icmp in mikrotik

moeinfrozen · July 8, 2022, 5:47pm

hi i want drop icmp input from every place
but accept icmp output to every address

this is my firewall role but not work

/ip firewall filter
add action=accept chain=input protocol=icmp src-address=
176.18.80.82-246.255.123.86
add action=accept chain=output dst-address=176.18.80.82-246.255.123.86
protocol=icmp
add action=accept chain=output protocol=icmp
add action=drop chain=input protocol=icmp

please help me .
thanks

anav · July 8, 2022, 6:48pm

Why do you want to drop icmp?? Makes no sense.

rextended · July 8, 2022, 7:58pm

make also nonsense still be able to ping outside but… do not accept the reply…

this 176.18.80.82-246.255.123.86 mean every single IP from 176.18.80.82 to 246.255.123.86. (246??? hmm…)
if you want allow only two or more IP, better use address list
(or at least use the comma 176.18.80.82,246.255.123.86)

sindy · July 9, 2022, 10:54am

Dropping all ICMP blindly is a bad idea - ICMP is not just ping, it also serves other roles. In your case in particular, where you don’t use a stateful firewall, your chain=input protocol=icmp action=drop rule drops also responses to ping requests you’ve sent yourself.

So I’d recommend to learn first what a stateful firewall means and how it works, and how to filter ICMP echo packets selectively next. Look up how to use icmp-options.

technick · July 9, 2022, 5:02pm

There are some good ICMP guidelines on MikroTik’s docs (Building Advanced Firewall):
https://help.mikrotik.com/docs/display/ROS/Building+Advanced+Firewall

It also explains how the rules work, as well as some advanced ICMP rules.

anav · July 10, 2022, 11:04am

Most of those rules should be avoided by the new user and the homeowner.
Just allow ICMP as per the default rule and get on with life, there will be no downside.

moeinfrozen · July 21, 2022, 6:22pm

It is possible that some users do unauthorized things on the server and I am afraid that the data center will raise this issue knowing that the server is online.

moeinfrozen · July 21, 2022, 6:23pm

What should I do for the security of the Mikrotik server so that there is no problem?

moeinfrozen · July 21, 2022, 6:27pm

Can you please tell me about the things that you usually suggest to be blocked on the server and the things that users should not do on the server?
The server is dedicated to online games, including computers and game consoles
Thankful

Zacharias · July 21, 2022, 6:55pm

I will agree with @sindy.
Dropping all ICMP packets is really bad…
But dropping selectively though, there are occasions that it is a good practice..

johnson73 · July 22, 2022, 6:51am

I can say from experience that if I allow all incoming ICMP, icmp flood happens quite regularly to my IP. I started using the following method.. That could be right? Drop only incoming icmp Wan traffic, but allow all LAN icmp. For now, this option seems to help. Maybe have any other suggestions?
Thank you!

add action=drop chain=input comment="Drop Wan ICMP" icmp-options=8:0 in-interface-list=WAN protocol=icmp \
    src-address-list=!Local-LAN

anav · July 22, 2022, 12:17pm

That is strange Johnson, why you and not me for example. Do you host any servers?
Perhaps its very ISP dependent?
I know for example Bell one of my ISPs blocks ICMP automatically on the modem/router they provide, but not on the internet connection, itself.

johnson73 · July 22, 2022, 1:08pm

No, I don’t host servers. Recently, there have been a lot of icmp, udp floods coming directly from Russian IP addresses. It’s not a nice situation, but when I enable icmp-All, my Internet connection really slows down because the channel is overloaded at the time of attacks. It’s not all the time, but mostly in the evenings.
It all started from the moment I used the P2P program. Maybe the botnets have captured my static IP and are now trying to hack it

anav · July 22, 2022, 4:39pm

Hopefully others will chime in with some suggestions…

rextended · July 22, 2022, 4:48pm

What makes your “server” attractive is not the fact that it responds to ping or not (which anyway even without a firewall is limited to 100 in the kernel),
but the fact that it hosts a server.
What other server ports respond, what game is it, is it a private server that only those who know the IP use it or is it open to the public?

Obviously, if it is open, anything can happen, ping or not …

Seriously consider using cloudflare’s services for protection against these kinds of problems.

Often the attackers are then the users frustrated by the fact that they are not good at a ----,
that they have been kicked out, or because the server is full, or maybe they are competitors…

johnson73 · July 22, 2022, 5:06pm

the situation was quite simple. This is home Lan-s. No servers, no hosting. I rarely use a P2P (torrent client) to download information that interests me. Everything. Then the problems started. Some time ago, I had a dynamic IP from the provider, and then there were no problems, because the IP changed all the time, but now I have a Static IP, which is probably fixed in some bot network.
That’s why I had a question - is the icmp blocking method as I described above normal? I don’t know, but it seems to me that this method helps, because I have not noticed the overload of the Internet channel anymore.

anav · July 22, 2022, 5:10pm

Technically I believe running PTP is akin to running a server?

rextended · July 22, 2022, 5:24pm

Yes, running p2p is like running dozen of servers…

holvoetn · July 22, 2022, 5:49pm

And favorite playground for hackers.
So little doubt where they got your ip…

anav · July 22, 2022, 6:17pm

Assuming thats why people I know only p2p over vpn connections…