nishadul
Member Candidate
Topic Author
Posts: 161
Joined: Thu Dec 13, 2012 12:04 pm
Location: Bangladesh

Block Ping request

Wed Aug 10, 2016 6:33 pm

Hello,

I need that nobody can ping my router; how is this possible?

Regards,
Nishadul
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: Block Ping request

Wed Aug 10, 2016 6:47 pm

Drop it in firewall.
 
nishadul
Member Candidate
Topic Author
Posts: 161
Joined: Thu Dec 13, 2012 12:04 pm
Location: Bangladesh

Re: Block Ping request

Wed Aug 10, 2016 6:52 pm

Drop it in firewall.

How do I write the firewall rules? I have written one, but it does not work from outside to my router IP.
The rule is: add chain=forward protocol=icmp action=drop
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Block Ping request

Wed Aug 10, 2016 8:47 pm

use chain=input, not chain=forward.

forward chain = THROUGH the router
input chain = TO the router

..

And blocking pings does not help security anymore... or at least being "invisible" is no help.
 
R1CH
Forum Guru
Posts: 1098
Joined: Sun Oct 01, 2006 11:44 pm

Re: Block Ping request

Wed Aug 10, 2016 10:37 pm

Drop it in firewall.

How do I write the firewall rules? I have written one, but it does not work from outside to my router IP.
The rule is: add chain=forward protocol=icmp action=drop
You should never drop all ICMP or you will silently break things like PMTU discovery. Be more specific with which ICMP types you drop.
 
emikrotik
Frequent Visitor
Posts: 71
Joined: Fri Jun 19, 2015 9:30 am

Re: Block Ping request

Fri Aug 19, 2016 10:16 am

Block ICMP packets and allow the router to show as a hop on traceroutes:

/ip firewall filter add action=drop chain=forward disabled=yes icmp-options=8:0 protocol=icmp
 
cyon
Frequent Visitor
Posts: 62
Joined: Tue Apr 29, 2014 12:58 pm

Re: Block Ping request

Fri Aug 02, 2019 11:26 am

Block ICMP packets and allow the router to show as a hop on traceroutes:

/ip firewall filter add action=drop chain=forward disabled=yes icmp-options=8:0 protocol=icmp
Doesn't Work!
 
nostromog
Member Candidate
Posts: 226
Joined: Wed Jul 18, 2018 3:39 pm

Re: Block Ping request

Fri Aug 02, 2019 11:34 am

Block ICMP packets and allow the router to show as a hop on traceroutes:

/ip firewall filter add action=drop chain=forward disabled=yes icmp-options=8:0 protocol=icmp
Doesn't Work!
Of course,
disabled=yes
is a very effective way to make non-working firewall rules :)
 
cyon
Frequent Visitor
Posts: 62
Joined: Tue Apr 29, 2014 12:58 pm

Re: Block Ping request

Fri Aug 02, 2019 11:45 am

Block ICMP packets and allow the router to show as a hop on traceroutes:

/ip firewall filter add action=drop chain=forward disabled=yes icmp-options=8:0 protocol=icmp
Doesn't Work!
Of course,
disabled=yes
is a very effective way to make non-working firewall rules :)
I did see that, LoL, but it's still not working!
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Block Ping request

Fri Aug 02, 2019 12:05 pm

The order of rules matters, so a perfect rule on a wrong position in the chain cannot work because a matching packet never reaches it as it is always dropped or accepted by one of the earlier rules in that chain. Also a perfect rule in a wrong chain doesn't do what you expect.
 
pravyroxor
just joined
Posts: 3
Joined: Tue Apr 23, 2019 8:09 am

Re: Block Ping request

Wed Aug 05, 2020 11:37 am

It works with:
/ip firewall filter add action=drop chain=input icmp-options=8:0-255 in-interface-list=WAN protocol=icmp
Block ICMP packets and allow the router to show as a hop on traceroutes:

/ip firewall filter add action=drop chain=forward disabled=yes icmp-options=8:0 protocol=icmp
Doesn't Work!
Of course,
disabled=yes
is a very effective way to make non-working firewall rules :)
I did see that LoL. but still not working!
 
geebee63
just joined
Posts: 6
Joined: Tue Nov 10, 2020 6:43 pm

Re: Block Ping request

Sun Nov 15, 2020 2:56 pm

Make sure that it is at the top of the list

/ip firewall filter add action=drop chain=input dst-address=x.x.x.x protocol=icmp src-address=x.x.x.x/x

Replace the x's with your network IP and range.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block Ping request

Sun Nov 15, 2020 5:00 pm

How does that rule block ICMP but allow ICMP for certain purposes??
A. What ICMP traffic is necessary?
B. What ICMP traffic needs to be blocked because presumably it's insecure (an assumption to be dispelled or supported)?
 
lobo2mil9
just joined
Posts: 1
Joined: Mon Jul 26, 2021 9:56 pm

Re: Block Ping request

Mon Jul 26, 2021 10:12 pm

I did it this way. In the example the incoming pings are blocked on the WAN interface of the MikroTik, with the advantage that pings can still be performed from the MikroTik terminal both outside and inside the network.

/ip firewall filter add chain=input protocol=icmp in-interface=YOUR-INTERFACE icmp-options=8:0-255 action=drop
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Block Ping request

Thu Jul 29, 2021 8:41 am

I do use this, never had any problem with it.
/ip firewall filter add action=drop chain=input comment="Drop ICMP on outside IF" in-interface=ether1 log=yes log-prefix=FI_D_ICMP-outside protocol=icmp
It does not need to be at the top of the rules as long as it's not blocked by any other rule above it.

The block rule has to be in the input chain, since you want to block ping to the router. But if you have a NAT rule that allows ping to an internal host and you would like to block some IPs from pinging the internal host, you need to use the forward chain; but I do not see why you should allow ping to an internal host.

Blocked pings on my router in the last 12 hours (log dump of the dropped sources omitted here).
Top countries pinging me in the last 7 days
Country	count	percent
United States	319	29.373849
Morocco	210	19.337017
India	74	6.813996
Pakistan	72	6.629834
Philippines	53	4.880295
Australia	53	4.880295
China	46	4.235727
United Kingdom	26	2.394107
Russia	20	1.841621
Belgium	19	1.749540
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Block Ping request

Thu Jul 29, 2021 8:55 am

Top countries pinging me in the last 7 days

Which proves that USA is cyber-crime infested country, possibly many of those criminals are state sponsored or outright state agencies employees.

Ummm ... wait, isn't the western world saying that about Russia and China? Now I'm confused.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Block Ping request

Thu Jul 29, 2021 9:12 am

You don't seriously relate the source IP address of an attack with the person behind that attack, do you? I'm afraid that the U.S. simply has the most public IPv4 addresses of any country, so if we assume that the share of vulnerable systems is equal everywhere, the most zombies following someone else's command must be in the U.S. as well.

Leaving aside that many ISPs worldwide let you spoof any source IP address you want. Hence wherever the attacker is not interested in the response, or where the response itself is the attack bullet (DNS response DDoS), you cannot base any conclusions on the source address.

And I sincerely hope that the intelligence agencies worldwide know this and use other criteria when identifying the attacks. What politicians make out of their reports is another can of worms of course.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Block Ping request

Thu Jul 29, 2021 11:40 am

@sindy, if your post is a reply to mine ... I guess I should have put the whole post inside a [sarcasm] [/sarcasm] block. I'm fully aware of the facts you're describing (but your post is still welcome to remind us all of those facts).
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Block Ping request

Thu Jul 29, 2021 2:32 pm

Just for the fun of it. Here are the blocked pings for 1 year!!
Country          count   percent
United States    13456   16.513874
China             8960   10.996159
United Kingdom    8193   10.054858
India             7742    9.501368
Germany           4100    5.031724
Philippines       2754    3.379846
Brazil            2383    2.924536
Russia            2189    2.686450
Norway            2005    2.460636
Pakistan          1905    2.337911
OTHER            27796   34.112637
So I will blame the US for being the worst country ;)

If you look at everyone who has tried any non-open port (and been blocked by this), US IPs account for nearly 20% of the blocked IPs.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Block Ping request

Thu Jul 29, 2021 2:38 pm

Actually the worst country is OTHER. Just can't find it on the Globe. ;-)

Oh, I forgot to include the [sarcasm] [/sarcasm] block ... again.
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Block Ping request

Thu Jul 29, 2021 2:40 pm

Haha, very funny :)

Same with this one in French; I did not understand what city this sign will take you to, and did not find it on the map.
Toutes.jpg
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Block Ping request

Thu Jul 29, 2021 2:48 pm

If we started to nitpick over your numbers, it would be interesting to see the malicious_ping-per-capita table/ranking ... I guess that would completely change the ranking. Vatican might end up on top (not sure if there's actually any IP address space allocated to that country?).

Seems like the French won another war (just like they did with roundabouts) ... I seem to notice more and more traffic signs around Europe which read something like "other directions" (but in the country's official language, which makes them as undecipherable as the sign you posted).
 
mozerd
Forum Veteran
Posts: 871
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Block Ping request

Thu Jul 29, 2021 3:10 pm

And I sincerely hope that the intelligence agencies worldwide know this and use other criteria when identifying the attacks. What politicians make out of their reports is another can of worms of course.
The intelligence agencies (G7 + rogue) know how to pattern match based on AI systems that constantly monitor/scan the terabytes^42 of data they collect on a constant and persistent basis. In the USA/Canada they have 20+ data centers in secret locations, where each data center is humongous in size and scope. Once that pattern is identified they follow that stream with unbridled enthusiasm. Believe it or not 😎
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block Ping request

Thu Jul 29, 2021 6:18 pm

Meanwhile I accept ICMP, which allows me to do the troubleshooting I need for such things as WireGuard connections, with no detrimental impact on my router performance...
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Block Ping request

Thu Jul 29, 2021 7:20 pm

Of course, all IPs I white-list manually or through port knocking can ping my router. This way I can test stuff from a remote location.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block Ping request

Thu Jul 29, 2021 7:50 pm

Not only on France:

Image
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block Ping request

Thu Jul 29, 2021 7:56 pm

I did not know that in Canada they are so sexist that the woman is pictured with shopping bags !!!!!!!!!

And they put, in order of preference, Women, Wi-Fi, Money and Food...

:)))))))



Image
 
kiler129
Member
Posts: 352
Joined: Tue Mar 31, 2015 4:32 pm
Location: IL, USA

Re: Block Ping request

Thu Jul 29, 2021 8:21 pm

But with all seriousness... why do people block ICMP? It's harmful. Even blocking just ECHO and leaving the rest of ICMP alone is at best annoying. Rate limiting it to a reasonable value - sure, but blocking it flat-out is imho more harmful than helpful.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block Ping request

Thu Jul 29, 2021 9:27 pm

Point taken rextended, but it could be a man wearing a dress.............

This however is clearly "over the top"
rextended.JPG
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block Ping request

Thu Jul 29, 2021 10:09 pm

It's not a photomanipulation...
It's TRUE....
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block Ping request

Thu Jul 29, 2021 10:14 pm

But with all the seriousness... why people block ICMP?
It is the same person who tries to limit torrents nowadays or insists on restricting sites on the internet with layer7...

With the bandwidth available these days, compared to the past,
only blocking malformed ICMPs makes sense (ehm... read the page linked in my signature...).
The right way is to block the "malformed" ones and limit the number of pings, in order not to collaborate with an ICMP storm attack...
The counterfeit IP comes as the source and the ECHO response goes to join the DDoS attack....
Last edited by rextended on Thu Jul 29, 2021 10:31 pm, edited 2 times in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block Ping request

Thu Jul 29, 2021 10:26 pm

Edit: NM, read the whole thread, it ended up in the sewer LOL.

Okay, but I am a minimalist.
If my home network should have it, then I will add it.
If it's strictly hobby fun and not necessary, then I don't want to add it.

I did once monkey with ICMP settings and jump rules and it was a disaster.
Last edited by anav on Thu Jul 29, 2021 10:37 pm, edited 2 times in total.
 
kevinds
Long time Member
Posts: 575
Joined: Wed Jan 14, 2015 8:41 am

Re: Block Ping request

Fri Aug 20, 2021 3:07 am

But with all the seriousness... why people block ICMP? It's harmful. Even blocking just ECHO and leaving rest of the ICMP alone is at best annoying. Rate limiting this to a reasonable value - sure, but blocking it flat-out is imho more harmful than helpful.
Microsoft suggested it years ago as a best practice... I think it is still blocked in the OS's default firewall rules...

For example, none of the M$ servers are pingable, but all of Google's are.
 
johnson73
Member Candidate
Member Candidate
Posts: 172
Joined: Wed Feb 05, 2020 10:07 am

Re: Block Ping request

Sat Dec 04, 2021 11:13 pm

Hello,
In order not to create a new topic, I want to ask how to properly block ICMP ping. There are many examples that block all ICMP. Experts say this is not right. How is it done right?

as follows?
/ip firewall filter
add action=accept chain=input comment="Access Normal Ping" in-interface-list=WAN limit=50/5s,2:packet protocol=icmp
add action=drop chain=input comment="Drop excess pings" in-interface-list=WAN protocol=icmp
or as follows?
/ip firewall filter
add chain=input protocol=icmp action=jump jump-target=icmp
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="ICMP echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="ICMP net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="ICMP host unreachable"
add chain=icmp protocol=icmp icmp-options=3:4 action=accept comment="ICMP host unreachable fragmentation required"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="ICMP allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="ICMP allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="ICMP allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="ICMP allow parameter bad"
add chain=icmp action=drop comment="ICMP deny all other types"
or..
/ip firewall filter
add action=drop chain=input comment="drop echo request" icmp-options=8:0 in-interface-list=WAN protocol=icmp
is there a better method?
Thank you!
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Block Ping request

Sat Dec 04, 2021 11:56 pm

is there a better method?
Yes, there is, as suggested above. Allow ICMP to flow freely, except ICMP echo requests if you feel like throttling them to max N per unit of time.

Blocking ICMP completely causes many things to stop working (most notably, path MTU discovery); blocking ping requests completely doesn't prevent other methods of discovery that your device exists, so you may get too little benefit for too much work.
 
kevinds
Long time Member
Posts: 575
Joined: Wed Jan 14, 2015 8:41 am

Re: Block Ping request

Sun Dec 05, 2021 2:00 am

Hello,
In order not to create a new topic I want to ask how to properly block ICMP ping? There are many examples that block all icmp. Experts say this is not right. How is it right?


is there a better method?
Thank you!
Yes there is a better method.. Leave ICMP alone.

Do you have an actual issue you are trying to fix by blocking ICMP?
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Block Ping request

Sun Dec 05, 2021 9:22 am

You can add this to block pings from users who try more than just ping.

If anyone for some reason tries to reach any port on my router(s) that is not open, they are blocked from accessing anything on my router (ICMP/web ++) for 24 hours. If they are testing out my router, they have nothing to do here.
More info here: viewtopic.php?f=23&t=178496
 
johnson73
Member Candidate
Posts: 172
Joined: Wed Feb 05, 2020 10:07 am

Re: Block Ping request

Sun Dec 05, 2021 10:16 am

Kevinds,
Yes, there is a ping flood on my device at least twice a week, which puts a lot of strain on the channel. So I wanted to ask which example would be the best.
Is this?
/ip firewall filter
add chain=input protocol=icmp action=jump jump-target=icmp
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="ICMP echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="ICMP net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="ICMP host unreachable"
add chain=icmp protocol=icmp icmp-options=3:4 action=accept comment="ICMP host unreachable fragmentation required"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="ICMP allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=drop comment="ICMP allow echo request"  << =====
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="ICMP allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="ICMP allow parameter bad"
add chain=icmp action=drop comment="ICMP deny all other types"

Sindy,
will this option be good?
Last edited by johnson73 on Sun Dec 05, 2021 4:53 pm, edited 1 time in total.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Block Ping request

Sun Dec 05, 2021 10:29 am

To which channel, the one between the router and the internet or the one between the router and the rest of your own network?

If the one towards the internet, blocking the ping requests will only mean you won't respond to them, but you cannot prevent them from coming.

So to reduce the load of the router and the upload direction of the uplink channel, the right thing would be to add the ping sources to an address list if they exceed some rate, and to drop anything matching that address list as source in /ip firewall raw, as @Jotne suggests. But this won't lower the load of the channel in download direction. To do that, you'd have to agree with your upstream ISP.
 
johnson73
Member Candidate
Posts: 172
Joined: Wed Feb 05, 2020 10:07 am

Re: Block Ping request

Sun Dec 05, 2021 10:39 am

Between the router and the internet.
Flood packets are coming from the Internet (WAN). OK, I'll try the @Jotne version.
/ip firewall raw
add action=drop chain=prerouting comment="Drop user that has tried ports that are not open and has been added to block list" in-interface=ether1 src-address-list=FW_Block_unkown_port
But are those ICMP rules I showed still needed?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Block Ping request

Sun Dec 05, 2021 10:44 am

This rule is the executive part only, and drops any traffic from the source of the annoying ping, which may or may not be what you actually want.

The rate checking part in /ip firewall filter, adding offenders to the list, is also necessary. And you have to change its matching criteria, @Jotne blocks everyone scanning ports, whereas you plan to block ping sources.
 
johnson73
Member Candidate
Posts: 172
Joined: Wed Feb 05, 2020 10:07 am

Re: Block Ping request

Sun Dec 05, 2021 3:18 pm

Sindy,
Okay, I will apply scan protection. But the question remains: what should I do with the ICMP rules?? Leave them as accept all? Delete them? Block echo request only? What is more correct? Maybe ICMP can be blocked in the raw chain?
I'm sorry I don't understand a bit.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Block Ping request

Sun Dec 05, 2021 4:10 pm

I don't know how to explain better, but I'll try once more.

First step - choose which kind of traffic you want to cause blocklisting of the source address. If it should be only ping requests, the match condition is protocol=icmp icmp-options=8:0.

Second step - choose whether you want to block it completely (not a good idea, won't repeat reasons) or start blocking it as soon as it exceeds some threshold rate. See the description of dst-limit matcher (don't get confused by the name, it can work as src-limit too) in the firewall rule manual. As the dst-limit matches as long as the packet rate is below the limit, you need to use a chain consisting of two rules to add the sources exceeding the limit to the blocklist, so the /ip firewall filter rules would be augmented with the following:

/ip firewall filter
add chain=input protocol=icmp icmp-options=8:0 action=jump jump-target=ping-limiter
add chain=ping-limiter action=return dst-limit=5/1,1,src-address/600
add chain=ping-limiter action=add-src-to-address-list address-list=ping-blocklist address-list-timeout=1w


If your router is a gateway to a network with public IP addresses, you need to do a similar thing in filter chain forward, except that there, the mode in dst-limit has to be src-and-dst-address.

Third step - decide whether you want to drop any traffic from the source that has sent an annoying amount of ping requests, or just the ping requests themselves, and add a corresponding rule to raw/prerouting:

/ip firewall raw
add chain=prerouting src-address-list=ping-blocklist protocol=icmp icmp-options=8:0 action=drop

So
  • all ping requests coming at tolerable rate:
    • will not match the drop rule in raw, so they will get to filter
    • will match the dst-limit rule in filter, so they won't reach the add-src-to-address-list one
  • the first ping exceeding the tolerable rate from that source to that destination:
    • will not match the drop rule in raw, so it will get to filter
    • will not match the dst-limit rule in filter, so it will proceed to the add-src-to-address-list one and match it, so its source address will be added to the blocklist
  • the subsequent ping requests from that source, no matter what the destination is, or even all traffic from that source, will be dropped already by the drop rule in raw, for a week, until the item on the blocklist expires
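As an added illustration (not part of sindy's post, and not RouterOS code), here is a small Python model of the three-step design described above: the raw/prerouting drop keyed on the ping-blocklist address list, the filter/input jump into a ping-limiter chain, and in that chain the dst-limit "return" rule followed by add-src-to-address-list. The token-bucket treatment of dst-limit, the millisecond clock and the addresses are assumptions of this model.

```python
# Model of the ping-throttling pipeline discussed above (added example; the
# token-bucket approximation of dst-limit is an assumption, not RouterOS internals).
from dataclasses import dataclass

ECHO_REQUEST = (8, 0)  # icmp-options=8:0


@dataclass(frozen=True)
class Packet:
    t_ms: int               # simulated arrival time in milliseconds
    src: str
    proto: str = "icmp"
    icmp: tuple = ECHO_REQUEST  # (type, code)


class DstLimit:
    """Approximation of dst-limit=<rate>/<time>,<burst>,src-address/<expire>:
    one token bucket per source; matches() is True while the source is within
    the limit, which is what lets the 'action=return' rule fire first."""

    def __init__(self, rate, per_ms, burst, expire_ms):
        self.rate, self.per_ms, self.burst, self.expire_ms = rate, per_ms, burst, expire_ms
        self.buckets = {}  # src -> (tokens, last_seen_ms)

    def matches(self, pkt):
        tokens, last = self.buckets.get(pkt.src, (self.burst, pkt.t_ms))
        if pkt.t_ms - last > self.expire_ms:  # idle entry expired: fresh bucket
            tokens, last = self.burst, pkt.t_ms
        tokens = min(self.burst, tokens + (pkt.t_ms - last) * self.rate / self.per_ms)
        if tokens >= 1:
            self.buckets[pkt.src] = (tokens - 1, pkt.t_ms)
            return True
        self.buckets[pkt.src] = (tokens, pkt.t_ms)
        return False


class PingThrottle:
    """raw/prerouting -> filter/input -> ping-limiter, with a timed blocklist."""

    def __init__(self, rate=5, per_ms=1000, burst=1, expire_ms=600_000,
                 blocklist_ms=7 * 86_400_000):  # address-list-timeout=1w
        self.limiter = DstLimit(rate, per_ms, burst, expire_ms)
        self.blocklist_ms = blocklist_ms
        self.blocklist = {}  # src -> expiry time in ms

    def _on_blocklist(self, pkt):
        expiry = self.blocklist.get(pkt.src)
        if expiry is None:
            return False
        if pkt.t_ms >= expiry:  # dynamic address-list entry timed out
            del self.blocklist[pkt.src]
            return False
        return True

    def raw_prerouting(self, pkt):
        # add chain=prerouting src-address-list=ping-blocklist protocol=icmp icmp-options=8:0 action=drop
        if pkt.proto == "icmp" and pkt.icmp == ECHO_REQUEST and self._on_blocklist(pkt):
            return "drop"
        return "accept"

    def ping_limiter(self, pkt):
        # add chain=ping-limiter action=return dst-limit=5/1,1,src-address/600
        if self.limiter.matches(pkt):
            return  # within the limit: back to the input chain
        # add chain=ping-limiter action=add-src-to-address-list address-list=ping-blocklist ...
        # add-src-to-address-list is non-terminating, so this packet itself still passes.
        self.blocklist[pkt.src] = pkt.t_ms + self.blocklist_ms

    def filter_input(self, pkt):
        # add chain=input protocol=icmp icmp-options=8:0 action=jump jump-target=ping-limiter
        if pkt.proto == "icmp" and pkt.icmp == ECHO_REQUEST:
            self.ping_limiter(pkt)
        return "accept"  # nothing terminating matched: end-of-chain accept

    def process(self, pkt):
        verdict = self.raw_prerouting(pkt)
        return verdict if verdict == "drop" else self.filter_input(pkt)


def run_scenario():
    """Constructed traffic: a polite source at 1 ping/s, a flooder at 10 pings/s,
    then a 3:4 'fragmentation needed' from the flooder, then a ping a week later."""
    fw = PingThrottle()
    polite = [fw.process(Packet(t, "198.51.100.10")) for t in range(0, 10_000, 1_000)]
    flood = [fw.process(Packet(100_000 + i * 100, "203.0.113.7")) for i in range(6)]
    pmtud = fw.process(Packet(100_600, "203.0.113.7", icmp=(3, 4)))  # not matched by the raw rule
    later = fw.process(Packet(100_100 + 7 * 86_400_000 + 1, "203.0.113.7"))  # blocklist entry expired
    return {"polite": polite, "flood": flood, "pmtud": pmtud, "later": later}


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The flooder's second ping is what trips the add-src-to-address-list rule (it is itself still accepted), every later echo request from that source dies in raw, while its 3:4 message passes because the raw rule only matches 8:0.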
 
johnson73
Member Candidate
Posts: 172
Joined: Wed Feb 05, 2020 10:07 am

Re: Block Ping request

Sun Dec 05, 2021 4:50 pm

thank you very much for your reply. Got it!
 
LostUser
just joined
Posts: 1
Joined: Tue Mar 05, 2019 2:16 am

Re: Block Ping request

Wed Mar 23, 2022 5:47 pm

Just for the fun of it. Here are the blocked pings for 1 year!!
Country          count   percent
United States    13456   16.513874
China             8960   10.996159
United Kingdom    8193   10.054858
India             7742    9.501368
Germany           4100    5.031724
Philippines       2754    3.379846
Brazil            2383    2.924536
Russia            2189    2.686450
Norway            2005    2.460636
Pakistan          1905    2.337911
OTHER            27796   34.112637
So I will blame the US for being the worst country ;)

If you look at everyone who has tried any non-open port (and been blocked by this), US IPs account for nearly 20% of the blocked IPs.
Regarding this. There are more than just pings going on but that would be an interesting one to track.
I have the Mikrotik admin port blocked and at one time had been logging IP addresses. I don't remember what country stood out as the leader but US was not one of them.
However, I did note that some IP addresses were belonging to security companies. My guess is that security companies do scans as well as bad actors and both are looking for vulnerabilities. One for statistics and the other for bad purposes.

For reference, I am in the US.

I am going to guess, as well, that if you are in China, you are not being scanned by Chinese as much as you are by other countries unless the government is actively involved in controlling internet companies of their own country and forcing certain traffic to be dropped --- which I am sure varies by country and by companies.

https://www.si.umich.edu/about-umsi/new ... ent-access
