[Help Needed] Block outgoing ping

Started by ubear, August 18, 2024, 03:33:34 PM

August 18, 2024, 03:33:34 PM Last Edit: August 20, 2024, 11:57:51 AM by ubear
Hello wise people!
I have the following setup:
LAN and 7 VLANs on igb0
Primary WAN on igb1
Fallback WAN2 on igb2

Q1: I want to block ping from all LAN and VLANs to any external addresses (WAN or WAN2) while preserving ping within my network.
My attempt for WAN: created an OUT rule on WAN that (PASS or BLOCK) IPv4 ICMP packets. Both modes blocked the outgoing ping. WHY?

Q2: I want to enable outgoing ping from ONE particular host for speedtest. Adding such a rule (pass, from 192.168.60.10 to any, IPv4, ICMP) below or above the previously mentioned rule has no effect. Why?

Why block ICMP:
https://socfortress.medium.com/data-exfiltration-using-icmp-and-how-to-detect-it-69a799cca234
https://medium.com/@sam.rothlisberger/icmp-echo-request-data-exfiltration-f41f59fcf87a
https://github.com/martinoj2009/ICMPExfil

Why block on WAN-OUT:
Because I have 8 internal networks. One rule to block all ICMP plus 7 rules to allow ICMP to the other internal LANs is 64 rules to write.

Many thanks
Uri

Dunno, I do not like breaking basic network diagnostics tools for people, such as ping, so don't have any such issue.

Just on a generic note, generally you want to block packets where they first hit the firewall (i.e., using the firewall rules that apply to the (V)LANs). No point in letting them leave the (V)LAN just to drop them on WAN later on.

For further assistance from someone else, I'd say attaching a screenshot of your firewall rules and posting the logs would help.

November 18, 2025, 04:10:14 AM #2 Last Edit: November 18, 2025, 04:29:12 AM by InvalidHandle
Hi ubear/Uri,

(edited) 
Sorry I didn't see your picture, I'll leave the text below just as a reference to others searching.
If you want a single client to ping outbound, put an allow rule above your block rule and apply on match.
Interface: (LAN that your host is on)
Source: Single Host or Alias
Enter your single host.
Save
Apply
Ensure the single host Allow rule is above your blanket ICMP Block rule in the floating firewall ruleset.

****
Example Rule:

You can block ICMP for the example you posted by clicking Firewall > Rules > Click Floating > Click + to add a rule

Specify Action: Blocked
Interfaces: Select desired (These are the interfaces that the rule will apply)
Direction: Select desired: in, out, any
TCP/IP: IPv4+IPv6
Protocol: ICMP
Log Packets Handled: Check if logging is desired
Enter a Description
Click Save at the bottom
Click Apply at the top

*****

In the above example, if WAN is the interface and direction is any, all ICMP to/from WAN will be blocked. If you select direction OUT, all outbound ICMP is blocked on any of the interfaces that you select.

If you have any monitor IPs that are in the WAN zone for High Availability you'll need an exception for the router gateway IP or it will always show down and your gateway switching won't work.  Also, if outbound ICMP is blocked, without any client exceptions, you won't be able to ping any external address.

Best Regards
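The procedure above (an allow rule for one host placed above a blanket ICMP block) and the earlier advice to block traffic on the interface where it first enters the firewall, written out in native pf syntax as an added example. This is not a ruleset from the thread or from OPNsense itself; the VLAN interface names (igb0_vlanNN), the 192.168.0.0/16 summary of the internal networks and the gateway monitor addresses are placeholders and must be adjusted. OPNsense generates its GUI rules as "quick" rules, so the first matching rule wins and the order shown here is what makes the single-host exception effective; a table of internal networks replaces the per-VLAN allow rules the original poster was counting.

```pf
# Added example, not from the thread: pf equivalent of the GUI procedure.
# Interface list, VLAN naming, monitor IPs and the /16 summary are assumptions.
lan_ifs        = "{ igb0 igb0_vlan10 igb0_vlan20 }"  # LAN plus VLAN sub-interfaces
speedtest_host = "192.168.60.10"                     # host from the original question
gw_monitor     = "{ 203.0.113.1 198.51.100.1 }"      # placeholder WAN/WAN2 monitor IPs

# All internal networks in one table: one entry per VLAN instead of a
# matrix of allow rules between every pair of internal interfaces.
table <internal> { 192.168.0.0/16 }

# Rules are evaluated top-down and each is "quick": the first match decides.

# 1. Exception first: the speed-test host may ping any destination.
pass in quick on $lan_ifs inet proto icmp icmp-type echoreq \
    from $speedtest_host keep state

# 2. Ping between internal networks (LAN <-> VLAN) stays allowed.
pass in quick on $lan_ifs inet proto icmp icmp-type echoreq \
    from <internal> to <internal> keep state

# 3. Anything else internal hosts try to ping is dropped and logged on the
#    interface where it enters, so it never reaches the WAN rules at all.
block in log quick on $lan_ifs inet proto icmp icmp-type echoreq \
    from <internal> to ! <internal>

# 4. Gateway monitoring (dpinger) sends echo requests from the firewall itself;
#    this exception keeps it alive if ICMP is also blocked on the WAN side.
pass out quick on { igb1 igb2 } inet proto icmp icmp-type echoreq \
    to $gw_monitor keep state
```

Two caveats when translating this back to the GUI: the rules only match IPv4 echo requests (`icmp-type echoreq`), whereas selecting "IPv4+IPv6" and protocol "ICMP" in a floating rule also blocks ICMPv6, and dropping ICMPv6 on the LAN side breaks IPv6 neighbor discovery; and floating rules are evaluated before interface rules, so an interface-level allow rule cannot override a floating block rule unless the allow is also floating and listed above it.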


In practice, this makes little sense, because, unless you explicitly disallow any traffic, you will not be safe against exfiltration anyway:

Consider any other type of traffic being allowed, like HTTPS - since you cannot break up that encrypted connection, you know jack about what is in it. And this is even true for outbound connections. Of course, any IP connection can be used in any direction regardless of the direction it was initially started in.

The only reason why this is psychologically threatening is that, because ICMP ping is usually not a real connection, it looks somewhat sneaky.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

There are attack techniques that use ICMP and he most certainly reduces attack surface by blocking it to/from WAN.  Exclusions can be added if desired.

Today at 10:11:23 AM #5 Last Edit: Today at 10:16:59 AM by meyergru
I am all for blocking inbound ICMP, but, as I said: By using your rationale you could forbid any kind of outbound traffic, because "there are attack techniques" that use that kind.

Once attackers are able to craft ICMP packets for exfiltration from inside your network, it is already too late, because they obviously have infiltrated your network already.

Which means: You can stop exfiltration only by blocking any outbound traffic, because any kind can be used to transport data. On the other hand, this obviously also refers to inbound traffic, because any connection can be used both ways.

A firewall should keep attackers outside in the first place. Once they are in, you cannot do much with a firewall, unless you are willing to sacrifice basic functionality or create the equivalent of a "sneakernet" (i.e. have no internet access at all).

Basically, you need endpoint security to evade exfiltration or in the case of IoT or other untrusted devices, confine them to a VLAN where they cannot exfiltrate anything worthwhile.

Everyone is free to apply any measure to reduce attack surface at any level. I just wanted to point out that the leverage in this case is fairly limited, so your efforts may be put to better use.