Hello,
How do I disable replying to ping requests in Gufw? I am asking with reference to Ubuntu 12.04.
You need to edit /etc/ufw/before.rules and remove the following lines:
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
or change the "ACCEPT" to "DROP"
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
or better
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
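The "or better" variant above, applied by script instead of by hand, as an added example that is not part of the original posts: it changes only the echo-request rule to DROP and leaves the four ICMP error types on ACCEPT. The function names and the sample rules file are constructed for illustration; the functions take the rules file path as their argument.

```shell
#!/bin/sh
# Print "<icmp-type> <target>" for each ufw-before-input ICMP rule in file $1.
icmp_policy() {
    awk '$1 == "-A" && $2 == "ufw-before-input" {
        kind = ""; target = ""; icmp = 0
        for (i = 3; i < NF; i++) {
            if ($i == "-p" && $(i + 1) == "icmp") icmp = 1
            if ($i == "--icmp-type") kind = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        if (icmp && kind != "") print kind, target
    }' "$1"
}

# Switch only the echo-request rule in file $1 from ACCEPT to DROP.
# Keeps the first backup as $1.bak, ignores commented-out rules, and is
# safe to run twice. Writing through the existing file keeps its mode/owner.
drop_echo_request() {
    rules=$1
    [ -e "$rules.bak" ] || cp -p "$rules" "$rules.bak" || return 1
    new=$(mktemp) || return 1
    awk '$1 == "-A" && $2 == "ufw-before-input" && /--icmp-type echo-request/ {
        sub(/-j ACCEPT[ \t]*$/, "-j DROP")
    } { print }' "$rules" > "$new" && cat "$new" > "$rules"
    status=$?
    rm -f "$new"
    return $status
}

# Constructed sample mirroring the stock "ok icmp codes" block quoted above.
demo_rules() {
    cat <<'EOF'
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
EOF
}

# Demo on a temporary copy: prints the resulting policy, one rule per line.
tmp=$(mktemp) && demo_rules > "$tmp" && drop_echo_request "$tmp" && icmp_policy "$tmp"
rm -f "$tmp" "$tmp.bak"
```

After running it against the real /etc/ufw/before.rules (as root), ufw has to be reloaded with `sudo ufw reload` before the change takes effect.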
It's often better to use REJECT instead of DROP, especially if you are going to be using the service yourself.
http://www.chiark.greenend.org.uk/~p...drop-vs-reject
http://www.chrisbrenton.org/2009/07/...ll-drop-rules/
Neither DROPping nor REJECTing a ping increases security, because they can tell you are at the IP address.
There are a number of tools that will show you how this is done, but it is a bit beyond what we normally discuss here on the forums.
See nmap - http://nmap.org/
What I do is rate limit ping.
http://agix.com.au/blog/?p=2088
http://newartisans.com/2007/09/neat-...with-iptables/
Bottom line, IMO ...
The default settings with ufw/gufw are fairly tight and written by people who know security. If you want to change them, best do your homework first.
There are two mistakes one can make along the road to truth...not going all the way, and not starting.
--Prince Gautama Siddharta
#ubuntuforums web interface
I agree, nice link
Additional iptables links
http://bodhizazen.net/Tutorials/iptables
http://fedorasolved.org/Members/kanarip/iptables-howto
lol, these suggestions are made by Jamie Strandboge and the devs of gufw. The default settings with ufw/gufw are fairly tight and written by people who know security. If you want to change them, best do your homework first
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
: https://answers.launchpad.net/ufw/+question/26585
etc etc etc
Not sure what you are getting at. You may agree or disagree with the default rules, I personally do not use them.
BUT ...
My advice is that you understand what and why you are changing them before you edit the default rules.
IMO, ufw, and gufw even more so, is for people who do not want to be bothered to learn iptables and they just want to click an "enable" button. It serves this purpose well. When those people come to the security section to ask questions I think the best response is to educate them.
ufw is a great tool as the syntax is very similar to iptables.
At the end of the day, IMO, if you want a custom firewall, iptables is the best tool for the job.
Last edited by bodhi.zazen; January 29th, 2013 at 09:35 PM.
Isn't there any way to do this from the Gufw GUI without editing text files? I thought there was a proposal to include that in more recent versions of Gufw.