Shields Up test follow up

I am failing a portion of the grc.com "Shields Up" test with this message:

Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.

In my OpenWrt 24.10 Firewall - Traffic Rules, I set Allow-Ping and Allow-ICMPv6-Input to drop, restarted my router and verified the settings, but I am still getting the above message from Shields Up.

What am I doing wrong?

Do you have a public IP address on your WAN interface?

2 Likes

Yes, the one assigned by Spectrum cable.

Thanks. I am still interested in getting my router to drop ICMP.

My last attempt is still not getting it done:

Could you post your /etc/config/firewall config in a code-block here? Please redact any sensitive info before posting it.

1 Like

Fact is, as soon as you are on the internet, you are 'visible' - regardless of ping or no ping. While ICMP ECHO and ~REPLY are mostly a diagnostic tool for IPv4 (but they may be an important part in connection establishment for games and similar things where responsiveness matters), it is an essential part for IPv6 and cannot be disabled there.

GRC's explanations are overly alarmist here, ping is not a security risk - and your attackers already know if you're there or not anyway. By disabling it, you only hurt yourself.

1 Like

@slh / @moeller0:
For someone whose WAN zone is currently set to 'drop' for the INPUT chain, do you have a recommended ICMP rule for IPv4? Or do you recommend just opening all ICMP (including all ICMP types) to be accepted to the WAN zone?

Or, perhaps you were speaking in the context of not blocking outbound ICMP of any type?

Just looking for clarification here. Thanks! :slight_smile:

FWIW, I am asking specifically in the context of ICMP[v4] and not ICMPv6.

The only ICMPv4 allowed by the default firewall is echo-request. To adhere to GRC recommendations (not recommended), set wan default input to DROP and remove or disable the Allow-Ping traffic rule.

2 Likes

Is this where I change input to drop? If so, I did that, and the reject on the left did not change, and GRC is still reporting that my router is responding to an echo-request.

After reading the supplied links and post I will likely not keep this setting, but I would like to get it working as part of my education.

1 Like

Yes. Did you also do this?

There are two changes to be made:

  • Change the WAN Zone Input rule from Reject to Drop (you can also change Forward too)
  • Disable or delete ICMP Echo-Request rule

This assumes OpenWrt-default firewall settings when proceeding.
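As an added example (not from this thread or the OpenWrt project), here is a small POSIX sh check you can run against a copy of /etc/config/firewall to confirm the two changes above are actually in place: WAN zone input set to DROP, and the Allow-Ping rule disabled or removed. It assumes the OpenWrt default section layout, a zone named 'wan', the default rule name 'Allow-Ping' and single-word option values; the embedded sample config is constructed.

```sh
#!/bin/sh
# Added example (not from the thread): verify that an OpenWrt
# /etc/config/firewall has the two changes the post above describes.
# Assumes the default layout, a WAN zone named 'wan', the default rule
# name 'Allow-Ping', and single-word option values.
# Constructed sample config: default wan zone and Allow-Ping rule,
# with input switched to DROP and the rule disabled.
SAMPLE_FW='
config zone
    option name     wan
    option input    DROP
    option output   ACCEPT
    option forward  REJECT

config rule
    option name       Allow-Ping
    option src        wan
    option proto      icmp
    option icmp_type  echo-request
    option family     ipv4
    option target     ACCEPT
    option enabled    0
'

# option_in_section FILE TYPE NAME OPTION: print OPTION from the section of
# TYPE whose "option name" is NAME (quotes around values are stripped first).
option_in_section() {
  tr -d "\"'" < "$1" | awk -v type="$2" -v name="$3" -v opt="$4" '
    $1 == "config" { n++; stype[n] = $2; next }
    $1 == "option" && n > 0 { val[n, $2] = $3 }
    END {
      for (i = 1; i <= n; i++)
        if (stype[i] == type && val[i, "name"] == name) { print val[i, opt]; exit }
    }'
}
# ping_is_dropped FILE: succeed only if unsolicited WAN input is DROP and no
# enabled Allow-Ping rule re-opens ICMPv4 echo-request.
ping_is_dropped() {
  [ "$(option_in_section "$1" zone wan input)" = "DROP" ] || return 1
  [ -z "$(option_in_section "$1" rule Allow-Ping target)" ] && return 0  # rule deleted
  [ "$(option_in_section "$1" rule Allow-Ping enabled)" = "0" ]
}
# sample_file: write the constructed config to a temp file and print its path.
sample_file() {
  f="$(mktemp)"; printf '%s\n' "$SAMPLE_FW" > "$f"; echo "$f"
}

ping_is_dropped "$(sample_file)" && echo "sample config: echo-request dropped"
```

Run it as `ping_is_dropped /etc/config/firewall` on the router; it exits non-zero if the zone is still REJECT or the rule is still enabled.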

Thanks for all the help, I am good for now.

1 Like

What device actually owns your public IP address? Are you sure it's your OpenWrt router? Or do you have a device from your ISP in front of it, in your house?

Any luck?
You could try:

nftables rule - harder, or sysctl - easier :slightly_smiling_face:

For sysctl, go to the LuCI web page > system > startup > local startup

You are looking to add this rule: sysctl -w net.ipv4.icmp_echo_ignore_all=1