
Block incoming pings while allowing outgoing pings Internet
I use the shareware product BrickHouse to manage the ipfw host firewall rules on my Mac. Here is how to permit your Mac to ping outbound while blocking incoming pings.

Create two custom services:
  • Action Deny, service Custom Service, protocol icmp, source The Internet, destination My Computer. Click Advanced Options and in the ICMP Types box put 8 (echo request), so inbound ping requests are dropped.
  • Directly below that rule, create a second one: Action Allow, Custom Service, protocol icmp, source The Internet, destination My Computer, and under Advanced Options put ICMP type 0 (echo reply). This lets the echo replies to your own outbound pings back in.
Some of you might say, "Well, ipfw does stateful packet inspection, so why do I need the second rule?" Because ipfw doesn't keep state on ICMP: the reply to a ping you sent is just another inbound ICMP packet to it, so it has to be allowed explicitly. Also check the rules BrickHouse writes ahead of your custom ones: ipfw evaluates rules in ascending number order and the first match wins, so an earlier blanket "allow icmp from any to any" would make both of these rules dead.

Block incoming pings while allowing outgoing pings | 9 comments
Block incoming pings while allowing outgoing pings
Authored by: Anonymous on Aug 26, '03 10:41:38AM
So some of you might say "Well ipfw is stateful packet inspection, why do I need to do the second rule?" Because ipfw doesn't keep state on icmp.

Yeah, you know, as I ate my bagel on the way into work on the subway, I was just saying to myself, "Well, ipfw is stateful packet inspection ... why would I need that second rule?"

Then I went, "Duh, of course, you idiot! The answer is simple! Ipfw doesn't keep state on icmp!"

I'm speaking a bit tongue in cheek. :-)

Does anyone mind translating the text of the above hint into a rudimentary form of English? ;-)


Block incoming pings while allowing outgoing pings
Authored by: molero on Aug 27, '03 03:49:55AM

I'm no expert on this, but one of the rules that Brickhouse writes to the ipfw config file and which you cannot change and always comes before any custom rules says:


#################################################
## Allow All ICMP Packets
#################################################
add 2004 allow icmp from any to any via en0

Wouldn't this allow pinging anyhow? Rules are applied top to bottom.



Requested English...
Authored by: macubergeek on Aug 27, '03 10:40:30AM

When you surf the internet, your computer talks to the other computer....
Your computer says:
1. Hi! can I talk to you?
the other computer says:
2. Yeh sure I'm not too busy
Your computer says:
3. Ok I got something important to say
Then your computer sends request for a web page to the other computer and the other computer sends you the web page.

The above was the three-way handshake of TCP/IP.
A firewall keeps information called "state", which is simply this:
if I permit #1 above, I'll also let #2 and #3 through as part of the pre-existing conversation. The firewall keeps a table of all the ongoing conversations, called a state table.

What I was saying was that ipfw doesn't do this with ICMP.



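The state table this comment describes, as an added toy model (not ipfw's code and not anything the commenter posted): a TCP flow gets an entry when it is allowed out and its replies are matched against that entry; an outbound echo request gets no entry, as the hint says ipfw behaves, so the echo reply is judged by the static ICMP rules alone. The addresses and ports are constructed. On a real ipfw host, `ipfw -d show` lists the dynamic rules a `keep-state` rule has created, which is the direct way to see what is actually being tracked.

```python
"""Toy stateful filter: tracks TCP conversations, not ICMP echo.

Added example modelling the state table described in the comment above; it is
not ipfw code. ME, PEER and the port numbers are constructed.
"""
from typing import Set, Tuple

ME, PEER = "192.0.2.10", "198.51.100.7"   # constructed addresses

# state entry: (proto, src, sport, dst, dport) of a flow we allowed out
FlowKey = Tuple[str, str, int, str, int]


class StatefulFilter:
    def __init__(self, allow_inbound_icmp_types: Set[int]):
        self.state: Set[FlowKey] = set()
        # the static rules: which ICMP types may come in from the Internet
        self.allow_inbound_icmp_types = allow_inbound_icmp_types

    def outbound(self, proto: str, sport: int = 0, dport: int = 0) -> str:
        """Packet from our host: always allowed; only TCP creates a state entry.
        An ICMP echo request has no ports to key on, so nothing is remembered."""
        if proto == "tcp":
            self.state.add(("tcp", ME, sport, PEER, dport))
        return "allow"

    def inbound(self, proto: str, sport: int = 0, dport: int = 0, icmptype: int = -1) -> str:
        """Packet from the Internet: pass if it answers a tracked flow, otherwise
        fall back to the static rules (here: the ICMP type list only)."""
        if proto == "tcp":
            # reverse of the outbound key: from the peer's port back to ours
            if ("tcp", ME, dport, PEER, sport) in self.state:
                return "allow"     # e.g. the SYN-ACK for a SYN we sent
            return "deny"          # unsolicited inbound TCP
        if proto == "icmp":
            return "allow" if icmptype in self.allow_inbound_icmp_types else "deny"
        return "deny"


def web_fetch_then_ping(allow_types: Set[int]) -> Tuple[str, str, str, str]:
    """Replay the comment's conversation, then a ping, against one filter.
    Returns verdicts for: SYN-ACK to our SYN, echo reply to our ping,
    an unsolicited inbound echo request, an unsolicited inbound TCP SYN."""
    fw = StatefulFilter(allow_types)
    fw.outbound("tcp", sport=49152, dport=80)            # 1. "Hi! can I talk to you?"
    syn_ack = fw.inbound("tcp", sport=80, dport=49152)  # 2. "Yeh sure" rides the state entry
    fw.outbound("icmp")                                  # our ping goes out, no state kept
    echo_reply = fw.inbound("icmp", icmptype=0)          # their answer, static rules decide
    stray_ping = fw.inbound("icmp", icmptype=8)          # someone pinging us
    stray_syn = fw.inbound("tcp", sport=40000, dport=22) # someone probing our ssh port
    return syn_ack, echo_reply, stray_ping, stray_syn
```

With an empty ICMP allow list (the hint's first rule alone) the web fetch works but the reply to our own ping is dropped; adding type 0 (the hint's second rule) lets that reply in while the stray echo request is still denied.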
Why block incoming pings?
Authored by: Anonymous on Aug 26, '03 11:52:53AM
ICMP is used by many networking systems and applications. It exists for a reason. Blocking it defeats its whole purpose and doesn't add any security to your system. The traffic should be allowed unless the system has a particular reason for turning them off. Blocking protocols without understanding why and how things work on a network is not secure at all. It just breaks things.

--
Gypsy


Why block incoming pings?
Authored by: Alrescha on Aug 26, '03 07:05:40PM

Ummn... I prefer to think of it in this way:

The Internet is not your local in-house LAN. Every bored script-kiddie will be running programs to attempt to break into every computer in sight.

No traffic should be allowed unless the system has a particular reason for turning it on. Allowing protocols without understanding why and how things work on a network is not secure at all.

Turning off ICMP will not harm anything. The chances of getting a real, valid, and useful ICMP message (a redirect, perhaps) are practically nil. The chances that a script tries to ping you before launching a full-fledged attack are much greater.

A.



NONSENSE
Authored by: macubergeek on Aug 27, '03 09:46:29AM

The Internet doesn't need to know my machine is reachable.
Secondly, after battling the Blaster worm for two weeks now, dropping ICMP is a good idea. At least you can save your firewall from being hammered.



Block incoming pings while allowing outgoing pings
Authored by: molero on Aug 27, '03 10:21:02AM

Just tried it out - and yes, the default BrickHouse rule indeed allows for pinging your machine, no matter what rules you might add later.
To get it right, you need to remove this line from the ipfw config file:

add 2004 allow icmp from any to any via en0



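Why the hint's two rules are dead until that line is removed comes down to ipfw's first-match evaluation in rule-number order. The following is an added example, not code from the hint author or from BrickHouse: a small first-match evaluator for the subset of ipfw syntax used on this page (`add N allow|deny icmp from SRC to DST [via IFACE] [icmptypes T]`), run over the hint's two custom rules with and without BrickHouse's rule 2004 in front of them. The addresses, the interface name and the custom rule numbers 3000/3001 are constructed assumptions (BrickHouse assigns its own numbers), as is the built-in default rule being an allow.

```python
"""First-match evaluator for the ICMP part of an ipfw rule set.

Added example, not code from the hint author or from BrickHouse. It models only
the subset of ipfw syntax this page uses, so the effect of rule order can be
checked offline. ME, PEER, the interface name and the custom rule numbers
3000/3001 are constructed; BrickHouse assigns its own numbers.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ME = "192.0.2.10"        # constructed: the address ipfw's "me" keyword matches
PEER = "198.51.100.7"    # constructed: some host out on the Internet
ECHO_REPLY, ECHO_REQUEST = 0, 8
# assumption: the kernel's built-in last rule is "65535 allow ip from any to any"
DEFAULT_RULE = ("allow", 65535)

# add NUM allow|deny icmp from SRC to DST [via IFACE] [icmptypes T[,T...]]
RULE_RE = re.compile(
    r"add\s+(\d+)\s+(allow|deny)\s+icmp\s+from\s+(\S+)\s+to\s+(\S+)"
    r"(?:\s+via\s+(\S+))?(?:\s+icmptypes\s+([\d,]+))?$"
)


@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    src: str
    dst: str
    iface: Optional[str]
    icmptypes: FrozenSet[int]   # empty set means any ICMP type


def parse_rules(text: str) -> List[Rule]:
    """Parse 'add ...' lines; '#' comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        num, action, src, dst, iface, types = m.groups()
        typeset = frozenset(int(t) for t in types.split(",")) if types else frozenset()
        rules.append(Rule(int(num), action, src, dst, iface, typeset))
    # ipfw walks rules in ascending number order, whatever order they were added in
    return sorted(rules, key=lambda r: r.number)


def _addr_matches(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    if pattern == "me":
        return addr == ME
    return pattern == addr


def evaluate(ruleset: str, src: str, dst: str, icmptype: int,
             iface: str = "en0") -> Tuple[str, int]:
    """(action, rule number) of the first rule matching the packet; first match wins."""
    for r in parse_rules(ruleset):
        if r.iface is not None and r.iface != iface:
            continue
        if not (_addr_matches(r.src, src) and _addr_matches(r.dst, dst)):
            continue
        if r.icmptypes and icmptype not in r.icmptypes:
            continue
        return r.action, r.number
    return DEFAULT_RULE


# The blanket rule BrickHouse writes ahead of any custom rule (quoted in the
# comments), followed by the hint's two custom rules in the order the hint gives.
AS_BRICKHOUSE_WRITES_IT = """
add 2004 allow icmp from any to any via en0
add 3000 deny icmp from any to me icmptypes 8
add 3001 allow icmp from any to me icmptypes 0
"""

# The same set with rule 2004 deleted from the config file, as the comments advise.
WITH_2004_REMOVED = """
add 3000 deny icmp from any to me icmptypes 8
add 3001 allow icmp from any to me icmptypes 0
"""

if __name__ == "__main__":
    for name, rs in (("as written", AS_BRICKHOUSE_WRITES_IT), ("2004 removed", WITH_2004_REMOVED)):
        print(name,
              "inbound ping:", evaluate(rs, PEER, ME, ECHO_REQUEST),
              "reply to our ping:", evaluate(rs, PEER, ME, ECHO_REPLY),
              "our ping out:", evaluate(rs, ME, PEER, ECHO_REQUEST))
```

With rule 2004 present, an inbound echo request is accepted by 2004 before the deny rule is ever consulted; with it removed, the deny rule catches inbound type 8, the allow rule passes inbound type 0, and our own outbound echo request matches neither custom rule (their destination is `me`) and falls through to the default. Note also that 2004 is scoped to `en0`: on any other interface it does not fire, which is why a rule "that works" on one interface may not on another.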
Block incoming pings while allowing outgoing pings
Authored by: DirrtyDawg on Sep 04, '03 06:49:41PM

The only ICMP types that should be allowed from the Internet are 0, 3 and 11, which are echo reply, destination unreachable and time exceeded. I don't see any reason for anyone pinging me since I don't provide any services to the world. Allowing type 8, which is echo request, CAN be a security hole, but needn't be. I'm a Mac newbie, so forgive my stupidity. I come from the Linux world, and my stateful firewall can also limit access to a certain number per minute or hour or whatever you prefer. This would minimize the problem of getting pod or something. I believe ipfw is a good packet-level firewall which can also do such things.

To explain the stateful thing: TCP packets contain a state which indicates what the data wants to do. For example, if it is related to another packet sent earlier then it would have a related state. Since ICMP is a different layer 4 protocol, it doesn't have states in it. If you send an echo request you get an echo reply, which doesn't have any flags like SYN or ACK. ICMP is actually just for testing connections, so it doesn't need all the stuff.

If someone wants to get a small introduction into firewalling theory just write an email.


