Why Is My red0 Interface Pingable from the World?

I have disabled ping per the other thread linked here, verified it is working at ShieldsUp! and will monitor IPS and IP Address Blocklist logs. I’ll report back after a few days.

2 Likes

I did a test with ShieldsUp against my IPFire red IP, with the link above. I got this result 🙂

FAILED TruStealth Analysis FAILED

Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since “Ping” is among the oldest and most common methods used to locate systems prior to further exploitation.

Even FritzBoxes have the “Discard Ping To WAN”-option, so maybe it should be a WUI-option in IPFire? Just an idea.

On the other hand, as some of the devs already mentioned, it’s not a “good” or “clean” way of configuring your firewall because it leads to way more trouble when there’s a member always requesting packets but playing dead when asked something. You might not notice this as an end-user, but you see it when reviewing network logs.

Anyway, if you want a REALLY secure configuration you need to change the iptables-rules in IPFire by hand because the basic-configuration is slightly more towards “good working”-condition than “absolutely anonymous”.

Greetings

Alex

3 Likes
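As an added example (written for this thread, not taken from the post above and not IPFire project code), this is what the by-hand iptables change Alex mentions could look like in the style of IPFire's /etc/sysconfig/firewall.local. It assumes the WAN interface is named red0 and that IPFire's CUSTOMINPUT chain is available for local rules; both are assumptions. It drops echo-request silently (DROP rather than REJECT, because a reject is still an answer) while keeping the two ICMP types a working firewall needs, which is exactly the "clean versus working" trade-off the post describes.

```shell
#!/bin/sh
# Added example for this thread, not IPFire project code.
# Fragment in the shape of /etc/sysconfig/firewall.local. Assumptions: the WAN
# interface is named red0 and IPFire's CUSTOMINPUT chain exists (both assumed).
# Set IPTABLES=echo to print the rules instead of applying them.

IPTABLES="${IPTABLES:-iptables}"
RED_IF="${RED_IF:-red0}"

# icmp_rules add|del
# Manages three rules on CUSTOMINPUT for traffic arriving on red:
#   - accept fragmentation-needed: without it path-MTU discovery breaks and
#     large transfers stall, the "more trouble in the logs" case
#   - accept time-exceeded: traceroute and TTL-expiry replies keep working
#   - drop echo-request: no reply at all; REJECT would still answer
icmp_rules() {
    case "$1" in
        add) op="-A" ;;
        del) op="-D" ;;
        *)   echo "usage: icmp_rules add|del" >&2; return 1 ;;
    esac
    for t in fragmentation-needed time-exceeded; do
        $IPTABLES "$op" CUSTOMINPUT -i "$RED_IF" -p icmp --icmp-type "$t" -j ACCEPT
    done
    $IPTABLES "$op" CUSTOMINPUT -i "$RED_IF" -p icmp --icmp-type echo-request -j DROP
}

# firewall.local entry points; nothing runs when the script gets no argument
case "$1" in
    start)  icmp_rules add ;;
    stop)   icmp_rules del ;;
    reload) icmp_rules del; icmp_rules add ;;
esac
```

Run it with `IPTABLES=echo ./firewall.local start` first to see the three rules it would add. Note that this only silences the box itself: as a later post in the thread points out, the upstream router still returns no "unreachable" for a live address, so the silence itself tells a careful scanner the address is in use.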

I disabled ICMP in the kernel and neither red nor green responds to ICMP, which is fine with me. I use tcping or hping3 instead. Yes, hackers can do the same to find open ports on the outside, but the fact is that most don’t… Disabling ping cuts down on the number of probes and scans a lot.

So far I am not seeing any obvious difference in the amount of firewall hits after disabling ping. I’m going to monitor for a few more days to see if it takes time for the hits to start reducing. Perhaps it may take a month of being silent for the hits to start going down.

I think a brand new public IP would be more quiet than an IP that’s been recycled a million times via dynamic updates. The bad guys probably have my public IP permanently set on attack mode because my ISP has passed it around for months if not years prior to it getting assigned to my home.

A new IP may not change anything.
You may get another public IP from the attack list.

2 Likes

Exactly. That’s why I said “brand new public IP” (meaning one that’s never been used) would be more quiet.

As IPv6 was invented because of the shortage of IPv4 addresses, I don’t think there are free, unused, ‘brand new’ IPs left. 😉

Blocking ping is useless for hiding purposes because the router in front of an IP will send an unreachable message if that IP is really offline.

So if you get no answer to a ping and also no ICMP unreachable message from the router in front of it, the address exists and is reachable (and a good hacker knows this).

4 Likes

The purpose of disabling ICMP is not to make the device invisible. It’s because most of the time hackers are looking for low-hanging fruit. Scanning tools like nmap have the option to only scan responsive hosts, and many intruders may leave that option enabled because the alternative takes a lot more time when they are scanning a large chunk of IP space. Organizations that decline to respond to ICMP are signaling that they may be somewhat more vigilant than average, and therefore not as likely to be low-hanging fruit. It’s like hanging out a sign that says, “We’re paying attention.” Of course, an argument can be made that by doing so they also signal that they have something worth protecting, so I guess you have to calculate the trade-offs.

2 Likes

If there is an IPv4 address that isn’t being used in the world I have never heard of it. Trying to hide is that: trying. It doesn’t mean you are hidden at all.

If you are connected to the internet you might as well have some fun trolling the trolls. Like how I use IPFire to rate-limit telnet connections to one a minute, and then, when it finally gets a packet that isn’t rate-limited, it forwards it to a Raspberry Pi whose only job is to reject telnet connections.

1 Like
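The telnet trap described in the last post, as an added example written for this thread: these are not the poster's own rules and not IPFire code. It assumes the WAN interface red0, IPFire's CUSTOMPREROUTING (nat table), CUSTOMFORWARD and CUSTOMINPUT chains, and a Raspberry Pi on green at 192.168.1.23 that answers port 23 with a reset; all of these are assumptions.

```shell
#!/bin/sh
# Added example for this thread, not the poster's rules and not IPFire code.
# Assumptions: WAN interface red0, IPFire's CUSTOMPREROUTING (nat table),
# CUSTOMFORWARD and CUSTOMINPUT chains, and a Raspberry Pi at 192.168.1.23 on
# green that refuses telnet. Set IPTABLES=echo to print instead of apply.

IPTABLES="${IPTABLES:-iptables}"
RED_IF="${RED_IF:-red0}"
PI_ADDR="${PI_ADDR:-192.168.1.23}"

# telnet_trap add|del
# The nat table only sees the first packet of a connection, so "-m limit" in
# CUSTOMPREROUTING counts new telnet connections, not every packet: one per
# minute is DNATed to the Pi, the rest fall through untranslated and are
# dropped silently on the input path. A scanner sees mostly silence and, once
# a minute, a host that completes the handshake and then refuses.
telnet_trap() {
    case "$1" in
        add) op="-A" ;;
        del) op="-D" ;;
        *)   echo "usage: telnet_trap add|del" >&2; return 1 ;;
    esac
    $IPTABLES -t nat "$op" CUSTOMPREROUTING -i "$RED_IF" -p tcp --dport 23 \
        -m limit --limit 1/minute --limit-burst 1 \
        -j DNAT --to-destination "$PI_ADDR:23"
    # let the translated flow reach green; the Pi does the rejecting
    $IPTABLES "$op" CUSTOMFORWARD -i "$RED_IF" -p tcp -d "$PI_ADDR" --dport 23 -j ACCEPT
    # everything over the limit: no reply at all rather than a reset from the firewall
    $IPTABLES "$op" CUSTOMINPUT -i "$RED_IF" -p tcp --dport 23 -j DROP
}
```

Call `telnet_trap add` from the `start` case and `telnet_trap del` from the `stop` case of firewall.local. Keep the Pi isolated from anything you care about: it is deliberately receiving traffic from whoever is scanning you.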