trottolino1970
Member Candidate
Topic Author
Posts: 192
Joined: Thu May 17, 2007 4:25 pm
Contact:

It's good to block ping........

Tue Jun 17, 2008 1:43 pm

Is it good to block ping from the internet to my customers?
 
balimore
Forum Veteran
Posts: 892
Joined: Mon Apr 10, 2006 3:38 am

Re: It's good to block ping........

Tue Jun 17, 2008 1:54 pm

-----
Hi friend,

No, and it is better when that traffic will put different traffic on the networks.
I love investigating with the simple ping command. :wink:

regards
Hasbullah.com
------
 
trottolino1970
Member Candidate
Topic Author
Posts: 192
Joined: Thu May 17, 2007 4:25 pm
Contact:

Re: It's good to block ping........

Tue Jun 17, 2008 1:58 pm

-----
Hi friend,

No, and it is better when that traffic will put different traffic on the networks.
I love investigating with the simple ping command. :wink:

regards
Hasbullah.com
------
Yes, OK, but if I block ping, isn't that added security for my customers to prevent attacks?
 
hilton
Long time Member
Posts: 635
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: It's good to block ping........

Tue Jun 17, 2008 4:41 pm

You should only block certain (type/code) ICMP packets, not unilaterally.

So accept 0:0 and 8:0 (both Ping) and 11:0 and 3:3 (both traceroute) and 3:4 (Path MTU Discovery) and then drop the rest.
Regards
Hilton
 
trottolino1970
Member Candidate
Topic Author
Posts: 192
Joined: Thu May 17, 2007 4:25 pm
Contact:

Re: It's good to block ping........

Tue Jun 17, 2008 4:45 pm

You should only block certain (type/code) ICMP packets, not unilaterally.

So accept 0:0 and 8:0 (both Ping) and 11:0 and 3:3 (both traceroute) and 3:4 (Path MTU Discovery) and then drop the rest.
Can you help me write a good rule?
 
hilton
Long time Member
Posts: 635
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: It's good to block ping........

Tue Jun 17, 2008 5:01 pm

This should be done in a jump rule, but here goes nevertheless:

/ip firewall filter add chain=forward protocol=icmp icmp-options=0:0 action=accept comment="Allow Ping"
/ip firewall filter add chain=forward protocol=icmp icmp-options=8:0 action=accept comment="Allow Ping"
/ip firewall filter add chain=forward protocol=icmp icmp-options=11:0 action=accept comment="Allow Traceroute"
/ip firewall filter add chain=forward protocol=icmp icmp-options=3:3 action=accept comment="Allow Traceroute"
/ip firewall filter add chain=forward protocol=icmp icmp-options=3:4 action=accept comment="Allow Path MTU Discovery"
/ip firewall filter add chain=forward protocol=icmp action=drop comment="Drop all other ICMP"

This will allow your users/customers to use these utilities but you'll probably want to do something similar with the input chain, although this depends on whether you ping and tracert from the router itself.

Perhaps a rate limiting ping like this;
/ip firewall filter add chain=input action=accept protocol=icmp limit=50/5s,2

Hope this helps.
Last edited by hilton on Tue Jun 17, 2008 5:05 pm, edited 1 time in total.
Regards
Hilton
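The rule set above, reworked the way the post itself recommends: the ICMP allow-list lives in one dedicated chain and both the forward chain (customer traffic) and the input chain (the router itself) jump to it, with the rate limit applied to echo requests aimed at the router before the shared policy runs. This is an added example, not code from the original post; the chain name icmp-policy, the log prefixes, and the limit value 50/5s,2 are assumptions, and the limit is written in the RouterOS v6 form (rate/time,burst:packet) rather than the older form used in the thread.

```routeros
# Added example (not from the original post). Assumed names: chain icmp-policy,
# log prefix icmp-drop, rate limit 50 echo requests per 5 s with a burst of 2.
/ip firewall filter

# --- shared ICMP policy chain -------------------------------------------------
# Echo reply and echo request: ping in both directions.
add chain=icmp-policy protocol=icmp icmp-options=0:0 action=accept comment="Allow echo reply (ping)"
add chain=icmp-policy protocol=icmp icmp-options=8:0 action=accept comment="Allow echo request (ping)"
# Time exceeded (TTL expired in transit): how traceroute discovers each hop.
add chain=icmp-policy protocol=icmp icmp-options=11:0 action=accept comment="Allow TTL exceeded (traceroute)"
# Destination unreachable / port unreachable: the final hop of a UDP traceroute.
add chain=icmp-policy protocol=icmp icmp-options=3:3 action=accept comment="Allow port unreachable (traceroute)"
# Destination unreachable / fragmentation needed: Path MTU Discovery.
# Dropping this silently breaks TCP across any path with a smaller MTU (tunnels, PPPoE).
add chain=icmp-policy protocol=icmp icmp-options=3:4 action=accept comment="Allow fragmentation needed (PMTUD)"
# Anything else (redirects, timestamp, address mask, ...) is dropped and logged
# so the "does the last rule ever match?" question from the thread can be answered from the log.
add chain=icmp-policy protocol=icmp action=drop log=yes log-prefix="icmp-drop" comment="Drop all other ICMP"

# --- forward chain: traffic to/from customers ---------------------------------
add chain=forward protocol=icmp action=jump jump-target=icmp-policy comment="ICMP policy for customer traffic"

# --- input chain: traffic to the router itself --------------------------------
# Rate-limit echo requests first, drop the excess, then apply the same policy to the rest.
add chain=input protocol=icmp icmp-options=8:0 limit=50/5s,2:packet action=accept comment="Rate-limited ping to router"
add chain=input protocol=icmp icmp-options=8:0 action=drop log=yes log-prefix="icmp-flood" comment="Drop excess ping to router"
add chain=input protocol=icmp action=jump jump-target=icmp-policy comment="ICMP policy for the router"
```

Two things to check before relying on this: RouterOS evaluates rules in order within a chain, and `add` appends, so if an `accept connection-state=established,related` rule already sits earlier in forward or input, most replies (0:0, 3:x, 11:0) are accepted there and only new inbound echo requests ever reach the jump; and counters on the final drop rule stay at zero until something sends a type/code outside the allow-list, which is the behaviour the thread asks about.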
 
trottolino1970
Member Candidate
Topic Author
Posts: 192
Joined: Thu May 17, 2007 4:25 pm
Contact:

Re: It's good to block ping........

Tue Jun 17, 2008 5:03 pm

This should be done in a jump rule, but here goes nevertheless:

/ip firewall filter add chain=forward protocol=icmp icmp-options=0:0 action=accept comment="Allow Ping"
/ip firewall filter add chain=forward protocol=icmp icmp-options=8:0 action=accept comment="Allow Ping"
/ip firewall filter add chain=forward protocol=icmp icmp-options=11:0 action=accept comment="Allow Traceroute"
/ip firewall filter add chain=forward protocol=icmp icmp-options=3:3 action=accept comment="Allow Traceroute"
/ip firewall filter add chain=forward protocol=icmp icmp-options=3:4 action=accept comment="Allow Path MTU Discovery"
/ip firewall filter add chain=forward protocol=icmp action=drop comment="Drop all other ICMP"

Hope this helps.
OK, I'll try it and then explain any eventual problems.
Thank you.
 
trottolino1970
Member Candidate
Topic Author
Posts: 192
Joined: Thu May 17, 2007 4:25 pm
Contact:

Re: It's good to block ping........

Tue Jun 17, 2008 5:31 pm

OK, I wrote it, and all is OK except the last one, which doesn't produce traffic. Is that normal?
 
hilton
Long time Member
Posts: 635
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: It's good to block ping........

Tue Jun 17, 2008 5:33 pm

That will produce traffic when someone tries any of the other ICMP codes.

Try this: disable the two ping rules and try to ping an external address (from a workstation).
Regards
Hilton
 
moazdabsheh
Frequent Visitor
Posts: 54
Joined: Mon Mar 24, 2014 3:10 am
Location: Palestine

Re: It's good to block ping........

Sun Apr 06, 2014 9:54 pm

What about blocking only the trace? Is it possible?
 
francisuk24
newbie
Posts: 28
Joined: Tue Mar 18, 2014 12:10 am
Location: United Kingdom
Contact:

Re: It's good to block ping........

Mon Apr 07, 2014 4:26 am

Is it good to block ping from the internet to my customers?
Depends. If they have gaming, certain games need ping, like Battlefield and CSS etc.
RouterBoard RB750R2, RouterOS Level 4
ISP: Zen Internet via VDSL 2 > 74.68Mb Down / 17.84Mb Up
 
docmarius
Forum Guru
Posts: 1220
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania
Contact:

Re: It's good to block ping........

Mon Apr 07, 2014 8:07 am

Blocking ping is not security, just obscurity.
There are various other means to explore the network.
Torturing CCR1009-7G-1C-1S+, RB450G, RB750GL, RB951G-2HnD, RB960PGS, RB260GSP, OmniTIK 5HnD and NetMetal 922UAGS-5HPacD + R11e-5HnD in my home network.
 
onnoossendrijver
Member
Posts: 418
Joined: Mon Jul 14, 2008 11:10 am
Location: The Netherlands

Re: It's good to block ping........

Mon Apr 07, 2014 1:17 pm

Most ping/ICMP traffic is way too useful (for troubleshooting) to block, in my opinion.
Blocking it is definitely not a security measure.
Linux/network engineer: ITIL, LPI1, CCNA R+S, CCNP R+S, JNCIA, JNCIS-SEC
 
moazdabsheh
Frequent Visitor
Posts: 54
Joined: Mon Mar 24, 2014 3:10 am
Location: Palestine

Re: It's good to block ping........

Mon Apr 07, 2014 4:11 pm

What about blocking traceroute?
 
docmarius
Forum Guru
Posts: 1220
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania
Contact:

Re: It's good to block ping........

Mon Apr 07, 2014 10:36 pm

You could pass all needed traffic and block the rest via sound firewall rules.
In that case, traceroute will be of no use for hacking.
But you can block it, of course.
Just that YOU won't be able to use it either.

Speaking of customers: If you provide them with real IP addresses, then a customer would expect to have full access to/from his IP, including traceroute and ping from the outside. If the customer wants, he still can block ping/traceroute at his endpoint.
If those addresses are NAT-ed, then it doesn't matter since you can not trace anything from the outside past the router. But from the inside, one still expects traceroute to work.

The only thing worth blocking is port 25 (SMTP) in both directions and offering a local SMTP server for mail sending, thus preventing unwanted direct spamming by malicious software. Of course with an option to opt-out of the blocking, if one needs to run his own mail server.
Torturing CCR1009-7G-1C-1S+, RB450G, RB750GL, RB951G-2HnD, RB960PGS, RB260GSP, OmniTIK 5HnD and NetMetal 922UAGS-5HPacD + R11e-5HnD in my home network.
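The port 25 policy described in the post above, as an added example that is not part of the original thread: customers can only submit mail through the ISP's relay, customers who opt out are exempted in both directions via an address list, and everything else on TCP/25 is blocked. The customer-facing interface name ether2-customers, the list names smtp-relays and smtp-optout, and the addresses 192.0.2.25 and 203.0.113.10 (documentation-range placeholders) are all assumptions.

```routeros
# Added example (not from the original post). Assumed: customer interface
# ether2-customers, ISP relay 192.0.2.25, one opted-out customer 203.0.113.10.
/ip firewall address-list
add list=smtp-relays address=192.0.2.25 comment="ISP mail relay: customers submit mail here"
add list=smtp-optout address=203.0.113.10 comment="Customer running their own mail server (opted out)"

/ip firewall filter
# --- outbound SMTP from customers --------------------------------------------
# Everyone may reach the ISP relay.
add chain=forward in-interface=ether2-customers protocol=tcp dst-port=25 \
    dst-address-list=smtp-relays action=accept comment="SMTP to ISP relay"
# Opted-out customers may deliver directly to any MX.
add chain=forward in-interface=ether2-customers protocol=tcp dst-port=25 \
    src-address-list=smtp-optout action=accept comment="Direct SMTP from opted-out customers"
# Everything else: direct-to-MX delivery is the spam-bot pattern. Reject with RST
# so legitimate clients fail fast instead of timing out, and log the source.
add chain=forward in-interface=ether2-customers protocol=tcp dst-port=25 \
    action=reject reject-with=tcp-reset log=yes log-prefix="smtp-out" comment="Block direct outbound SMTP"

# --- inbound SMTP to customers -----------------------------------------------
# Only opted-out customers accept mail on port 25; nobody else is listening by policy.
add chain=forward out-interface=ether2-customers protocol=tcp dst-port=25 \
    dst-address-list=smtp-optout action=accept comment="Inbound SMTP to opted-out customers"
add chain=forward out-interface=ether2-customers protocol=tcp dst-port=25 \
    action=drop log=yes log-prefix="smtp-in" comment="Block inbound SMTP to customers"
```

Opting a customer out is then a single `/ip firewall address-list add list=smtp-optout address=...` with no rule changes. The block only covers port 25; submission on 587 and IMAP/POP stay open, which is the point: end users keep working through the relay while infected machines lose direct delivery. As with the ICMP rules, these need to sit before any broad accept rule in the forward chain to take effect.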
