Author Topic: Firewall Ping reply rule  (Read 2254 times)


Offline fvmb

  • Full Member
  • ***
  • Posts: 117
  • Being a teacher implies that we stay learning!
Firewall Ping reply rule
« on: September 24, 2019, 09:06:36 PM »
Hi,

I need to create a rule to block ping reply. I was thinking it would be enough to go through the system rules on the firewall and set allow ping to inactive, but it isn't.
You can check on Gibson Institute: https://www.grc.com/

Can you help me to create the rule on local router firewall please?

Best Regards,
« Last Edit: September 26, 2019, 06:26:18 PM by fvmb »

Offline fvmb

  • Full Member
  • ***
  • Posts: 117
  • Being a teacher implies that we stay learning!
Re: Firewall Ping reply rule
« Reply #1 on: September 26, 2019, 01:52:50 PM »
Any help related to the rule ?  ;D

Regards,

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37505
  • Not a avast user
Re: Firewall Ping reply rule
« Reply #2 on: September 26, 2019, 02:16:40 PM »
So you have tested some ping thing at Gibson and your firewall should not reply, but it does even after turning it off ... is that it?

What about your router firewall? If you are behind a router with a firewall, then I guess that is where you block ping?


Anyway why do you need this?


« Last Edit: September 26, 2019, 03:54:31 PM by Pondus »

Offline fvmb

  • Full Member
  • ***
  • Posts: 117
  • Being a teacher implies that we stay learning!
Re: Firewall Ping reply rule
« Reply #3 on: September 26, 2019, 06:36:30 PM »
Hey Pondus,

I incorrectly wrote Avast but meant to write, of course, my local router firewall, and yes, the router has a firewall! I'm doing it right now on the router firewall. This is not a gateway DSL but a local router behind an ONT. So the ONT gives access to the internet and the local router gives home management.

Because, as you may know, someone can access your network using this ping reply through the ICMP protocol in order to use exploits to gain access, and by turning ICMP echo ping reply off, as it should always be, it's harder for someone to do this.


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37505
  • Not a avast user
Re: Firewall Ping reply rule
« Reply #4 on: September 26, 2019, 06:44:25 PM »
Understanding ICMP and why you shouldn't just block it outright
https://neilalexander.dev/2017/04/16/understanding-icmp.html

http://shouldiblockicmp.com/



Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Firewall Ping reply rule
« Reply #5 on: September 26, 2019, 07:37:57 PM »
Pondus' first article is pretty decent, so I recommend you read it.

The last RCE I'm aware of for ICMP is from 2011, and that was under Magneto. I doubt you're running an eCommerce website on a local home network... Why are you looking to block ping requests? Any attacker with the skills to use RCEs and whatnot is not going to be focusing on a small home network.

My advice at the end of the day is to simply leave it. Unless you're a networking god, you shouldn't be playing with it. (And given that you're on the forums asking for help, I'm guessing you're not god.) Regardless of skill level, ICMP is required in IPv6 implementations, and I should remind you, the world is out of IPv4 addresses that haven't been claimed.

https://blogs.cisco.com/security/icmp-and-security-in-ipv6


VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.
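Added example, not code from the thread or from any router vendor: an nftables ruleset for a Linux-based home router that follows the advice above by rate-limiting ping from the WAN instead of blocking it, while explicitly keeping the ICMPv6 types IPv6 depends on. The interface names "wan" and "br-lan" are placeholders and must be replaced with the router's real interface names.

```nft
# Added example (not from the thread). Interface names "wan" and "br-lan"
# are assumptions; adjust them to the router's actual interfaces.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept

        # ICMPv6 that IPv6 itself needs on the WAN side: neighbour discovery,
        # router advertisements from the ISP, and packet-too-big for PMTUD.
        # Accepted before the ct state checks so conntrack cannot interfere.
        iifname "wan" meta l4proto ipv6-icmp icmpv6 type {
            nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert,
            packet-too-big, destination-unreachable, time-exceeded,
            parameter-problem
        } accept

        # Replies to the router's own outbound traffic, including its own
        # pings, are tracked by conntrack and come back as established.
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may still ping the router for troubleshooting.
        iifname "br-lan" accept

        # IPv4 ICMP from the WAN: keep the error messages that make TCP and
        # PMTUD work, and answer echo-request only at a modest rate instead of
        # silently dropping it, so the host is not "stealthed" into breaking
        # legitimate reachability checks.
        iifname "wan" icmp type {
            destination-unreachable, time-exceeded, parameter-problem
        } accept
        iifname "wan" icmp type echo-request limit rate 5/second accept
        iifname "wan" icmp type echo-request drop

        # Same treatment for IPv6 echo-request from the WAN.
        iifname "wan" icmpv6 type echo-request limit rate 5/second accept
        iifname "wan" icmpv6 type echo-request drop
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`; anything the router itself must accept from the WAN beyond ICMP (for example a DHCPv6 client reply) still needs its own accept rule under the drop policy.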

Offline fvmb

  • Full Member
  • ***
  • Posts: 117
  • Being a teacher implies that we stay learning!
Re: Firewall Ping reply rule
« Reply #6 on: September 26, 2019, 08:11:55 PM »
Understanding ICMP and why you shouldn't just block it outright
https://neilalexander.dev/2017/04/16/understanding-icmp.html

http://shouldiblockicmp.com/

Thank you Pondus,

Very nice article ;)

Best Regards,

Offline fvmb

  • Full Member
  • ***
  • Posts: 117
  • Being a teacher implies that we stay learning!
Re: Firewall Ping reply rule
« Reply #7 on: September 26, 2019, 08:15:18 PM »
Pondus' first article is pretty decent, so I recommend you read it.

The last RCE I'm aware of for ICMP is from 2011, and that was under Magneto. I doubt you're running an eCommerce website on a local home network... Why are you looking to block ping requests? Any attacker with the skills to use RCEs and whatnot is not going to be focusing on a small home network.

My advice at the end of the day is to simply leave it. Unless you're a networking god, you shouldn't be playing with it. (And given that you're on the forums asking for help, I'm guessing you're not god.) Regardless of skill level, ICMP is required in IPv6 implementations, and I should remind you, the world is out of IPv4 addresses that haven't been claimed.

https://blogs.cisco.com/security/icmp-and-security-in-ipv6

Thank you Michael (alan1998) :)

I read Pondus' and also yours. What you are saying about IPv6 and the ICMP protocol is completely true, and yes, addresses are running out.

Best Regards,