Failing GRC stealth test

I have the following in my /etc/config/firewall:

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option family 'ipv4'
	list icmp_type 'echo-request'
	option target 'DROP'

but I still fail the stealth test on grc.com where the report says that "system REPLIED to our Ping (ICMP Echo) requests".

I also tried adding this to the /etc/firewall.user:

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

Didn't help. Still the same error on grc.com

What am I missing?

To follow the "stealth" philosophy (which is dubious, but something the GRC guy fully believes in) change the wan default input policy from REJECT to DROP and remove the allow-ping rule entirely.

If your ISP is using CG-NAT, they probably answer ping requests at their edge router, and the pings never reach you in any case.

5 Likes

Thanks. Without changing anything I have now repeated the test, several times, also after restarting the firewall. The ICMP failure is now gone but now the ports 135, 139 and 445 show as closed instead of stealthed. At the time of my original post it was the other way around, all ports stealth and ICMP failing.

Then I did the changes as you suggested. Restarted the firewall and retested. All tests returned the identical result: ICMP failure gone but ports 135, 139 and 445 closed instead of stealthed. Then I returned the firewall to its original state and restarted it.

While writing this answer, I re-ran the test. This time everything shows as stealth.

Your remark about the ISP is most probably the explanation. They are using CG-NAT and GRC in fact tests their edge router. The IP address shown in GRC test is different from my public address as reported by my router and by https://whatismyipaddress.com/.

1 Like

I hope this doesn't come across as mean but that website feels like a relic from the past and something that belongs in a museum of internet history. I swear it hasn't changed in two decades. What nostalgia seeing SpinRite and the other corny messages and warnings. Looking over the pages brought back some old memories.

We never truly forget anything; we only ever forget how to remember.

If the IP on your router begins with anything from 100.64 to 100.127, then you are behind a CGN and will be seeing the behavior of the CGN on the test. NAT behaviors are not well standardized, and CGNs usually ration a pool of public IPs rather than just the port space on a single IP. So you may see some inconsistent behaviors, especially if the CGN is quick to release the binds in its translation table.
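
Both practical points in this thread, as an added example that is not code from the thread or from OpenWrt itself: the 100.64/10 check described just above (is the router's wan address an RFC 6598 CGNAT address, so that grc.com is really probing the ISP's CGN?), and the fix suggested earlier (wan input policy REJECT to DROP, Allow-Ping rule removed). Assumptions: the zone is named 'wan' and the rule 'Allow-Ping', as in the original post's config; uci, ubus and jsonfilter are the OpenWrt tools of that name; the "public" address is whatever a what-is-my-IP service reported, passed in by hand so the check runs offline; the sample addresses in the comments are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Two helpers for the situation above:
#   ip4_in_cgnat / cgnat_verdict - is the router's wan address in 100.64.0.0/10 (RFC 6598),
#                                  i.e. is grc.com really scanning the ISP's CGN?
#   stealth_wan                  - apply the suggested fix on OpenWrt: wan input policy DROP,
#                                  Allow-Ping rule removed (section names as in the thread).

# Dotted quad -> 32-bit integer, POSIX sh only (no bc, no python on a router).
# Octets with leading zeros are not handled (they would be read as octal).
ip4_to_int() {
    _old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# True if the address lies in 100.64.0.0/10 (100.64.0.0 - 100.127.255.255), the
# shared address space ISPs use for carrier-grade NAT.
ip4_in_cgnat() {
    _n=$(ip4_to_int "$1")
    [ "$_n" -ge "$(ip4_to_int 100.64.0.0)" ] && [ "$_n" -le "$(ip4_to_int 100.127.255.255)" ]
}

# Classify the setup from the wan address the router holds and the address the
# Internet sees for it. Both are passed in so this runs offline; on OpenWrt the
# first can be read with (assumed OpenWrt tooling):
#   ubus call network.interface.wan status | jsonfilter -e '@["ipv4-address"][0].address'
# and the second is what a "what is my IP" service reports, as the original poster did.
# Constructed sample: cgnat_verdict 100.70.1.2 203.0.113.5  -> cgnat
cgnat_verdict() {
    _wan=$1
    _pub=$2
    if ip4_in_cgnat "$_wan"; then
        echo cgnat     # scanners like grc.com test the ISP's CGN, not this router
    elif [ "$_wan" != "$_pub" ]; then
        echo nat       # some other upstream NAT (ISP modem in router mode, etc.)
    else
        echo public    # router holds the public address; scan results are its own
    fi
}

# Apply the fix proposed in the thread: make the wan zone silently DROP unsolicited
# input instead of REJECTing it, and delete the Allow-Ping rule. Sections are found
# by their 'name' option, so this works whether they are anonymous (@zone[1]) or named.
# Assumes OpenWrt's uci and refuses to run anywhere else; restarts the firewall.
stealth_wan() {
    command -v uci >/dev/null 2>&1 || { echo "uci not found, not an OpenWrt system" >&2; return 1; }
    _zone=$(uci show firewall | sed -n "s/^firewall\.\([^.]*\)\.name='wan'$/\1/p")
    _rule=$(uci show firewall | sed -n "s/^firewall\.\([^.]*\)\.name='Allow-Ping'$/\1/p")
    [ -n "$_zone" ] || { echo "no firewall zone named wan" >&2; return 1; }
    uci set "firewall.$_zone.input=DROP"
    [ -z "$_rule" ] || uci delete "firewall.$_rule"
    uci commit firewall
    /etc/init.d/firewall restart
}
```

Run cgnat_verdict first: if it prints cgnat, whatever grc.com reports is the behaviour of the ISP's CGN, and stealth_wan only changes how the router treats the unsolicited traffic that actually reaches it. Since stealth_wan restarts the firewall, run it from a LAN-side or console session.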

No, not mean, just straightforward and direct 🙂 You're of course right regarding the advanced age of GRC, and one should really be extremely careful about using such an old tool. I'll try with Nmap.

1 Like

As a CGNAT customer, you have no control over the response to unsolicited incoming packets from the Internet. You can be fairly certain that they will not reach your router, but you still need a firewall just in case. Since incoming connections are not possible anyway, you can and should use a firewall that is completely closed.

1 Like