How can I block ping with the APF firewall?

Discussion in 'General Discussion' started by BianchiDude, Dec 13, 2007.

  1. BianchiDude

    BianchiDude Well-Known Member
    How can I block ping with the APF firewall?
     
  2. AndyReed

    AndyReed Well-Known Member
    You need to disable your server from responding to ICMP requests. Although "ping" uses a TCP/IP port, the protocol is ICMP and NOT TCP/UDP, which is a network "control" protocol.

    You have several options:

    vi /etc/sysctl.conf
    and add this directive:

    Code:
    net.ipv4.icmp_echo_ignore_all = 1
    Save, close and restart iptables.

    Now, you won't be able to ping external interfaces.

    If you wish to block ping echo replies or requests, you can use this rule with iptables:

    iptables -A INPUT -p icmp --icmp-type 8 -s SourceIPAddress -j DROP

    OR

    iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

    to block incoming pings

    OR

    iptables -A OUTPUT -p icmp -o eth0 -j DROP


    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

    which will drop all echo replies. Overall, you need to be very careful as ping is needed by different services/networks. Use at your own risk.
     
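Added example (not part of the original posts): a POSIX shell helper that classifies the iptables rules quoted in the post above by how much ICMP each one drops, and reads the effective `net.ipv4.icmp_echo_ignore_all` value from sysctl.conf-style text. The function names and the sample source address 203.0.113.7 are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example. Inputs are constructed from the rules quoted in this thread.

# classify_rule RULE prints how much ICMP the rule drops:
#   echo-request-only  only ICMP type 8 (ping requests)
#   all-icmp           every ICMP type, error messages included
#   other              not an ICMP DROP rule, or a different ICMP type
classify_rule() {
    case " $1 " in *" -p icmp "*) ;; *) echo other; return ;; esac
    case " $1 " in *" -j DROP "*) ;; *) echo other; return ;; esac
    case " $1 " in
        *" --icmp-type 8 "*|*" --icmp-type echo-request "*)
            echo echo-request-only ;;
        *" --icmp-type "*)
            echo other ;;
        *)  # no --icmp-type match: the rule applies to all ICMP traffic
            echo all-icmp ;;
    esac
}

# sysctl_echo_ignore_all TEXT prints the last uncommented value assigned to
# net.ipv4.icmp_echo_ignore_all in sysctl.conf-style TEXT, or "unset".
sysctl_echo_ignore_all() {
    printf '%s\n' "$1" | awk -F= '
        /^[ \t]*[#;]/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == "net.ipv4.icmp_echo_ignore_all" { v = $2; gsub(/[ \t]/, "", v); last = v }
        END { print (last == "" ? "unset" : last) }'
}

# audit_rules reads one rule per line on stdin and prints "class<TAB>rule".
audit_rules() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s\t%s\n' "$(classify_rule "$line")" "$line"
    done
}

# Constructed sample: the three rules from the post, with a documentation
# address (203.0.113.7) standing in for SourceIPAddress.
SAMPLE_RULES='iptables -A INPUT -p icmp --icmp-type 8 -s 203.0.113.7 -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A OUTPUT -p icmp -o eth0 -j DROP'

printf '%s\n' "$SAMPLE_RULES" | audit_rules
```

The third rule is reported as `all-icmp` because it has no `--icmp-type` match, so it also drops outbound ICMP error messages, not only echo replies.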
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
  4. brianoz

    brianoz Well-Known Member

    Blocking ping is probably a Bad Thing (tm); why did you want to do that?
     
  5. BianchiDude

    BianchiDude Well-Known Member
    Security, you can't hack a server that you can't find, LOL
     
  6. brianoz

    brianoz Well-Known Member

    You actually believe they won't find it if it's not pingable? :rolleyes: lol. Good idea, but in the meantime you'll frustrate people trying to troubleshoot as well as break many small things.

    Instead, I'd install CSF and mod_security and set them up, change your ssh port, and then go get a server hardening package.
     
  7. Murtaza_t

    Murtaza_t Well-Known Member

    I don't think disabling ping on the server is a bad idea. I am not sure of any networking tool that uses only ping to identify the server being up/down. At the current point most of them use telnet, I suppose.

    Yes, there is a disadvantage of clients complaining about their site being down just because they cannot ping it. :D
     
    #7 Murtaza_t, Dec 17, 2007
    Last edited: Dec 19, 2007