
Thread: How can I block ping(ICMP echo) by setting zone rules?

  1. #1
    eyesineyes Guest

    How can I block ping(ICMP echo) by setting zone rules?

    I want to block all incoming and outgoing ping by setting zone rules. So I ticked those settings of block incoming/outgoing ICMP in both trusted and internet zone property pages. Local network users cannot ping me, but, unfortunately, I still can ping those computers located in both trusted and internet zones. Could anyone tell me how to block ping with zone rules? Or do I have to block ping in program control? I've thought that no matter how I set up the program setting in program control, zone rules can always block them. But it seems I am wrong.

    Can anybody tell me how many layers ZoneAlarm Pro has and in what kind of sequence those layers are set up?

    The following sequence of layers is what I think those layers should be, but it seems they are not working the way I want them to.

    Global Expert Firewall rules -> Zone rules -> Program Expert rules -> Program rules -> OSFirewall.
    ->: incoming, <-: outgoing

    Operating System:Windows XP Pro
    Software Version:7.0
    Product Name:ZoneAlarm Pro

  2. #2
    Join Date: Dec 2005, Posts: 9,057

    Re: How can I block ping(ICMP echo) by setting zone rules?

    Blocking some of the ICMP is recommended, but blocking all of the ICMP is not recommended or workable. There are some bare necessities of a few ICMP types which are required to have an actual connection established and obtain the assigned IP and so forth.
    At the very least, the "Echo Reply (0)" Out and "Echo Request (8)" need to be allowed (responses to Pings).
    The "Destination Unreachable (3)" Out and "Time Exceeded for a Datagram (11)" Out are needed (the last is needed for responses to Tracert). I would allow the IGMP as well. It is not a security risk if the other networked devices and computers of the LAN ping each other. There may be some if the pings are coming from and accepted from the internet. However the router or NAT enabled modem usually has provisions to not accept incoming pings from the internet, thus protecting the LAN in the first place.

    I assumed you have made adjustments in the Custom of the Firewall for altering the ICMP control. This is usually a quick and dirty method. If the correct and proper adjustments are wanted, not only for the ICMP but also for the extra fine tuning of the Expert (in the Programs Listing), then they should be performed in the Expert of the Firewall.
    The Expert of the Program and the Expert of the Firewall must work together, and this will enhance security and application control as well as performing the advanced networking.

    Both Expert sections must have the rules laid out or numbered in the correct sequence or the networking/desired effect will fail.

    Oldsod

    Message Edited by Oldsod on 01-13-2008 12:39 PM
    Best regards.
    oldsod

  3. #3
    eyesineyes Guest

    Re: How can I block ping(ICMP echo) by setting zone rules?

    Thank you so much, Oldsod.

    I tried to tick the settings (Block incoming ping (ICMP echo) and Block outgoing ping (ICMP echo)) in the Custom of Internet Zone Security and Trusted Zone Security. But it seemed only incoming ping was blocked; it didn't work on outgoing pings when I pinged another PC. The outgoing ping went all the way through the ZA Pro and I got the remote PC's responses.

    I feel confused. @@

  4. #4
    Join Date: Dec 2005, Posts: 9,057

    Re: How can I block ping(ICMP echo) by setting zone rules?

    There is no distinct ICMP Echo, if I understand your post/question correctly.
    The Echo exists as two separate types: the ICMP Echo Reply (type 0) and the ICMP Echo Request (type 8). In order for the PC to have actual networking the Echo Request is allowed in (but out is not needed) and the Echo Reply is allowed out (but the in is not needed).
    Furthermore the ICMP Destination Unreachable (type 3) and the ICMP Time Exceeded (type 11) also need to be allowed out (but in is not needed). This is the barest minimum to have working networking; often other ICMP types are needed for many other kinds of networking. See here for a list of ICMP Types and here for details.

    Oldsod
    Best regards.
    oldsod

  5. #5
    eyesineyes Guest

    Re: How can I block ping(ICMP echo) by setting zone rules?

    Then what are these ICMP related settings for (located in Firewall->Main->Custom; you may also check out the attached image link) in ZoneAlarm Firewall Pro 7? Can they actually block incoming ping and outgoing ping, regardless of whether the network is working or not?


    http://img86.imageshack.us/img86/1318/capturedyv5.jpg

    Message Edited by eyesineyes on 01-13-2008 09:32 PM

  6. #6
    Join Date: Dec 2005, Posts: 9,057

    Re: How can I block ping(ICMP echo) by setting zone rules?

    eyesineyes wrote:
        Then what are these ICMP related settings for (located in Firewall->Main->Custom; you may also check out the attached image link) in ZoneAlarm Firewall Pro 7? Can they actually block incoming ping and outgoing ping, regardless of whether the network is working or not?
        http://img86.imageshack.us/img86/1318/capturedyv5.jpg

    Yes, but the ZA skips the Reply and Request labels. So it will block the ICMP Echo Request out but not in, and the ICMP Echo Reply in but not out. There are two distinct directions for each of the Echo Reply and Echo Request. Not one but two types and two different directions. No one can block off all of the ICMP and then use networking; it just will no longer work anymore. There has to be some of the basic ICMPs allowed. Anyway, the default ICMP settings of the ZA are sufficient for security and for functioning internet/networking.
    Then again the ICMP does not really present any kind of a security threat. If a PC replies to pings, it just means it is there; this happens anyway, the IP is given away by other means. But neither the ICMP nor the other methods will open any ports. It will not happen. The firewalling security is still intact and cannot be sabotaged by simply the ICMP.

    If you really want to control the basic ICMP Echo Reply and Echo Request, then use the Expert Rules of the Firewall. Like this one that I use (even this can be adjusted for high security, but with less functionality/usability):


    If you are looking for an easier setup, then set the Trusted Zone Security slider to High instead of Medium ...


    Oldsod

    Message Edited by Oldsod on 01-14-2008 10:04 AM
    Best regards.
    oldsod

  7. #7
    eyesineyes Guest

    Re: How can I block ping(ICMP echo) by setting zone rules?

    If I don't misunderstand what you've said, you mean that by ticking those two settings, which I did, I cannot ping other remote PCs, since ICMP Echo Request out has been blocked, and my PC will not respond to any incoming pings, since ICMP Echo Reply in has been blocked. Am I right?

    As the result of my testing: yes, my PC is not responding to incoming pings, but no, ZA doesn't block my outgoing pings. I don't know why, but I think it's maybe due to the rule of "TCP/IP Ping" in the Program Control List, for which I've authorized ping.exe to access the internet, having overridden (is it possible?) the zone settings.

    Anyway, thank you, Oldsod, for your patience and informative narration. It seems I lack some knowledge of ICMP. I will go study it. I'll test your expert settings on my PC to see if they work for me, too.

    Thank you again.

    Tony

    Message Edited by eyesineyes on 01-14-2008 07:51 AM

    Message Edited by eyesineyes on 01-14-2008 07:52 AM

  8. #8
    Join Date: Dec 2005, Posts: 9,057

    Re: How can I block ping(ICMP echo) by setting zone rules?

    I am going to say it one more time - You Can Not Block Off All of the ICMP! This will make the PC non-functional. This is the last time I am repeating myself.

    The host sends an echo request to the target. The target then responds with an echo reply. If this does not happen, then the networking is nonfunctional. If this happens the other way around, it is then wrong.

    In the normal course of things, you want to connect to a server; it gets the ping sent from your PC. Thus the ICMP is allowed out. A distinct ICMP "reply" is sent back to your PC; it is allowed in. If it is the wrong ICMP "reply", it is denied.
    If that same server pings your PC, then the ICMP is dropped or refused. If it is a request, it is allowed. Then further connections are tried; if these connections were never initially established from your PC, then these will be dropped and that server is no longer chatting. Thus the ICMP requests in and out and the ICMP replies in and out are determined. This all occurs even before the three way handshake begins that will finally establish the usual TCP connections.

    Do not go by my settings in the above .gif as a template; I have allowed one of the ICMP directions that is not particularly needed. But the previous posts above do list the correctly needed ICMP types and the directions; these are the minimum. Also the general Gateway ruling could be further enhanced; not an issue for me as I have the LAN set up with double NAT and an extra hardware firewall.

    Oldsod

    Message Edited by Oldsod on 01-14-2008 11:36 AM
    Best regards.
    oldsod
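    Added example (not from the thread, and not ZoneAlarm code): a small stateful ICMP echo filter in pure Python that models the asymmetric behaviour the original poster was trying to get from the zone settings, namely "my PC can ping others, but nobody can ping my PC". It parses the 8-byte ICMP header (type, code, checksum, and the identifier/sequence fields that Echo messages carry, per RFC 792), verifies the RFC 1071 checksum, lets an Echo Request (type 8) out and remembers it, lets an Echo Reply (type 0) in only when it matches a remembered request, and drops unsolicited inbound Echo Requests as well as replayed or unsolicited replies. Destination Unreachable (3) and Time Exceeded (11) are passed in both directions as this example's own policy; every other type is dropped. The peer address 192.0.2.10, the identifier 0x1234 and the "ping" payload are constructed for the demo; a real host firewall applies this kind of decision inside the network stack rather than in a script.

```python
"""Stateful ICMP echo filter (added example; not ZoneAlarm code).

Models only the filtering decision; packets are raw ICMP messages
without the IP header. Sample packets are constructed inline.
"""
import struct

# ICMP types discussed in the thread (RFC 792)
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11

# Error types this example's policy passes in both directions
ERROR_TYPES = {ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words.

    Returns 0 when run over a message whose checksum field is already valid.
    """
    if len(data) % 2:
        data += b"\x00"  # pad odd-length data with a zero octet
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Assemble any ICMP message (rest = 4 bytes after the checksum) with a valid checksum."""
    header = struct.pack("!BBH4s", icmp_type, code, 0, rest)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBH4s", icmp_type, code, csum, rest) + payload


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Build an Echo Request (8) or Echo Reply (0); identifier and sequence fill 'rest'."""
    return build_icmp(icmp_type, 0, struct.pack("!HH", ident, seq), payload)


def parse_icmp(packet: bytes) -> dict:
    """Split an ICMP message into its fields; reject short or corrupt messages."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, rest = struct.unpack("!BBH4s", packet[:8])
    return {"type": icmp_type, "code": code, "rest": rest, "payload": packet[8:]}


class EchoFilter:
    """Allow our pings out and their replies in; never answer pings from outside."""

    def __init__(self) -> None:
        # (peer, identifier, sequence) of Echo Requests this host has sent
        self.pending: set = set()

    def outbound(self, peer: str, packet: bytes) -> bool:
        try:
            msg = parse_icmp(packet)
        except ValueError:
            return False  # malformed: drop
        if msg["type"] == ICMP_ECHO_REQUEST:
            ident, seq = struct.unpack("!HH", msg["rest"])
            self.pending.add((peer, ident, seq))  # remember what we asked
            return True
        if msg["type"] == ICMP_ECHO_REPLY:
            return False  # inbound requests are dropped, so we never reply
        return msg["type"] in ERROR_TYPES

    def inbound(self, peer: str, packet: bytes) -> bool:
        try:
            msg = parse_icmp(packet)
        except ValueError:
            return False  # malformed: drop without touching state
        if msg["type"] == ICMP_ECHO_REQUEST:
            return False  # unsolicited ping from outside: silently drop
        if msg["type"] == ICMP_ECHO_REPLY:
            key = (peer,) + struct.unpack("!HH", msg["rest"])
            if key in self.pending:
                self.pending.discard(key)  # exactly one reply per request
                return True
            return False  # reply nobody asked for (spoofed or replayed)
        return msg["type"] in ERROR_TYPES


def demo() -> dict:
    """Run the filter over constructed packets and return the verdicts."""
    fw = EchoFilter()
    peer = "192.0.2.10"  # constructed TEST-NET-1 address
    req = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"ping")
    rep = build_echo(ICMP_ECHO_REPLY, 0x1234, 1, b"ping")
    corrupt = rep[:-1] + bytes([rep[-1] ^ 0xFF])  # flip one payload byte
    ttl_exceeded = build_icmp(ICMP_TIME_EXCEEDED, 0, b"\x00" * 4)
    return {
        "our_request_out": fw.outbound(peer, req),
        "matching_reply_in": fw.inbound(peer, rep),
        "replayed_reply_in": fw.inbound(peer, rep),
        "their_request_in": fw.inbound(peer, req),
        "corrupt_reply_in": fw.inbound(peer, corrupt),
        "time_exceeded_in": fw.inbound(peer, ttl_exceeded),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {'ALLOW' if verdict else 'DROP'}")
```

    The point the filter makes concrete is the one the thread circles around: "ping" is not one thing. A host that can ping but cannot be pinged needs Echo Request out and Echo Reply in, while Echo Request in and Echo Reply out stay closed, and a reply is only legitimate when it answers a request the host actually sent. Matching on the identifier and sequence number is what keeps a spoofed or replayed reply from being accepted.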
