HOWTO: Disabling pinging in the ufw firewall - UPDATE!

[macondo]

http://www.shibuvarkala.com/2008/10/disable-ping-response-in-ubuntu-linux.html

Code:

# nano /etc/sysctl.conf

Start on line 30:

Code:

net/ipv4/icmp_echo_ignore_broadcasts=1

net/ipv4/icmp_echo_ignore_all=1

net/ipv4/icmp_ignore_bogus_error_responses=1

check your system on www.grc.com (ShieldsUp), this is what i got:


"Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice."


PSS: I made a mistake copying the file address, it should read:

Code:

/etc/ufw/sysctl.conf

[macondo]

I must apologize for the ambiguity of the title on this howto, as per pierce.jason this could work with ufw being installed or not. My bad! Apologies

[Darin]

Here is a .bz2 of files and instructions on how to do it quickly. I get the same results from shieldsup and have had this on my SuperGamer releases for the last 3 releases.

[macondo]

Just found this in the internet and tried it and it worked on Debian:
https://help.ubuntu.com/community/UFW

Code:

You need to edit /etc/ufw/before.rules and remove edit the following lines:

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

Change the "ACCEPT" to "DROP" or

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

IOW, change the last word from ACCEPT to DROP

Reboot, and then try ShieldsUp at www.grc.com

I got this review:
"Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice."

PS: I forgot to mention it worked fine in VL7 Light