How can I block ping with the APF firewall?

You need to disable your server to respond to ICMP requests. Although "ping" uses TCP/IP Port, the Protocol is ICMP and NOT TCP/UDP, which is a network "control" protocol.

You have several options:

vi /etc/sysctl.conf
and add this directive:

Code:

net.ipv4.icmp_echo_ignore_all = 1

Save, close and restart iptables.

Now, you won't be able to ping external interfaces.

If you wish to block ping echo reply or requests, you can use this rule with IPtables:

iptables -A INPUT -p icmp --icmp-type 8 -s SourceIPAddress -j DROP

OR

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP to block incomming pings

OR

iptables -A OUTPUT -p icmp -o eth0 -j DROP


echo 1>/proc/sys/net/ipv4/icmp_echo_ignore_all

which will drop all echo reply. Overall, you need to be very careful as ping is needed by different services/networks. Use at your own risk.

 

Blocking ping is probably a Bad Thing (tm); why did you want to do that?

 

You actually believe they won't find if it's not pingable? lol. Good idea, but in the meantime you'll frustrate people trying to troubleshoot as well as break many small things.

Instead, I'd install CSF and mod_security and set them up, change your ssh port, and then go get a server hardening package.

 

I don't think disabling ping on the server is a bad idea. I am not sure of any networking tool that uses only ping to identify the server being up/down. At the current point most of them uses telnet I suppose.

Yes, there is an disadvantage of clients complaining their site being down just because they cannot ping it.:D