Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Disabling ping in Gufw

  1. #1
    Join Date
    Jul 2005
    Beans
    412

    Disabling ping in Gufw

    Hello,

    How do I disable replying to ping requests in Gufw? I am asking with reference to ubuntu 12.04.

  2. #2
    Soul-Sing is offline Chocolate-Covered Ubuntu Beans
    Join Date
    Aug 2006
    Beans
    1,374
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: Disabling ping in Gufw

    You need to edit /etc/ufw/before.rules and remove the following lines:

    # ok icmp codes
    -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

    or change the "ACCEPT" to "DROP"

    # ok icmp codes
    -A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
    -A ufw-before-input -p icmp --icmp-type source-quench -j DROP
    -A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
    -A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
    -A ufw-before-input -p icmp --icmp-type echo-request -j DROP

    or better
    # ok icmp codes
    -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type echo-request -j DROP

  3. #3
    Join Date
    Sep 2006
    Beans
    7,624
    Distro
    Lubuntu Development Release

    reject vs drop

    Quote Originally Posted by Soul-Sing View Post
    or change the "ACCEPT" to "DROP"
    It's often better to use REJECT instead of DROP, especially if you are going to be using the service yourself.

    http://www.chiark.greenend.org.uk/~p...drop-vs-reject
    http://www.chrisbrenton.org/2009/07/...ll-drop-rules/

  4. #4
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Disabling ping in Gufw

    Neither DROP or REJECTING a ping increases security because they can tell you are at the ip address.

    There are a number of tools that will show you how this is done, but it is a bit beyond what we normally discuss here on the forums.

    See nmap - http://nmap.org/

    What I do is rate limit ping.

    http://agix.com.au/blog/?p=2088

    http://newartisans.com/2007/09/neat-...with-iptables/

    Bottom line, IMO ...

    The default settings with ufw/gufw are fairly tight and written by people who know security. If you want to change them, best do your homework first
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  5. #5
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: reject vs drop

    Quote Originally Posted by Lars Noodén View Post
    It's often better to use REJECT instead of DROP, especially if you are going to be using the service yourself.

    http://www.chiark.greenend.org.uk/~p...drop-vs-reject
    http://www.chrisbrenton.org/2009/07/...ll-drop-rules/
    I agree, nice link

    Additional iptables links

    http://bodhizazen.net/Tutorials/iptables
    http://fedorasolved.org/Members/kanarip/iptables-howto
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  6. #6
    Soul-Sing is offline Chocolate-Covered Ubuntu Beans
    Join Date
    Aug 2006
    Beans
    1,374
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: Disabling ping in Gufw

    The default settings with ufw/gufw are fairly tight and written by people who know security. If you want to change them, best do your homework first
    lol, these suggestion are made by jamie stranboge and the devs of gufw.
    # ok icmp codes
    -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type echo-request -j DROP

    : https://answers.launchpad.net/ufw/+question/26585
    etc etc etc

  7. #7
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Disabling ping in Gufw

    Quote Originally Posted by Soul-Sing View Post
    lol, these suggestion are made by jamie stranboge and the devs of gufw.
    # ok icmp codes
    -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type echo-request -j DROP

    : https://answers.launchpad.net/ufw/+question/26585
    etc etc etc
    Not sure what you are getting at. You may agree or disagree with the default rules, I personally do not use them.

    BUT ...

    My advice is that you understand what and why you are changing them before you edit the default rules.

    IMO, ufw, and gufw even more so, is for people who do not want to be bothered to learn iptables and they just want to click an "enable" button. It serves this purpose well. When those people come to the security section to ask questions I think the best response is to educate them.

    ufw is a great tool as the syntax is very similar to iptables.

    At the end of the day, IMO, if you want a custom firewall, iptables is the best tool for the job.
    Last edited by bodhi.zazen; January 29th, 2013 at 09:35 PM.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  8. #8
    Join Date
    Jul 2005
    Beans
    412

    Re: Disabling ping in Gufw

    Isn't there any way to do this from the Gufw GUI without editing text files? I thought there was a proposal to include that in more recent versions of Gufw.

  9. #9
    Join Date
    Sep 2006
    Beans
    7,624
    Distro
    Lubuntu Development Release

    Re: Disabling ping in Gufw

    Quote Originally Posted by jsvidyad View Post
    Isn't there any way to do this from the Gufw GUI without editing text files? I thought there was a proposal to include that in more recent versions of Gufw.
    There would be little to no point because the bad guys can find your computer just as easily without ping as with it. Adding the ability to throttle the rate of pings might be useful but maybe not. What problem are you trying to solve?

  10. #10
    Soul-Sing is offline Chocolate-Covered Ubuntu Beans
    Join Date
    Aug 2006
    Beans
    1,374
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: Disabling ping in Gufw

    Quote Originally Posted by Lars Noodén View Post
    There would be little to no point because the bad guys can find your computer just as easily without ping as with it. Adding the ability to throttle the rate of pings might be useful but maybe not. What problem are you trying to solve?
    shields-up test prob. with the FAILED testresult.

Page 1 of 2 12 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •