ufw

Can I block ICMP echo request?

Asked by Fred

I have blocked all ports with "ufw default deny".

But it still allows ICMP echo requests to my system, which my system gladly replies to with an ICMP echo reply.

Is it possible to block ICMP echo request?

Question information

Language: English
Status: Solved
For: ufw
Assignee: No assignee
Solved by: Jamie Strandboge
#1 (best answer) Jamie Strandboge (jdstrand) said:

Yes, but not with the ufw front-end. Look in /etc/ufw/before.rules and comment out this line:
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

#2 Fred (eldmannen+launchpad) said:

Hmm, perhaps it's a bit tricky for most users to edit configuration files, and to know where to find the rules...

But now that I know how to do it, and where the files are, I can do that. :)

#3 Fred (eldmannen+launchpad) said:

Thanks Jamie Strandboge, that solved my question.

#4 Lee Hopper (leehopp) said:

Didn't work for me - running Ubuntu 8.04, tested with Shields Up - still says my computer is responding to ping requests.

Any ideas?

Here's the part of the file /etc/ufw/before.rules:

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
# Don't allow ping requests:
# -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

#5 Serpentine (ale-diaria) said:

Try disabling and re-enabling the firewall after saving the before.rules file. If you restarted your PC since you changed the file, it should be working.

sudo ufw disable
sudo ufw enable

#6 Lee Hopper (leehopp) said:

Serpentine -

Thank you for the response to my question. I tried your suggestion (also rebooted) to no avail.

Then I checked my setup in WinXP (my machine dual boots) and am having the same problem there: McAfee firewall set up for NO pings but pings being answered anyway according to ShieldsUP.

I read somewhere that a NAT router can answer ICMP calls by itself without even passing them on to your computer. My modem box says "Centurytel ADSL2/2+ NAT Combo 8/35 PPPOE". Maybe that's the culprit.

LeeH

#7 Serpentine (ale-diaria) said:

Lee Hopper

It could be. Did you try to configure your router directly? Some of them have a hardware/software Firewall integrated to them.

You should be able to enter its configuration page through your web browser. Try entering 192.168.100.0 or 192.168.100.1, or similar. If one of those is the address, it might ask you for a username and password (in my case my ISP didn't have a username or password entered in my router (lucky me XD), so I just have to press "Accept" or "OK"). If you don't know the username/password, call your ISP and ask them; if you're lucky, maybe they'll tell you...

Unfortunately I can't help you any further; I've never configured a NAT router, but I can bet that someone else here can help you, or search for a tutorial on the web.

Good Luck! =)
Serpentine

#8 Jared LaMunyon (jared-lamunyon) said:

Long since this has been answered, but I found that changing the line to:

-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

and then running the following:

sudo ufw disable
sudo ufw enable

did the trick for me!

#9 Erik Sol (forum-ohi) said:

Running Ubuntu 14.04 server:
I needed to change the FORWARD line to:
-A ufw-before-forward -p icmp --icmp-type echo-request -j DROP

With that it worked fine.
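The thread's fix (posts #1, #8 and #9) comes down to changing the echo-request ACCEPT rules in the ufw-before-input and ufw-before-forward chains to DROP and then reloading ufw. The script below is an added example, not code from this thread or from the ufw project: it rehearses that edit on a scratch copy of the rules, so the sed expression and the result can be checked before the same change is made to the real /etc/ufw/before.rules. The sample file is constructed from the lines quoted in post #4 plus the forward rule from post #9 (its "FORWARD" comment line is constructed, not copied from a real before.rules), the function names are this example's own, and it assumes the rule lines look exactly like the ones quoted in the thread. Only echo-request is rewritten; destination-unreachable, time-exceeded and parameter-problem stay accepted because dropping those breaks path MTU discovery and traceroute. Note that, as post #6 found, an external tester such as ShieldsUP may still see replies that come from a NAT router in front of the machine, which no change to the host's iptables rules can affect.

```shell
#!/bin/sh
# Added example, not code from the Launchpad thread or the ufw project.
# It rewrites the echo-request ACCEPT rules to DROP in a scratch copy of the
# rules file and verifies the result, so the edit can be rehearsed before
# touching /etc/ufw/before.rules. Function names are this example's own.

# Write a constructed sample mirroring the "# ok icmp codes" block quoted in
# post #4 plus the forward-chain rule from post #9 (the FORWARD comment line
# is constructed, not copied from a real before.rules).
make_sample_rules() {
  cat > "$1" <<'EOF'
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
EOF
}

# Turn every "echo-request ... -j ACCEPT" rule in the ufw-before-* chains
# into "-j DROP", keeping a .bak copy of the original. Only echo-request is
# touched: destination-unreachable, time-exceeded and parameter-problem stay,
# because dropping those breaks path MTU discovery and traceroute replies.
drop_echo_request() {
  cp "$1" "$1.bak"
  sed -e 's/^\(-A ufw-before-[a-z]* -p icmp --icmp-type echo-request -j \)ACCEPT$/\1DROP/' \
    "$1.bak" > "$1"
}

# Exit 0 only if no echo-request ACCEPT rule remains and at least one
# echo-request DROP rule is present.
verify_echo_request_dropped() {
  if grep -q -- '--icmp-type echo-request -j ACCEPT' "$1"; then
    return 1
  fi
  grep -q -- '--icmp-type echo-request -j DROP' "$1"
}

# Number of echo-request DROP rules (one per chain that was rewritten).
count_echo_request_drops() {
  grep -c -- '--icmp-type echo-request -j DROP' "$1"
}

# Rehearsal on a temporary file. Against the real /etc/ufw/before.rules the
# same edit must be followed by "sudo ufw disable && sudo ufw enable" so the
# new rules are actually loaded, as posts #5 and #8 note.
demo() {
  tmp=$(mktemp) || return 1
  make_sample_rules "$tmp"
  drop_echo_request "$tmp"
  if verify_echo_request_dropped "$tmp"; then
    echo "echo-request now DROPped in $(count_echo_request_drops "$tmp") chain(s)"
  else
    echo "rewrite failed; inspect $tmp.bak" >&2
  fi
  rm -f "$tmp" "$tmp.bak"
}

demo
```

To apply it for real, point drop_echo_request at a copy of /etc/ufw/before.rules, review the diff against the .bak file, install the result as root, and reload ufw; run verify_echo_request_dropped against the installed file afterwards to confirm no ACCEPT rule for echo-request slipped through.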