barara
just joined
Topic Author
Posts: 11
Joined: Tue Jan 12, 2016 9:41 am

ICMP block WAN and allow LAN

Wed Sep 07, 2022 5:10 pm

I am using a MikroTik RB5009.
I have a question about ICMP and the firewall.
As shown in the figure below, I want to block ICMP from outside to the WAN IP (port) and allow ICMP from LAN to the WAN IP.
Is there any way?
Any help would be appreciated.
icmp.png
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: ICMP block WAN and allow LAN  [SOLVED]

Wed Sep 07, 2022 6:47 pm

In firewall ... when constructing rules, you can either refer to in-interface or in-interface-list ... or to src-address or src-address-list.

My opinion: blocking ICMP is largely overrated. Indeed it does slightly enlarge your footprint (i.e. a potential attacker can more easily determine if a certain IP address is "alive" or not), but blocking ICMP itself doesn't improve the security of your network. When it comes to IPv6, blocking ICMP (if not very precise about which types and codes to block) can even break networking. So it's better to let ICMP work and take care of security by other means.
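The matchers named in the reply above, written out as RouterOS filter rules. This is an added example, not configuration posted by anyone in the thread; the interface lists `LAN` and `WAN` and the subnet `192.168.88.0/24` are assumptions to be replaced with your own.

```routeros
# Added example; LAN and WAN are assumed interface lists,
# 192.168.88.0/24 is a constructed LAN subnet.
/ip firewall filter

# A ping from a LAN host to the router's WAN IP still enters through the
# LAN side, so it is matched by the interface it arrived on, not by the
# destination address. chain=input covers traffic addressed to the router.
add chain=input protocol=icmp in-interface-list=LAN action=accept \
    comment="ICMP to router from LAN"

# Same protocol arriving on the WAN side is dropped.
add chain=input protocol=icmp in-interface-list=WAN action=drop \
    comment="ICMP to router from WAN"

# Alternative to the first rule: match on source address instead of
# the ingress interface list.
# add chain=input protocol=icmp src-address=192.168.88.0/24 action=accept
```

Filter rules are evaluated top to bottom, so both rules must sit above any broader rule that accepts ICMP, and below the established/related accept rule so that replies to traffic the router itself originated are not affected.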
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: ICMP block WAN and allow LAN

Wed Sep 07, 2022 9:49 pm

There is no good reason to block ICMP and there are good reasons to allow ICMP.
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: ICMP block WAN and allow LAN

Wed Sep 07, 2022 10:37 pm

"There is no good reason to block ICMP"

IMO too strongly worded. If we started a discussion about it (but I'm not going to participate), I could explain a few (IMO good) reasons to block some ICMP types and/or codes. But as you say, life is possible without blocking any ICMP and life sucks if one blocks too many ICMP.
