Disable incoming only icmp ping requests

I'm guessing this is done via sysctl. However, when I grep for icmp I get the following output for IPv4, none of which looks like the obvious winner. Can someone tell me how to do this without running a firewall?

Code:
net.inet.icmp.maskrepl: 0
net.inet.icmp.icmplim: 200
net.inet.icmp.bmcastecho: 0
net.inet.icmp.quotelen: 8
net.inet.icmp.reply_from_interface: 0
net.inet.icmp.reply_src: 
net.inet.icmp.icmplim_output: 1
net.inet.icmp.log_redirect: 0
net.inet.icmp.drop_redirect: 0
net.inet.icmp.maskfake: 0
net.inet.tcp.icmp_may_rst: 1
 
I'm using ipfw and one of its rules looks like this:

Code:
# Allow out ping; keep-state lets the matching echo replies back in
/sbin/ipfw -q add allow log icmp from any to any out via re0 keep-state
# Deny in ping (the "setup" option only matches TCP SYN packets, so it must not be used on an ICMP rule)
/sbin/ipfw -q add deny log icmp from any to $me in via re0
 
Use a firewall to block it. The firewall must work in block-only mode. For example, with pf:
Code:
icmp_types = "{ echoreq, unreach }"
# ...
block all
# ..
# If you want icmp ping, uncomment the following
# pass inet proto icmp all icmp-type $icmp_types keep state
See pf.conf man page for more details.
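As an added example (not code from any poster in this thread), here is a minimal pf.conf that drops inbound echo requests on the external interface while still letting the host ping out and receive unreachable messages. The interface name re0 comes from the ipfw rules above; the rest is assumed.

```pf
# Added example, not from this thread: block inbound pings with pf.
# Assumes the external interface is re0 (taken from the ipfw rules above).
ext_if = "re0"

# Reassemble fragments before filtering
scrub in all

# Default policy: block everything and log what is dropped
block log all

# Traffic this host initiates is allowed out; the state entry created here
# is what lets the matching replies (including echo replies) back in.
pass out quick on $ext_if inet proto { tcp, udp, icmp } all keep state

# Silently discard inbound echo requests (pings) before any pass rule sees them
block drop in quick on $ext_if inet proto icmp icmp-type echoreq

# Still accept unreachable messages so path MTU discovery keeps working
pass in on $ext_if inet proto icmp icmp-type unreach keep state
```

Syntax-check the file with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf; pfctl -sr then lists the rules that are active.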
 
woodson2 said:
So I take it this is a no go without running a firewall?

I don't see an obvious way in the icmp(4) manpages. However, you could do a few things without a packet filtering firewall:
  • net.inet.icmp.icmplim = 1 (limit to 1 echo reply/second)
  • net.inet.icmp.bmcastecho = 1 (do not reply to broadcast icmp requests)

IMO, disabling icmp echo requests is not a particularly worthwhile endeavor. I would be more concerned with discouraging unwanted tcp/udp connection requests, as outlined in the blackhole(4) manpages.
 