Do you need to disable ping or ICMP quickly and efficiently? This tutorial shows how to block ping on your Windows and Linux servers.
Many network and system administrators think that the ICMP protocol is a security risk for the system, so they always block it in the firewall itself. If you have a router, you can block any ping that comes from the WAN through its firewall, and if you have a server directly connected to the Internet, you can also block it easily.
In terms of security, it is sensible to block certain types of ICMP, but not all of them, since this protocol performs a fundamental function in data networks. Some kinds of ICMP allow you to discover possible problems, and others are essential for the system to work correctly, especially if you are working with IPv6, where ICMPv6 is used continuously.
Ping (Echo Request and Echo Reply)
This is the type of ICMP you use most. The familiar ping tool lets you know whether you can reach a remote host without problems, as long as that remote host is allowed to answer the pings.
Should you disable ping through the firewall? If, for example, you have a server that hosts your web server and you have opened the standard port 80, disabling ping gains you nothing, since the web service already reveals that you "exist." Conclusion:
If you don't have any services running, or you run them on non-standard ports, then it is advisable to block ping. That way a remote user who pings you will not receive an answer and will assume there is no device online at that public IP at that moment.
Block Ping on Windows
You can easily block ping on Windows using the Command Prompt. You first need to open the CMD on Windows.
You can search the word CMD on Windows 10 and right-click on Command Prompt and select Run as Administrator.
Once in the command prompt, it will be necessary to create two exceptions, one for IPv4 addressing and another for IPv6 addressing.
For the IPv4 exception you need to run the following command:
netsh advFirewall Firewall add rule name="Rule PING IPv4" protocol=icmpv4:8,any dir=in action=allow
And to create the IPv6 exception you need to run the following command:
netsh advFirewall Firewall add rule name="Rule PING IPv6" protocol=icmpv6:8,any dir=in action=allow
The rules take effect immediately. Once the changes are made, check connectivity with the PING command from another computer.
If at any time you wish to disable these exceptions, it is enough to add a matching block rule with the following commands. Windows Firewall gives an explicit block rule precedence over an allow rule for the same traffic, so the allow rules above can stay in place.
For IPv4 addresses
netsh advFirewall Firewall add rule name="Regla PING IPv4" protocol=icmpv4:8,any dir=in action=block
For IPv6 addresses
netsh advFirewall Firewall add rule name="Regla PING IPv6" protocol=icmpv6:8,any dir=in action=block
Note that the rule name can be chosen freely; pick one that makes the rules easy to identify and manage later.
Block Ping on Linux
If you block ping on the WAN, does that mean you can't ping other hosts either? No, you can still ping, as long as you filter the ICMP protocol correctly in the firewall. For example, if your firewall is iptables you can do the following:
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
This IPv4 rule drops any incoming "ping" in the firewall so that you go unnoticed, while you can still ping others without problems (as long as you don't have another DROP rule in the firewall, or a DROP policy without a specific ACCEPT rule for the replies).
What is advisable is to block ping on the WAN but not on the LAN, because if you block it on the LAN you will no longer be able to do the typical "ping 192.168.1.1" to your router. Finally, bear in mind that answering ICMP consumes resources on the device, so it is worth limiting the number of ICMP messages you accept in, for example, one minute; the rest are discarded.
Other ICMP Types
Other essential ICMP message types are, for example, "Fragmentation Required" for IPv4 and "Packet Too Big" for IPv6. These two are fundamental for communication to work correctly, since ICMP is responsible for reporting MTU and TCP MSS problems so that those values can be adjusted correctly. If you disable all ICMP, you may have communication problems with the Internet or with other computers on the network.
The familiar traceroute tool also uses ICMP to see the hops a packet takes between routers. If you block ICMP Time Exceeded messages, any traceroute towards you will show the same output that appears when the intermediate hosts cannot be reached.
If you have a server, you can block these messages so that they don't reach you, but if you have a router and you administer a small network or an ISP, you will probably want to enable them to discover possible failures in the routes.
For IPv6, as you all know, NDP (Neighbor Discovery Protocol) and SLAAC are used, and these two protocols use RS, RA, NS and NA messages that use the ICMPv6 protocol. If you block the entire protocol, you will have severe problems in the network with IPv6, and it is advisable to enable them for the local network, although it is advisable to block them for the WAN.
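As an added example that is not part of the original article, the following POSIX shell script builds the iptables and ip6tables rules that the two sections above describe: echo requests from the LAN are accepted, echo requests from the WAN get a per-minute budget and the rest are dropped, the Fragmentation Required / Packet Too Big and Time Exceeded messages stay open, and the NDP messages (RS, RA, NS, NA) are accepted on every interface except the WAN one. The WAN interface name (eth0), the LAN subnet (192.168.1.0/24) and the 60-per-minute budget are assumed placeholders; adjust them for your host.

```shell
#!/bin/sh
# Added example, not the article's own code: generate (and optionally apply)
# an iptables/ip6tables ICMP policy following the advice in the text above.
# Assumptions (edit for your host): WAN_IF, LAN_V4 and the ping budget below
# are placeholders, not values taken from any real deployment.
WAN_IF="${WAN_IF:-eth0}"
LAN_V4="${LAN_V4:-192.168.1.0/24}"
PING_RATE="${PING_RATE:-60/minute}"
PING_BURST="${PING_BURST:-20}"

# IPv4 rules. The echo-request rules come first on purpose: once a reply has
# been sent, conntrack marks later requests of the same ping as ESTABLISHED,
# so a generic ESTABLISHED accept placed earlier would bypass the rate limit.
# Replies to our own pings and ICMP errors tied to our own flows are accepted
# afterwards, so outbound ping and traceroute keep working even with a
# default DROP policy on INPUT.
icmp_v4_rules() {
  cat <<EOF
iptables -A INPUT -p icmp --icmp-type echo-request -s $LAN_V4 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -i $WAN_IF -m limit --limit $PING_RATE --limit-burst $PING_BURST -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -i $WAN_IF -j DROP
iptables -A INPUT -p icmp --icmp-type echo-reply -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
EOF
}

# IPv6 rules: same shape, plus Packet Too Big / Parameter Problem and the
# four NDP message types that SLAAC and address resolution depend on. NDP is
# accepted on any interface that is not the WAN one and dropped on the WAN.
icmp_v6_rules() {
  cat <<EOF
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type echo-request ! -i $WAN_IF -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type echo-request -i $WAN_IF -m limit --limit $PING_RATE --limit-burst $PING_BURST -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type echo-request -i $WAN_IF -j DROP
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type echo-reply -m conntrack --ctstate ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -m conntrack --ctstate RELATED -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
EOF
  for t in router-solicitation router-advertisement neighbour-solicitation neighbour-advertisement; do
    echo "ip6tables -A INPUT -p ipv6-icmp --icmpv6-type $t ! -i $WAN_IF -j ACCEPT"
    echo "ip6tables -A INPUT -p ipv6-icmp --icmpv6-type $t -i $WAN_IF -j DROP"
  done
}

# Number of rules a generator would install; a quick sanity check.
rule_count() { "$1" | wc -l | tr -d ' '; }

# Without arguments the rules are only printed for review; with --apply
# (run as root) they are appended to the INPUT chains.
if [ "$1" = "--apply" ]; then
  { icmp_v4_rules; icmp_v6_rules; } | sh -e
else
  icmp_v4_rules
  icmp_v6_rules
fi
```

Run it without arguments first and read the output; the rules are appended with -A, so they must land before any catch-all DROP you already have in INPUT, and the echo-request rules must stay ahead of any blanket ESTABLISHED,RELATED accept for the reason given in the comments.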
I recommend the page "Should I block ICMP?", where you will find more detailed explanations of why blocking all ICMP is not recommended.
Wrapping Up: How to Block Ping
You have now seen why you may need to block ping on your server and how to do it easily with the firewall.
What do you think about this tutorial? Did it help you? Let me know in the comments section.