Firewall Ping reply rule

Hi,

I need to create a rule to block ping reply. I was thinking that it would be enough to go through the system rules on the firewall and set allow ping to inactive, but it isn't.
You can check on Gibson Institute: https://www.grc.com/

Can you help me to create the rule on local router firewall please?

Best Regards,

Any help related to the rule? ;D

Regards,

So you have tested some ping thing at Gibson and your firewall should not reply, but it does even after turning it off … is that it?

What about your router firewall? If you are behind a router with a firewall, then I guess that is where you block ping?

Anyway why do you need this?

Hey Pondus,

I incorrectly wrote Avast but meant to write, of course, my local router firewall, and yes, the router has a firewall! I'm doing it right now on the router firewall. This is not a DSL gateway but a local router behind an ONT. So the ONT gives access to the internet and the local router gives home management.

Because, as you may know, someone can access your network using this ping reply through the ICMP protocol in order to use exploits to gain access, and by turning ICMP echo ping reply off, as it should always be, it's harder for someone to do this.

Understanding ICMP and why you shouldn’t just block it outright
https://neilalexander.dev/2017/04/16/understanding-icmp.html

http://shouldiblockicmp.com/

Pondus’ first article is pretty decent, so I recommend you read it.

The last RCE I’m aware of for ICMP is from 2011, and that was under Magento. I doubt you’re running an eCommerce website on a local home network… Why are you looking to block ping requests? Any attacker with the skills to use RCEs and whatnot is not going to be focusing on a small home network.

My advice at the end of the day is to simply leave it. Unless you’re a networking god, you shouldn’t be playing with it. (And given that you’re on the forums asking for help, I’m guessing you’re not god.) Regardless of skill level, ICMP is required in IPv6 implementations, and I should remind you, the world is out of IPv4 addresses that haven’t been claimed.

https://blogs.cisco.com/security/icmp-and-security-in-ipv6

Thank you Pondus,

Very nice article :wink:

Best Regards,

Thank you Michael (alan1998) :slight_smile:

I read Pondus's and also yours. What you are saying about IPv6 and the ICMP protocol is completely true, and yes, addresses are running out.

Best Regards,