Hello friends. How do you block ICMP tunnels? Which is the most appropriate and correct way?
Thanks in advance!
Thanks bro, but this is needed for ping... For now I reduce one connection per src IP with small packet - to 86 bytes!
Well, I think ICMP tunnels mainly use the Echo (type 8) / Echo Reply (type 0), so I guess you simply need to block that. There is not much else you can do.
I don't think you want to go building L7 firewall rules which look into the packets ... It will kill performance anyway.
Blocking all ICMP altogether is also not completely smart, as ICMP is a rather important protocol...
/ip firewall filter add action=drop chain=forward icmp-options=8:0 limit=3,10:packet packet-size=93-65535 protocol=icmp
In the previous post this is exactly what I say, but in this way:
You could try something like that. This will drop ICMP ping request packets where the IP packet is bigger than 92 bytes and sets a rate limit of 3 packets per second with a 10 packet burst.
/ip firewall filter add action=drop chain=forward icmp-options=8:0 limit=3,10:packet packet-size=93-65535 protocol=icmp
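
Added example, not part of any post in this thread and not MikroTik code: a Python model of the policy the posts describe (echo requests over 92 bytes dropped, the rest limited to 3 packets per second with a burst of 10), run on constructed packets. The names `build_echo`, `parse`, `EchoPolicy` and `run_samples` are hypothetical, and comparing the threshold against the IP total length and keeping one bucket per source address are assumptions.

```python
import socket
import struct

MAX_LEN = 92          # largest IP packet allowed (assumed: IP total length)
RATE, BURST = 3, 10   # packets per second and burst, as in limit=3,10:packet

def build_echo(src, dst, payload, icmp_type=8):
    """Construct an IPv4 + ICMP packet (checksums left at 0; sample input only)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + icmp

def parse(packet):
    """Return (src, total_len, icmp_type, icmp_code), or None if not IPv4 ICMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", packet[2:4])[0], packet[9]
    if proto != 1 or ihl < 20 or len(packet) < ihl + 4:
        return None
    return socket.inet_ntoa(packet[12:16]), total_len, packet[ihl], packet[ihl + 1]

class EchoPolicy:
    """Drop oversized echo requests; token-bucket the rest per source (assumption)."""
    def __init__(self):
        self.buckets = {}  # src -> (tokens, time of last packet)

    def decide(self, packet, now):
        parsed = parse(packet)
        if parsed is None or parsed[2:] != (8, 0):
            return "pass"                      # only echo requests (8:0) are judged
        src, total_len = parsed[0], parsed[1]
        if total_len > MAX_LEN:
            return "drop-size"
        tokens, last = self.buckets.get(src, (float(BURST), now))
        tokens = min(BURST, tokens + (now - last) * RATE)   # refill since last packet
        if tokens < 1:
            self.buckets[src] = (tokens, now)
            return "drop-rate"
        self.buckets[src] = (tokens - 1, now)
        return "accept"

def run_samples():
    """Constructed traffic: a 12-packet burst, one large request, one late ping."""
    policy = EchoPolicy()
    normal = build_echo("192.0.2.10", "198.51.100.1", b"a" * 56)    # 84 bytes
    large = build_echo("192.0.2.10", "198.51.100.1", b"b" * 200)    # 228 bytes
    burst = [policy.decide(normal, 0.0) for _ in range(12)]
    return policy.decide(large, 0.0), burst, policy.decide(normal, 1.0)
```

An echo request with a 56-byte payload is 84 bytes on the wire at the IP layer (20-byte IP header plus 8-byte ICMP header), so it stays under the 92-byte threshold while larger payloads are rejected.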