
Thread: Disabling ping in Gufw

  1. #1
    Join Date
    Jul 2005
    Beans
    435

    Disabling ping in Gufw

    Hello,

    How do I disable replying to ping requests in Gufw? I am asking with reference to Ubuntu 12.04.

  2. #2
    Soul-Sing is offline Chocolate-Covered Ubuntu Beans
    Join Date
    Aug 2006
    Beans
    1,374
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: Disabling ping in Gufw

    You need to edit /etc/ufw/before.rules and remove the following lines:

    # ok icmp codes
    -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

    or change the "ACCEPT" to "DROP"

    # ok icmp codes
    -A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
    -A ufw-before-input -p icmp --icmp-type source-quench -j DROP
    -A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
    -A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
    -A ufw-before-input -p icmp --icmp-type echo-request -j DROP

    or better
    # ok icmp codes
    -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type echo-request -j DROP

  3. #3
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    reject vs drop

    Quote Originally Posted by Soul-Sing View Post
    or change the "ACCEPT" to "DROP"
    It's often better to use REJECT instead of DROP, especially if you are going to be using the service yourself.

    http://www.chiark.greenend.org.uk/~p...drop-vs-reject
    http://www.chrisbrenton.org/2009/07/...ll-drop-rules/

  4. #4
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Disabling ping in Gufw

    Neither DROPPING nor REJECTING a ping increases security because they can tell you are at the IP address.

    There are a number of tools that will show you how this is done, but it is a bit beyond what we normally discuss here on the forums.

    See nmap - http://nmap.org/

    What I do is rate limit ping.

    http://agix.com.au/blog/?p=2088

    http://newartisans.com/2007/09/neat-...with-iptables/

    Bottom line, IMO ...

    The default settings with ufw/gufw are fairly tight and written by people who know security. If you want to change them, best do your homework first.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface
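
Added example, not part of any post in this thread: one way to apply the rate limiting mentioned in post #4 to the echo-request rule from post #2, leaving the ICMP error types accepted. The function name and the limit and burst values are assumptions; the iptables `limit` match options are standard.

```sh
#!/bin/sh
# Added example: rate limit ping in a copy of ufw's before.rules.
# LIMIT and BURST are assumed values, not taken from the thread.
LIMIT="1/second"
BURST="5"

# Reads rules on stdin, writes the rewritten rules on stdout.
# Only the ufw-before-input echo-request rule changes; the ICMP error
# types (destination-unreachable, time-exceeded, ...) pass through as-is.
rate_limit_ping() {
    awk -v limit="$LIMIT" -v burst="$BURST" '
        BEGIN { base = "-A ufw-before-input -p icmp --icmp-type echo-request" }
        # Already rate limited: remember that, so a second run changes nothing.
        index($0, base " -m limit ") == 1 { seen = 1; print; next }
        # First plain echo-request verdict: accept up to the limit, drop the rest.
        index($0, base " -j ") == 1 && !seen {
            print base " -m limit --limit " limit " --limit-burst " burst " -j ACCEPT"
            print base " -j DROP"
            seen = 1
            next
        }
        { print }
    '
}

# Sample input: the default ICMP block as quoted in post #2.
sample_rules() {
    cat <<'EOF'
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
EOF
}

# Print the rewritten block for review before copying it into place.
sample_rules | rate_limit_ping
```

To apply it, run the function over a copy of /etc/ufw/before.rules, compare the result with `diff`, and reload with `sudo ufw reload` after installing it.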

  5. #5
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: reject vs drop

    Quote Originally Posted by Lars Noodén View Post
    It's often better to use REJECT instead of DROP, especially if you are going to be using the service yourself.

    http://www.chiark.greenend.org.uk/~p...drop-vs-reject
    http://www.chrisbrenton.org/2009/07/...ll-drop-rules/
    I agree, nice link

    Additional iptables links

    http://bodhizazen.net/Tutorials/iptables
    http://fedorasolved.org/Members/kanarip/iptables-howto

  6. #6
    Soul-Sing is offline Chocolate-Covered Ubuntu Beans
    Join Date
    Aug 2006
    Beans
    1,374
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: Disabling ping in Gufw

    The default settings with ufw/gufw are fairly tight and written by people who know security. If you want to change them, best do your homework first
    lol, these suggestions are made by Jamie Strandboge and the devs of gufw.
    # ok icmp codes
    -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type echo-request -j DROP

    : https://answers.launchpad.net/ufw/+question/26585
    etc etc etc

  7. #7
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Disabling ping in Gufw

    Quote Originally Posted by Soul-Sing View Post
    lol, these suggestions are made by Jamie Strandboge and the devs of gufw.
    # ok icmp codes
    -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type echo-request -j DROP

    : https://answers.launchpad.net/ufw/+question/26585
    etc etc etc
    Not sure what you are getting at. You may agree or disagree with the default rules, I personally do not use them.

    BUT ...

    My advice is that you understand what and why you are changing them before you edit the default rules.

    IMO, ufw, and gufw even more so, is for people who do not want to be bothered to learn iptables and they just want to click an "enable" button. It serves this purpose well. When those people come to the security section to ask questions I think the best response is to educate them.

    ufw is a great tool as the syntax is very similar to iptables.

    At the end of the day, IMO, if you want a custom firewall, iptables is the best tool for the job.
    Last edited by bodhi.zazen; January 29th, 2013 at 09:35 PM.

  8. #8
    Join Date
    Jul 2005
    Beans
    435

    Re: Disabling ping in Gufw

    Isn't there any way to do this from the Gufw GUI without editing text files? I thought there was a proposal to include that in more recent versions of Gufw.

  9. #9
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Disabling ping in Gufw

    Quote Originally Posted by jsvidyad View Post
    Isn't there any way to do this from the Gufw GUI without editing text files? I thought there was a proposal to include that in more recent versions of Gufw.
    There would be little to no point because the bad guys can find your computer just as easily without ping as with it. Adding the ability to throttle the rate of pings might be useful but maybe not. What problem are you trying to solve?

  10. #10
    Soul-Sing is offline Chocolate-Covered Ubuntu Beans
    Join Date
    Aug 2006
    Beans
    1,374
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: Disabling ping in Gufw

    Quote Originally Posted by Lars Noodén View Post
    There would be little to no point because the bad guys can find your computer just as easily without ping as with it. Adding the ability to throttle the rate of pings might be useful but maybe not. What problem are you trying to solve?
    Shields-up test prob. with the FAILED test result.
