[Help Needed] Block outgoing ping

Started by ubear, August 18, 2024, 03:33:34 PM

August 18, 2024, 03:33:34 PM Last Edit: August 20, 2024, 11:57:51 AM by ubear
Hello wise people!
I have the following setup:
LAN and 7 VLANs on igb0
Primary WAN on igb1
Fallback WAN2 on igb2

Q1: I want to block ping from all LAN and VLANs to any external addresses (WAN or WAN2) while preserving ping within my network.
My attempt for WAN: created an OUT rule on WAN that (PASS or BLOCK) IPV4 ICMP packets. Both modes blocked the outgoing ping, WHY?

Q2: I want to enable outgoing ping from ONE particular host for speedtest. Adding such a rule (pass, from 192.168.60.10 to any, IPV4, ICMP) below or above the previously mentioned rule has no effect. Why?

Why block ICMP:
https://socfortress.medium.com/data-exfiltration-using-icmp-and-how-to-detect-it-69a799cca234
https://medium.com/@sam.rothlisberger/icmp-echo-request-data-exfiltration-f41f59fcf87a
https://github.com/martinoj2009/ICMPExfil

Why block on WAN-OUT:
Because I have 8 internal networks. One rule to block all ICMP plus 7 rules to allow ICMP to other internal LANs is 64 rules to write.

Many thanks
Uri

Dunno, I do not like breaking basic network diagnostics tools for people, such as ping, so don't have any such issue.

Just on a generic note, generally you want to block packets where they first hit the firewall (i.e., using the firewall rules that apply to the (V)LANs). No point in letting them leave the (V)LAN just to drop them on WAN later on.

For further assistance from someone else, I'd say attaching a screenshot of your firewall rules and posting the logs would help.

Today at 04:10:14 AM #2 Last Edit: Today at 04:29:12 AM by InvalidHandle
Hi ubear/Uri,

(edited)
Sorry I didn't see your picture, I'll leave the text below just as a reference to others searching.
If you want a single client to ping outbound, put an allow rule above your block rule and apply on match.
Interface: (LAN that your host is on)
Source: Single Host or Alias
Enter your single host.
Save
Apply
Ensure the single host Allow rule is above your blanket ICMP Block rule in the floating firewall ruleset.

****
Example Rule:

You can block ICMP for the example you posted by clicking Firewall > Rules > Click Floating > Click + to add a rule

Specify Action: Blocked
Interfaces: Select desired (These are the interfaces that the rule will apply)
Direction: Select desired: in, out, any
TCP/IP: IPv4+IPv6
Protocol: ICMP
Log Packets Handled: Check if logging is desired
Enter a Description
Click Save at the bottom
Click Apply at the top

*****

In the above example if WAN is the interface, direction any, all ICMP to/from WAN will be blocked. If you select direction OUT, all outbound ICMP are blocked from any of the interfaces that you select.

If you have any monitor IPs that are in the WAN zone for High Availability you'll need an exception for the router gateway IP or it will always show down and your gateway switching won't work.  Also, if outbound ICMP is blocked, without any client exceptions, you won't be able to ping any external address.

Best Regards
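The ordering point made in reply #2 (host exception above the blanket block, "apply on match" set) can be checked with a small simulation of pf's rule evaluation, which is what OPNsense uses. This is an added example, not code from the thread or from OPNsense; the internal subnets are constructed, only the speedtest host 192.168.60.10 comes from the original post, and ICMP is the only protocol modelled.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for the thread's 8 internal networks (LAN + 7 VLANs).
# Only 192.168.60.10 (the speedtest host) is taken from the original post.
INTERNAL_NETS = [ip_network("192.168.1.0/24")] + [
    ip_network(f"192.168.{v}.0/24") for v in (10, 20, 30, 40, 50, 60, 70)
]
ANY = [ip_network("0.0.0.0/0")]
SPEEDTEST_HOST = [ip_network("192.168.60.10/32")]

def rule(action, quick, src, dst, label):
    """A minimal ICMP rule: action, 'apply on match' (quick) flag, src/dst sets."""
    return {"action": action, "quick": quick, "src": src, "dst": dst, "label": label}

def evaluate(rules, src_ip, dst_ip, default="pass"):
    """pf semantics: the last matching rule wins, unless a matching rule is
    marked quick, in which case evaluation stops at that rule."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    decision = default
    for r in rules:
        if any(src in n for n in r["src"]) and any(dst in n for n in r["dst"]):
            decision = r["action"]
            if r["quick"]:
                break
    return decision

# Three rules instead of one block plus per-network exceptions; the single-host
# allow sits above the blanket block, as reply #2 recommends.
RULES = [
    rule("pass", True, SPEEDTEST_HOST, ANY, "speedtest host may ping anything"),
    rule("pass", True, INTERNAL_NETS, INTERNAL_NETS, "keep ping inside the internal networks"),
    rule("block", True, INTERNAL_NETS, ANY, "block all other outbound ICMP"),
]

def checks(rules=RULES):
    """Decisions for the cases raised in the thread (198.51.100.1 is a documentation address)."""
    return {
        "speedtest_to_internet": evaluate(rules, "192.168.60.10", "198.51.100.1"),
        "vlan_to_internet": evaluate(rules, "192.168.10.5", "198.51.100.1"),
        "vlan_to_vlan": evaluate(rules, "192.168.10.5", "192.168.20.7"),
    }

def exception_below_block():
    """Same rules with the host exception placed below the quick block: it never fires."""
    reordered = [RULES[1], RULES[2], RULES[0]]
    return evaluate(reordered, "192.168.60.10", "198.51.100.1")

if __name__ == "__main__":
    print(checks())                 # pass / block / pass
    print(exception_below_block())  # block
```

With the quick flag set, a block rule that sits above the exception ends evaluation before the exception is reached, which matches the symptom described in Q2.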