Ping ICMP Echo Reply Rule

Just now, Marcos said:

Do you mean blocking it in the trusted zone or from outside the trusted zone?

From outside the trusted zone.

Below is a screen shot of Eset default firewall rule for inbound IPv4 ICMP including echo reply:

[Screenshot: Eset_ICMP_Echo_Reply.png]

Assuming you want to block inbound IPv4 ICMP echo reply, you need to create a similar rule specifying only an ICMP Type/code of "0" less the quote marks. Set the Name field to "Block incoming ICMP echo reply communication." Set the Action field to Block. Set the Protocol field to ICMP. Set Logging severity to "Warning" if you want the event to be logged. Checkmark the "Notify user" field if you want to be alerted to block activity occurring. Click on the OK button to create your rule.

Your rule will now be positioned at the bottom of all prior existing rules. You must now position the rule, using the arrow keys provided, to immediately precede the existing default incoming ICMP rule. Click on the OK tab and any subsequent one shown to save your changes. Finally, reenter the Firewall rules editor and validate that your rule is positioned correctly.

Note: Eset processes firewall rules in top-to-bottom order. Your created "block inbound ICMP echo reply" rule will always be executed prior to the existing allow one.

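The post above rests on one mechanism: the firewall walks its rule list top to bottom and the first matching rule decides, so a block rule for ICMP type 0 only takes effect if it sits above the default allow rule. The following is an added example written for this thread (it is not ESET code and does not model ESET's real rule format): a minimal first-match evaluator over an ordered rule list, fed by a parser for the 4-byte ICMP header, so the effect of placing the block rule before versus after the allow rule can be checked directly. The rule names and the sample packet bytes are constructed; the default allow rule is simplified to "any inbound ICMP type".

```python
"""Added example: first-match evaluation of an ordered ICMP firewall rule list.

Illustrative code for this thread only, not ESET's firewall engine. It models
the two points the thread makes: rules are evaluated top to bottom with the
first match winning, and an echo reply is ICMP type 0 (echo request is type 8).
"""
import struct
from dataclasses import dataclass, field

ICMP_ECHO_REPLY = 0    # ICMP type 0: echo reply
ICMP_ECHO_REQUEST = 8  # ICMP type 8: echo request


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Build a wire-format ICMP message (constructed test data, not captured)."""
    zeroed = struct.pack("!BBH", icmp_type, code, 0) + payload
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(zeroed)) + payload


@dataclass(frozen=True)
class IcmpPacket:
    icmp_type: int
    code: int
    direction: str  # "in" (arriving from the network) or "out"


def parse_icmp_header(raw: bytes, direction: str) -> IcmpPacket:
    """Parse the fixed ICMP header: type (1 byte), code (1 byte), checksum (2)."""
    if len(raw) < 4:
        raise ValueError("ICMP header is at least 4 bytes")
    if icmp_checksum(raw) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _checksum = struct.unpack("!BBH", raw[:4])
    return IcmpPacket(icmp_type, code, direction)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "block"
    direction: str   # "in" or "out"
    # ICMP types the rule matches; empty set = any type (simplification)
    types: frozenset = field(default_factory=frozenset)

    def matches(self, pkt: IcmpPacket) -> bool:
        return pkt.direction == self.direction and (
            not self.types or pkt.icmp_type in self.types
        )


def evaluate(rules, pkt: IcmpPacket, default: str = "block"):
    """Top-to-bottom, first match wins; returns (action, name of deciding rule)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "<default policy>"


# Rule names are placeholders modelled on the thread, not ESET's actual names.
ALLOW_DEFAULT = Rule("Allow incoming ICMP IPv4 communication", "allow", "in")
BLOCK_ECHO_REPLY = Rule(
    "Block incoming ICMP echo reply communication",
    "block", "in", frozenset({ICMP_ECHO_REPLY}),
)
BLOCK_RULE_FIRST = [BLOCK_ECHO_REPLY, ALLOW_DEFAULT]  # placement the post asks for
BLOCK_RULE_LAST = [ALLOW_DEFAULT, BLOCK_ECHO_REPLY]   # where a new rule lands by default


if __name__ == "__main__":
    reply = parse_icmp_header(build_icmp(ICMP_ECHO_REPLY, 0, b"\x12\x34\x00\x01"), "in")
    request = parse_icmp_header(build_icmp(ICMP_ECHO_REQUEST, 0, b"\x12\x34\x00\x01"), "in")
    for label, rules in (("block first", BLOCK_RULE_FIRST), ("block last", BLOCK_RULE_LAST)):
        print(label, "echo reply  ->", evaluate(rules, reply))
        print(label, "echo request ->", evaluate(rules, request))
```

Running it shows the point of the post's "position the rule" step: with the block rule above the allow rule, an inbound echo reply (type 0) is blocked while an inbound echo request (type 8) still reaches the allow rule; with the block rule left at the bottom, the allow rule matches first and the block rule never fires.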
2 hours ago, itman said:

Below is a screen shot of Eset default firewall rule for inbound IPv4 ICMP including echo reply:

[Screenshot: Eset_ICMP_Echo_Reply.png]

Assuming you want to block inbound IPv4 ICMP echo reply, you need to create a similar rule specifying only an ICMP Type/code of "0" less the quote marks. Set the Name field to "Block incoming ICMP echo reply communication." Set the Action field to Block. Set the Protocol field to ICMP. Set Logging severity to "Warning" if you want the event to be logged. Checkmark the "Notify user" field if you want to be alerted to block activity occurring. Click on the OK button to create your rule.

Your rule will now be positioned at the bottom of all prior existing rules. You must now position the rule, using the arrow keys provided, to immediately precede the existing default incoming ICMP rule. Click on the OK tab and any subsequent one shown to save your changes. Finally, reenter the Firewall rules editor and validate that your rule is positioned correctly.

Note: Eset processes firewall rules in top-to-bottom order. Your created "block inbound ICMP echo reply" rule will always be executed prior to the existing allow one.

Thank you for your help.

8 hours ago, Marcos said:

By default echo to ping from outside trusted zones should be blocked. Please check if you have trusted zones configured properly.

Personally, I was never concerned about unsolicited incoming echo reply requests, since my router's firewall blocks them by default.

As far as Eset goes, I have it set to defaults in regards to Known Networks; i.e. use Windows Settings. The Win firewall is set to Public profile.

Also, for the record, the Eset default inbound firewall rule for ICMP IPv4 does not specify Trusted Networks in its Remote setting field. This would be the proper setting for the other ICMP protocol settings other than Echo Reply. Bottom line - you have a bug in that default ICMP rule. -EDIT- Actually, it doesn't matter if external incoming echo reply requests are allowed, since Eset will only allow corresponding outgoing echo response requests from the Trusted Network. The only concern would be an ICMP flood attack, which Eset's IDS will detect and alert on.

Edited by itman
OK, it seems that everything is alright. I have set it up using the default Windows settings for known networks and, as you said, ESET's IDS will detect and alert on an ICMP flood attack, so all the basics are covered. I will delete that new rule I added because it's not really needed.

Thank you guys for the help.
