
Hello,

Can you please help me to create the rule to block reply to ping ICMP Echo on firewall.

Thanks in advance.



Do you mean ping from the trusted zone or from outside the trusted zone?

Just now, Marcos said:

Do you mean blocking it in the trusted zone or from outside the trusted zone?

From outside the trusted zone.


Below is a screen shot of Eset default firewall rule for inbound IPv4 ICMP including echo reply:

[Screenshot: Eset_ICMP_Echo_Reply.png]

Assuming you want to block inbound IPv4 ICMP echo reply, you need to create a similar rule specifying only an ICMP Type/code of "0" less the quote marks. Set the Name field to "Block incoming ICMP echo reply communication." Set the Action field to Block. Set the Protocol field to ICMP. Set Logging severity to "Warning" if you want the event to be logged. Checkmark the "Notify user" field if you want to be alerted to block activity occurring. Click on the OK button to create your rule.

Your rule will now be positioned at the bottom of all prior existing rules. You now must position the rule, using the arrow keys provided, to immediately precede the existing default incoming ICMP rule. Click on the OK tab and any subsequent one shown to save your changes. Finally, reenter the Firewall rules editor and validate that your rule is positioned correctly.

Note: Eset processes firewall rules in top-to-bottom order. Your created block inbound ICMP echo reply rule will always be executed prior to the existing allow one.    
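The ordering point in the post above is easy to get wrong, so here is an added example (not from this thread and not ESET's code) of a minimal first-match rule evaluator. It parses the type and code out of a constructed ICMP header, walks a rule list top to bottom exactly as described, and shows that the same "block echo reply" rule blocks the packet when placed before the default inbound ICMP allow rule and is never reached when left at the bottom. The Rule record, the evaluate() function and the "Warning" log line are assumptions made for illustration; only the field names mirror the post.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ICMP type values from RFC 792 (the "0" in the post is the echo reply type).
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


@dataclass
class Rule:
    """Hypothetical rule record; field names mirror the post's GUI fields."""
    name: str
    action: str                      # "allow" or "block"
    direction: str                   # "in" or "out"
    protocol: str                    # "icmp", "tcp", "udp", ...
    icmp_type: Optional[int] = None  # None matches any ICMP type
    icmp_code: Optional[int] = None  # None matches any ICMP code
    severity: Optional[str] = None   # e.g. "Warning"; None = no log entry


def parse_icmp_header(payload: bytes) -> Tuple[int, int]:
    """Return (type, code) from an ICMP header; the checksum is not validated."""
    if len(payload) < 4:
        raise ValueError("ICMP header too short")
    icmp_type, icmp_code = struct.unpack("!BB", payload[:2])
    return icmp_type, icmp_code


def evaluate(rules: List[Rule], direction: str, protocol: str,
             payload: bytes = b"", default: str = "block") -> Tuple[str, str, List[str]]:
    """Scan rules top to bottom; the first rule whose fields all match decides.

    Returns (action, name of the matching rule, log lines produced)."""
    icmp_type = icmp_code = None
    if protocol == "icmp":
        icmp_type, icmp_code = parse_icmp_header(payload)
    log: List[str] = []
    for rule in rules:
        if rule.direction != direction or rule.protocol != protocol:
            continue
        if rule.icmp_type is not None and rule.icmp_type != icmp_type:
            continue
        if rule.icmp_code is not None and rule.icmp_code != icmp_code:
            continue
        if rule.severity is not None:
            log.append(f"{rule.severity}: rule '{rule.name}' -> {rule.action} "
                       f"{direction} {protocol} type={icmp_type} code={icmp_code}")
        return rule.action, rule.name, log
    return default, "<implicit default>", log


# Constructed sample packets: an 8-byte ICMP echo header (type, code, checksum,
# identifier, sequence number). The checksum field is left as zero.
ECHO_REPLY_PKT = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, 0x1234, 1)
ECHO_REQUEST_PKT = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1234, 1)

# A default inbound ICMP rule (any type) and the block rule from the post.
DEFAULT_ALLOW_ICMP = Rule("Allow incoming ICMP communication", "allow", "in", "icmp")
BLOCK_ECHO_REPLY = Rule("Block incoming ICMP echo reply communication", "block",
                        "in", "icmp", icmp_type=ICMP_ECHO_REPLY, icmp_code=0,
                        severity="Warning")


def ruleset_block_first() -> List[Rule]:
    """Block rule positioned immediately before the default allow rule."""
    return [BLOCK_ECHO_REPLY, DEFAULT_ALLOW_ICMP]


def ruleset_block_last() -> List[Rule]:
    """Block rule left at the bottom, where a newly created rule lands."""
    return [DEFAULT_ALLOW_ICMP, BLOCK_ECHO_REPLY]


if __name__ == "__main__":
    for label, rules in (("block rule above allow", ruleset_block_first()),
                         ("block rule below allow", ruleset_block_last())):
        for pkt_name, pkt in (("echo reply", ECHO_REPLY_PKT),
                              ("echo request", ECHO_REQUEST_PKT)):
            action, name, log = evaluate(rules, "in", "icmp", pkt)
            print(f"{label:24s} {pkt_name:13s} -> {action:5s} by '{name}'")
            for line in log:
                print("   ", line)
```

Run it and the echo reply is blocked (with a Warning log line) only in the first ruleset; in the second the broader allow rule matches first and the block rule is dead. Echo requests (type 8) are untouched by the block rule in both orders, which is the validation step worth repeating in the real rules editor after moving the rule.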

2 hours ago, itman said:

Below is a screen shot of Eset default firewall rule for inbound IPv4 ICMP including echo reply:

[Screenshot: Eset_ICMP_Echo_Reply.png]

Assuming you want to block inbound IPv4 ICMP echo reply, you need to create a similar rule specifying only an ICMP Type/code of "0" less the quote marks. Set the Name field to "Block incoming ICMP echo reply communication." Set the Action field to Block. Set the Protocol field to ICMP. Set Logging severity to "Warning" if you want the event to be logged. Checkmark the "Notify user" field if you want to be alerted to block activity occurring. Click on the OK button to create your rule.

Your rule will now be positioned at the bottom of all prior existing rules. You now must position the rule, using the arrow keys provided, to immediately precede the existing default incoming ICMP rule. Click on the OK tab and any subsequent one shown to save your changes. Finally, reenter the Firewall rules editor and validate that your rule is positioned correctly.

Note: Eset processes firewall rules in top-to-bottom order. Your created block inbound ICMP echo reply rule will always be executed prior to the existing allow one.

Thank you for your help. 


By default echo to ping from outside trusted zones should be blocked. Please check if you have trusted zones configured properly.

8 hours ago, Marcos said:

By default echo to ping from outside trusted zones should be blocked. Please check if you have trusted zones configured properly.

Personally, I never was concerned about unsolicited incoming echo reply request since my router's firewall blocks them by default.

As far as Eset goes, I have it set to defaults in regards to Known Networks; i.e. use Windows Settings. The Win firewall is set to Public profile.

Also for the record, the Eset default inbound firewall rule for ICMP IPv4 does not specify Trusted Networks in its Remote setting field. This would be the proper setting for the other ICMP protocol settings other than Echo Reply. Bottom line - you have a bug in that default ICMP rule. -EDIT- Actually, it doesn't matter if external incoming echo reply requests are allowed since Eset will only allow corresponding outgoing echo response requests from the Trusted Network. The only concern would be an ICMP flood attack, which Eset's IDS will detect and alert on.

Edited by itman


OK, it seems that everything is alright. I have set it up using the default Windows settings for known networks and, as you said, ESET's IDS will detect and alert about ICMP flood attacks, so all the basics are covered. I will delete that new rule I added because it's not really needed.

Thank you guys for the help. 

