ICMP is enabled by default on red

Speaking as someone who works in information security, yes, dropping ICMP can improve your attack surface. The argument that “if you have any ports open they’ll just find you anyway” is an example of a technically correct but practically wrong observation.

Script kiddies generally aren’t scanning thousands of ports on every IP in whatever subnet they’re targeting. That would take a staggering amount of time spent probing a single /16 (over 65k usable IPs), let alone any significant chunk of the internet. A far more common approach is to ping an IP and then proceed with probing only if the IP responds. This not only saves a monumental amount of time but also reduces the risk of the scanning IP(s) being blacklisted by IDSes.

Blocking ICMP will render that style of scanning useless. It’s been pointed out above that this won’t stop ALL attacks, which is technically correct. So why not let us shut down SOME attacks? Contrary to what’s been suggested above, most users (residential AND enterprise) will not be negatively impacted by blocking ICMP. If the option is presented in the GUI, then those who do have a need can simply turn it back on.

There’s simply no good reason to force ICMP on for everyone, and plenty of good reasons to give us the option to disable it.


There is an option to block ICMP with a firewall rule that any user can create. It is not recommended but it does exist.

I created one (long ago) but I noticed it did cause problems with OpenVPN. So I deleted the rule. I am not sure if there are other issues with an ICMP firewall rule block.


Thanks for the insight. I'm somewhat convinced, even though I think it disrupts the underlying control mechanisms for a working net, at least on layer 3 I think. And ping has helped me get started with network-related problems. But yes, I probably need to think a bit more about it.

Some thoughts about this ‘problem’.

  • Because the result is ‘unreachable’ both for systems blocking ICMP and for non-existent systems, a ping carries little information for finding possible targets. So the ping mechanism isn’t really interesting for real attackers.
  • If I see a new device in my network, I try to examine it with nmap. Sometimes the first attempt isn’t successful because of an ICMP block. But knowing the IP from other information (in this case the DHCP leases), I can easily do a scan without ping. This gives the information searched for. Blocking ICMP only required a second scan, which could have been avoided by doing the scan without ping in the first attempt.
  • Real attacks don’t use the brute-force method, I think. So one should concentrate on hiding information, not on hiding identity (which is the result of ping).

Can anyone give an example of how to create an ICMP block using the standard Firewall Rules IPFire? It will always be easy to turn it on or off if someone wants to test if it causes problems with some services.

Of course, I mean the RED interface and ping from the outside (Internet).

Well, I have blocked all traffic and only enabled ICMP under restricted conditions for forward and outgoing.
My rules:

[screenshot of the firewall rules not reproduced]

Unfortunately, I tried your ICMP lock policy but it doesn’t work. The computer with IPCop is still visible to PING from the outside (Internet).

The idea that I have right now is the blocking policy - reject/drop.
With drop, a ping should get no answer.

I tried various settings in the firewall settings (drop, of course). Unfortunately PING still gets an answer.

I don’t want to change other IPFire settings like the advice above suggests. I prefer not to change something I don’t know about :wink:

As mentioned near the beginning of this thread, you cannot stop the pings with Firewall Rules, as the rules for the pings are defined before the firewall rules get activated.
You need to enter the rule into the firewall.local file - see posts 7 and 8 in this thread
https://community.ipfire.org/t/icmp-is-enabled-by-default-on-red/4775/7
and this wiki link for firewall.local
https://wiki.ipfire.org/configuration/firewall/firewall-local

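An added example (not from this thread and not IPFire project code) of what such a firewall.local entry can look like. The chain name CUSTOMINPUT, the RED device name red0 (PPPoE installs typically use ppp0) and the IPT override used for dry runs are assumptions to adjust to your install. It drops only ICMP echo-request rather than all ICMP, because dropping every type also silences fragmentation-needed and time-exceeded messages, which breaks path-MTU discovery and is one plausible cause of the OpenVPN problems mentioned earlier in the thread:

```shell
#!/bin/sh
# Added example of a firewall.local fragment that drops ICMP echo-request on RED.
# Assumptions (not from the thread): IPFire's custom input chain is CUSTOMINPUT,
# the RED device is red0 (ppp0 on PPPoE), and iptables is on PATH. Only
# echo-request is dropped; fragmentation-needed, time-exceeded and
# destination-unreachable stay allowed so PMTU discovery and tunnels keep working.

RED_DEV="${RED_DEV:-red0}"
IPT="${IPT:-iptables}"      # set IPT=echo to dry-run and see the rule instead of applying it
CHAIN="CUSTOMINPUT"

# Run iptables with the given action flag: -I insert, -D delete, -C check.
echo_request_rule() {
    "$IPT" "$1" "$CHAIN" -i "$RED_DEV" -p icmp --icmp-type echo-request -j DROP
}

start_rules() {
    # Insert only if the rule is not already present, so repeated starts
    # (e.g. on reload) do not stack duplicate copies of it.
    echo_request_rule -C 2>/dev/null || echo_request_rule -I
}

stop_rules() {
    # Deleting a rule that is absent is not an error worth failing on.
    echo_request_rule -D 2>/dev/null || true
}

case "$1" in
  start)  start_rules ;;
  stop)   stop_rules ;;
  reload) stop_rules; start_rules ;;
  "")     ;;   # run without an argument: only define the functions above
  *)      echo "Usage: $0 {start|stop|reload}" >&2; exit 1 ;;
esac
```

Merge the functions and case branches into the existing start/stop/reload skeleton of firewall.local rather than replacing the file, then run it with `reload`. Verify from a host on the Internet side that `ping` gets no reply while `traceroute` through the box and large transfers over the VPN still work; a scan with `nmap -Pn` will still find open ports, which is exactly the point made earlier in the thread.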
