-1

The ufw (uncomplicated firewall) command line app does not have any option for disabling incoming ICMP Internet protocol requests. ICMP is used mainly by ping to discover IP addresses of servers on the internet or LAN. For security, I'd like to hide my server from ping requests. How should I do that on Ubuntu (preferably using the built-in firewall)?

1 Answer

-1

These sed commands will block all ICMP requests (including ping):

sudo sed -i -E 's/^\s*-A\ ufw-before-input\ -p\ icmp\ --icmp-type.*ACCEPT\s*/#\ \0/g' /etc/ufw/before.rules
sudo sed -i -E 's/^\s*-A\ ufw-before-forward\ -p\ icmp\ --icmp-type.*ACCEPT\s*/#\ \0/g' /etc/ufw/before.rules

Explanation

By default, ufw blocks all ICMP requests except pings. So you need to disable these ping exceptions (ACCEPTs) in /etc/ufw/before.rules:

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
