Failing GRC stealth test

I have the following in my /etc/config/firewall:

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option family 'ipv4'
	list icmp_type 'echo-request'
	option target 'DROP'

but I still fail the stealth test on where the report says that "system REPLIED to our Ping (ICMP Echo) requests".

I also tried adding this to the /etc/firewall.user:

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

Didn't help. Still the same error on

What am I missing?

To follow the "stealth" philosophy (which is dubious, but something the GRC guy fully believes in) change the wan default input policy from REJECT to DROP and remove the allow-ping rule entirely.

If your ISP is using CG-NAT they probably answer ping requests in their edge router and they are never reaching you in any case.


Thanks. Without changing anything I have now repeated the test, several times, also after restarting the firewall. The ICMP failure is now gone but now the ports 135, 139 and 445 show as closed instead of stealthed. At the time of my original post it was the other way around, all ports stealth and ICMP failing.

Then I did the changes as you suggested. Restarted the firewall and retested. All tests returned the identical result: ICMP failure gone but ports 135, 139 and 445 closed instead of stealthed. Then I returned the firewall to its original state and restarted it.

While writing this answer, I re-run the test. This time everything shows as stealth.

Your remark about the ISP is most probably the explanation. They are using CG-NAT and GRC in fact tests their edge router. The IP address shown in GRC test is different from my public address as reported by my router and by

1 Like

I hope this doesn't come across as mean but that website feels like a relic from the past and something that belongs in a museum of internet history. I swear it hasn't changed in two decades. What nostalgia seeing SpinRite and the other corny messages and warnings. Looking over the pages brought back some old memories.

We never truly forget anything; we only ever forget how to remember.

If the IP on your router begins with anything from 100.64 to 100.127, then you are behind a CGN and will be seeing the behavior of the CGN on the test. NAT behaviors are not well standardized, and CGNs usually ration a pool of public IPs rather than just the port space on a single IP. So you may see some inconsistent behaviors, especially if the CGN is quick to release the binds in its translation table.

No not mean, just straightforward and direct :slight_smile: You're of course right regarding the advanced age of GRC and one should really be extremely careful about using such an old tool. I'll try with NMap.

1 Like

As a CGNAT customer, you have no control over the response to unsolicited incoming packets from the Internet. You can be fairly certain that they will not reach your router, but you still need a firewall just in case. Since incoming connections are not possible anyway, you can and should use a firewall that is completely closed.

1 Like