How can I block ping with the APF firewall?

AndyReed

How can I block ping with the APF firewall?
You need to stop your server from responding to ICMP requests. Although "ping" uses TCP/IP Port, the Protocol is ICMP and NOT TCP/UDP, which is a network "control" protocol.

You have several options:

vi /etc/sysctl.conf
and add this directive:

Code:
net.ipv4.icmp_echo_ignore_all = 1
Save, close and restart iptables.

Now, you won't be able to ping external interfaces.

If you wish to block ping echo reply or requests, you can use this rule with IPtables:

iptables -A INPUT -p icmp --icmp-type 8 -s SourceIPAddress -j DROP

OR

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP to block incoming pings

OR

iptables -A OUTPUT -p icmp -o eth0 -j DROP


echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

which will drop all echo replies. Overall, you need to be very careful as ping is needed by different services/networks. Use at your own risk.
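
Added example, not part of the original posts: a POSIX shell audit that reports which of the mechanisms in the reply above is configured, and whether an iptables rule drops only echo requests or every ICMP type. The function names and sample input are constructed for illustration; on a live host, feed the functions `/etc/sysctl.conf` and the output of `iptables -S`.

```sh
#!/bin/sh
# Added example: audit how a host is set up to ignore ping, from config text.
# All sample input below is constructed for illustration.

# Reads sysctl.conf-style text on stdin. Succeeds only if the last uncommented
# net.ipv4.icmp_echo_ignore_all setting is 1 (later lines override earlier ones).
sysctl_blocks_ping() {
    awk -F= '
        /^[ \t]*[#;]/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == "net.ipv4.icmp_echo_ignore_all" { val = $2; gsub(/[ \t]/, "", val) }
        END { exit !(val == "1") }
    '
}

# Reads `iptables -S` output on stdin and prints CHAIN:scope for each ICMP
# DROP/REJECT rule. scope is echo-request (type 8 only), other-type, or
# all-icmp (no --icmp-type, so error messages such as
# destination-unreachable are dropped too).
classify_icmp_rules() {
    awk '
        $1 == "-A" && /-p icmp/ && /-j (DROP|REJECT)/ {
            scope = "all-icmp"
            for (i = 1; i < NF; i++)
                if ($i == "--icmp-type")
                    scope = ($(i + 1) == "8" || $(i + 1) == "echo-request") ? "echo-request" : "other-type"
            print $2 ":" scope
        }
    '
}

SAMPLE_SYSCTL='# constructed sample
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_all = 1'

SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -o eth0 -p icmp -j DROP'

if printf '%s\n' "$SAMPLE_SYSCTL" | sysctl_blocks_ping; then
    echo "sysctl: echo requests ignored"
else
    echo "sysctl: echo requests answered"
fi
printf '%s\n' "$SAMPLE_RULES" | classify_icmp_rules
```

The sysctl check reads the persistent file only; the running value is whatever `/proc/sys/net/ipv4/icmp_echo_ignore_all` currently holds.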
 

brianoz

You actually believe they won't find it if it's not pingable? :rolleyes: lol. Good idea, but in the meantime you'll frustrate people trying to troubleshoot as well as break many small things.

Instead, I'd install CSF and mod_security and set them up, change your ssh port, and then go get a server hardening package.
 

Murtaza_t

I don't think disabling ping on the server is a bad idea. I am not sure of any networking tool that uses only ping to identify the server being up/down. At the current point most of them use telnet I suppose.

Yes, there is a disadvantage of clients complaining about their site being down just because they cannot ping it. :D
 