Block Ping request

Hello,

I need nobody to be able to ping my router. How is that possible?

Regards,
Nishadul

Drop it in firewall.

How do I write the firewall rule? I have written one, but it does not work from outside to my router IP.
The rule is: add chain=forward, protocol=icmp, action = drop

use chain=input, not chain=forward.

forward chain = THROUGH the router
input chain = TO the router

..

And blocking pings does not help security anymore… or at least being “invisible” is no help.

You should never drop all ICMP or you will silently break things like PMTU discovery. Be more specific with which ICMP types you drop.

Block ICMP packets and allow the router to show as a hop on traceroutes:

/ip firewall filter add action=drop chain=forward disabled=yes icmp-options=8:0 protocol=icmp

Doesn’t Work!

Of course,

disabled=yes

is a very effective way to make non-working firewall rules :slight_smile:

I did see that, LOL, but it is still not working!

The order of rules matters, so a perfect rule on a wrong position in the chain cannot work because a matching packet never reaches it as it is always dropped or accepted by one of the earlier rules in that chain. Also a perfect rule in a wrong chain doesn’t do what you expect.
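The failure modes discussed so far (wrong chain, disabled=yes, rule order) and the PMTU caveat, as an added example that is not part of any post in this thread: a simplified Python model of first-match filter evaluation, not RouterOS code. The rule sets marked constructed, the interface label WAN and the names Rule, Packet and verdict are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:
    chain: str                       # "input" = TO the router, "forward" = THROUGH it
    action: str                      # "accept" or "drop"; both end evaluation
    icmp: Optional[Tuple[int, int, int]] = None   # (type, code_lo, code_hi); None = any ICMP
    in_if: Optional[str] = None      # None = any ingress interface
    disabled: bool = False

@dataclass
class Packet:                        # ICMP only; connection tracking is not modelled
    to_router: bool
    in_if: str
    icmp_type: int
    icmp_code: int = 0

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.in_if is not None and rule.in_if != pkt.in_if:
        return False
    if rule.icmp is not None:
        t, lo, hi = rule.icmp
        return pkt.icmp_type == t and lo <= pkt.icmp_code <= hi
    return True

def verdict(rules, pkt: Packet) -> str:
    """The first enabled, matching rule in the packet's chain decides; no match = accept."""
    chain = "input" if pkt.to_router else "forward"
    for rule in rules:
        if not rule.disabled and rule.chain == chain and matches(rule, pkt):
            return rule.action
    return "accept"

# Constructed packets arriving on the WAN side, addressed to the router itself.
PING = Packet(to_router=True, in_if="WAN", icmp_type=8)                      # echo request
FRAG_NEEDED = Packet(to_router=True, in_if="WAN", icmp_type=3, icmp_code=4)  # used by PMTU discovery

WRONG_CHAIN = [Rule("forward", "drop")]                              # first rule posted in the thread
DISABLED = [Rule("forward", "drop", icmp=(8, 0, 0), disabled=True)]  # the disabled=yes rule
SHADOWED = [Rule("input", "accept"),                                 # constructed: earlier accept wins
            Rule("input", "drop", icmp=(8, 0, 255), in_if="WAN")]
BLANKET = [Rule("input", "drop", in_if="WAN")]                       # constructed: drops every ICMP type
SELECTIVE = [Rule("input", "accept", icmp=(3, 4, 4)),                # constructed: keep the PMTU signal,
             Rule("input", "drop", icmp=(8, 0, 255), in_if="WAN")]   # drop only echo requests

if __name__ == "__main__":
    for name, rules in [("wrong chain", WRONG_CHAIN), ("disabled", DISABLED),
                        ("shadowed", SHADOWED), ("blanket", BLANKET), ("selective", SELECTIVE)]:
        print(f"{name:12} ping={verdict(rules, PING):6} frag-needed={verdict(rules, FRAG_NEEDED)}")
```

Only the selective set drops the echo request while still accepting the fragmentation-needed message; the blanket set drops both.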

It works with:
/ip firewall filter add action=drop chain=input icmp-options=8:0-255 in-interface-list=WAN protocol=icmp

Make sure that it is at the top of the list

/ip firewall filter add action=drop chain=input dst-address=x.x.x.x protocol=icmp src-address=x.x.x.x/x

Replace the x's with your network IP and range.

How does that rule block icmp but allow icmp for certain purposes??
A. What ICMP traffic is necessary
B. What ICMP traffic needs to be blocked because presumably its insecure (assumption to be dispelled or supported).

I did it this way. In the example, incoming pings to the WAN interface of the MikroTik are blocked, with the advantage that pings can still be performed from the MikroTik terminal to outside and inside the network.

/ip firewall filter add chain=input protocol=icmp in-interface=YOUR-INTERFACE icmp-options=8:0-255 action=drop

I do use this, never had any problem with it.

/ip firewall filter add action=drop chain=input comment="Drop ICMP on outside IF" in-interface=ether1 log=yes log-prefix=FI_D_ICMP-outside protocol=icmp

It does not need to be on top of the rules as long as it's not blocked by any other rule above.

The block rule has to be in the input chain, since you want to block ping to the router. But if you have a NAT rule that allows ping to an internal host and you would like to block some IPs from pinging the internal host, you need to use the forward chain, but I do not see why you should allow ping to an internal host.

Blocked pings on my router in the last 12 hours.

Top countries pinging me in the last 7 days

Country	count	percent
United States	319	29.373849
Morocco	210	19.337017
India	74	6.813996
Pakistan	72	6.629834
Philippines	53	4.880295
Australia	53	4.880295
China	46	4.235727
United Kingdom	26	2.394107
Russia	20	1.841621
Belgium	19	1.749540

Which proves that the USA is a cyber-crime-infested country; possibly many of those criminals are state-sponsored or outright state agency employees.

Ummm … wait, isn’t western world saying that about Russia and China? Now I’m confused.

You don’t seriously relate the source IP address of an attack with the person behind that attack, do you? I’m afraid that there are simply most public IPv4 addresses per country in the U.S., so if we assume that the share of vulnerable systems is equal everywhere, the most zombies following someone else’s command must be in the U.S. as well.

Leaving aside that many ISPs worldwide let you spoof any source IP address you want. Hence wherever the attacker is not interested in the response, or where the response itself is the attack bullet (DNS response DDoS), you cannot base any conclusions on the source address.

And I sincerely hope that the intelligence agencies worldwide know this and use other criteria when identifying the attacks. What politicians make out of their reports is another can of worms of course.

@sindy, if your post is a reply to mine … I guess I should have put the whole post inside a [sarcasm] [/sarcasm] block. I’m fully aware of the facts you’re describing (but your post is still welcome to remind us all of those facts).

Just for the fun of it, here are the blocked pings for 1 year!!

Country			count	percent
United States		13456	16.513874
China			8960	10.996159
United Kingdom		8193	10.054858
India			7742	9.501368
Germany			4100	5.031724
Philippines		2754	3.379846
Brazil			2383	2.924536
Russia			2189	2.686450
Norway			2005	2.460636
Pakistan		1905	2.337911
OTHER			27796	34.112637

So I will blame the US for being the worst country :wink:

If you look at everyone who has tried any non-open port (being blocked by this), US IPs account for nearly 20% of the blocked IPs.

Actually the worst country is OTHER. Just can’t find it on the Globe. :wink:

Oh, I forgot to include the [sarcasm] [/sarcasm] block … again.