VectorLinux


Author Topic: HOWTO: Disabling pinging in the ufw firewall - UPDATE!  (Read 10090 times)

macondo

HOWTO: Disabling pinging in the ufw firewall - UPDATE!
« on: July 10, 2012, 11:09:06 am »

http://www.shibuvarkala.com/2008/10/disable-ping-response-in-ubuntu-linux.html


Code:
# nano /etc/sysctl.conf

Start on line 30:
Code:
net/ipv4/icmp_echo_ignore_broadcasts=1

net/ipv4/icmp_echo_ignore_all=1

net/ipv4/icmp_ignore_bogus_error_responses=1

Check your system on www.grc.com (ShieldsUp); this is what I got:


"Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice."


PSS: I made a mistake copying the file address, it should read:

Code:
/etc/ufw/sysctl.conf
« Last Edit: July 29, 2012, 11:15:13 am by macondo »
VL 7.0 Light - Barebones Install - Kernel 3.0.17
Debian Testing - Minimal Install - kernel 3.4.0-6.dmz.1-liquorix-686
Desktop: Atom Processor || 1 GB RAM || 500 GB HD

macondo

Re: HOWTO: Disabling pinging from outside the ufw firewall
« Reply #1 on: July 12, 2012, 09:44:13 am »

I must apologize for the ambiguity of the title on this howto; as per pierce.jason, this could work with ufw being installed or not. My bad! Apologies.

Darin

Re: HOWTO: Disabling pinging from outside the ufw firewall
« Reply #2 on: July 12, 2012, 07:45:01 pm »

Here is a .bz2 of files and instructions on how to do it quickly. I get the same results from ShieldsUp and have had this on my SuperGamer releases for the last 3 releases.

macondo

Re: HOWTO: Disabling pinging in the ufw firewall - UPDATE!
« Reply #3 on: July 29, 2012, 11:20:13 am »

Just found this on the internet, tried it, and it worked on Debian:
https://help.ubuntu.com/community/UFW

Code:
You need to edit /etc/ufw/before.rules and remove or edit the following lines:

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

Change the "ACCEPT" to "DROP":

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

IOW, change the last word from ACCEPT to DROP

Reboot, and then try ShieldsUp at www.grc.com

I got this review:
"Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice."

PS: I forgot to mention it worked fine in VL7 Light  :D
« Last Edit: July 30, 2012, 08:43:11 am by macondo »
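An added example, not part of the original posts or of the Ubuntu wiki text they quote: a shell sketch that works on copies of the two files named in the thread, setting only the echo-request rule to DROP and reporting the resulting policy per ICMP type. It narrows the change to echo-request because destination-unreachable carries the "fragmentation needed" messages that Path MTU Discovery relies on and time-exceeded is what traceroute depends on; the function names and the sample rules are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Run it against copies of the files, not the live /etc/ufw ones.

# icmp_policy RULES TYPE: print the -j target of the first ufw-before-input
# rule for that ICMP type, or MISSING if no such rule exists.
icmp_policy() {
    awk -v want="$2" '
        $1 == "-A" && $2 == "ufw-before-input" {
            type = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "--icmp-type") type = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (type == want && found == "") found = target
        }
        END { print (found == "" ? "MISSING" : found) }
    ' "$1"
}

# drop_echo_only RULES: print the rules with only echo-request set to DROP.
drop_echo_only() {
    sed -E '/^-A ufw-before-input .*--icmp-type echo-request /s/-j ACCEPT[[:space:]]*$/-j DROP/' "$1"
}

# echo_ignored SYSCTL: succeed if icmp_echo_ignore_all is 1 (last setting wins).
# Accepts both the slash form used in the thread and the dotted form.
echo_ignored() {
    val=$(sed -n -E 's|^[[:space:]]*net[./]ipv4[./]icmp_echo_ignore_all[[:space:]]*=[[:space:]]*([0-9]+).*|\1|p' "$1" | tail -n 1)
    [ "$val" = "1" ]
}

# Constructed sample input mirroring the rules quoted in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
EOF
drop_echo_only "$sample" > "$sample.new"
for t in destination-unreachable time-exceeded echo-request; do
    printf '%-24s %s -> %s\n' "$t" "$(icmp_policy "$sample" "$t")" "$(icmp_policy "$sample.new" "$t")"
done
```

Comparing the before and after columns shows which ICMP types changed before the edited copy replaces the real file.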