (my machine dual boots) and am having the same problem there: McAfee firewall set up for NO pings, but pings being answered anyway according to ShieldsUP.

I read somewhere that a NAT router can answer ICMP calls by itself without even passing them on to your computer. My modem box says "Centurytel ADSL2/2+ NAT Combo 8/35 PPPOE". Maybe that's the culprit.


Serpentine (ale-diaria) said : #7

Lee Hopper

It could be. Did you try to configure your router directly? Some of them have a hardware/software firewall integrated into them.

You should be able to enter its configuration page through your web browser. Try entering or, or similar. If one of those is the address, it might ask you for a username and password (in my case my ISP didn't have a username or password entered in my router (lucky me XD), so I just have to press "Accept" or "OK"); if you don't know the username/password, call your ISP and ask them; if you're lucky, maybe they'll tell you...

Unfortunately can't help you any further, I've never configured a NAT router, but I can bet that someone else here can help you, or search for a tutorial on the web.

Good Luck! =)

Long since this has been answered, but I found that changing the line to:
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
then run the following:
sudo ufw disable
sudo ufw enable
did the trick for me !)

Erik Sol (forum-ohi) said : #9

Running Ubuntu 14.04 server:
I needed to change the FORWARD line to:
-A ufw-before-forward -p icmp --icmp-type echo-request -j DROP

With that it worked fine.
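The fix described across this thread (edit /etc/ufw/before.rules so the echo-request rule is commented out or changed to DROP, then `sudo ufw disable` / `sudo ufw enable`, and on a forwarding host also the ufw-before-forward rule) is easy to get subtly wrong, as posts #4 and #9 show. The script below is an added example, not code from the thread or from the ufw project: it reads a before.rules-style file, reports which target the active (not commented-out) echo-request rule in a given chain has, and rewrites ACCEPT to DROP. The function names and the sample stanza are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread or the ufw project): audit a ufw
# before.rules file for the ICMP echo-request rule and rewrite it to DROP.
# The function names and the sample stanza below are constructed for this
# example; the real file on an Ubuntu host is /etc/ufw/before.rules.
set -e

# Constructed sample that mirrors the "ok icmp codes" stanza quoted in
# post #4, plus a forward-chain rule like the one post #9 changed.
SAMPLE_RULES='# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT'

# echo_request_policy CHAIN FILE
# Prints the target (ACCEPT, DROP, ...) of the first active, i.e. not
# commented-out, echo-request rule in CHAIN, or NONE when there is none.
# NONE means the packet falls through to whatever the rest of the ruleset
# decides, which is the effect post #1 relies on.
echo_request_policy() {
    chain="$1"
    file="$2"
    target=$(grep -E "^[[:space:]]*-A[[:space:]]+${chain}[[:space:]].*--icmp-type[[:space:]]+echo-request" "$file" \
        | sed -nE 's/.*-j[[:space:]]+([A-Za-z]+).*/\1/p' \
        | head -n 1)
    printf '%s\n' "${target:-NONE}"
}

# set_echo_request_drop CHAIN FILE
# Writes FILE to stdout with the active echo-request ACCEPT rule in CHAIN
# changed to DROP, the edit posts #8 and #9 made by hand. Other lines,
# including commented-out ones, are left untouched.
set_echo_request_drop() {
    sed -E "s/^([[:space:]]*-A[[:space:]]+$1[[:space:]].*--icmp-type[[:space:]]+echo-request[[:space:]]+-j[[:space:]]+)ACCEPT/\1DROP/" "$2"
}

# Demonstration on the constructed sample; nothing here touches /etc/ufw.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$demo"
echo "input chain before:   $(echo_request_policy ufw-before-input "$demo")"
echo "forward chain before: $(echo_request_policy ufw-before-forward "$demo")"
set_echo_request_drop ufw-before-input "$demo" > "$demo.new"
echo "input chain after:    $(echo_request_policy ufw-before-input "$demo.new")"
rm -f "$demo" "$demo.new"
```

To apply this to a real host, run `set_echo_request_drop ufw-before-input /etc/ufw/before.rules` into a temporary file, review the diff, copy it into place as root, then reload with `sudo ufw disable && sudo ufw enable` as posts #5 and #8 do. Confirm the loaded ruleset rather than trusting the file: `sudo iptables -S ufw-before-input | grep echo-request` should show `-j DROP`. Two caveats the thread itself raises: the forward chain only matters when the host forwards traffic for others (post #9), and a NAT router in front of the host may answer pings on its own, which no host-side rule can change (post #6).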