# Disable incoming only icmp ping requests



## woodson2 (Jun 29, 2009)

I'm guessing this is done via sysctl. However, when I grep for icmp I get the following output for IPv4, none of which looks like the obvious winner. Can someone tell me how to do this without running a firewall?


```
net.inet.icmp.maskrepl: 0
net.inet.icmp.icmplim: 200
net.inet.icmp.bmcastecho: 0
net.inet.icmp.quotelen: 8
net.inet.icmp.reply_from_interface: 0
net.inet.icmp.reply_src: 
net.inet.icmp.icmplim_output: 1
net.inet.icmp.log_redirect: 0
net.inet.icmp.drop_redirect: 0
net.inet.icmp.maskfake: 0
net.inet.tcp.icmp_may_rst: 1
```


----------



## lyuts (Jun 30, 2009)

I'm using ipfw and one of its rules looks like this:


```
# $me is the host's own address, assumed to be set earlier in the script
# Allow out ping (keep-state lets the echo replies come back in)
/sbin/ipfw -q add allow log icmp from any to any out via re0 keep-state
# Deny in ping
# ("setup" only matches TCP SYN packets, so it is dropped here; with it the
#  rule would never match ICMP)
/sbin/ipfw -q add deny log icmp from any to $me in via re0
```


----------



## vivek (Jun 30, 2009)

Use a firewall to block. A firewall must work in block-only mode, e.g. with pf:

```
icmp_types = "{ echoreq, unreach }"
# ...
block all
# ..
# If you want icmp ping uncomment the following 
# pass inet proto icmp all icmp-type $icmp_types keep state
```
See pf.conf man page for more details.


----------



## woodson2 (Jun 30, 2009)

Thank you both for your answers...So I take it this is a no go without running a firewall?


----------



## anomie (Jun 30, 2009)

woodson2 said:

> So I take it this is a no go without running a firewall?



I don't see an obvious way in the icmp(4) manpages. However, you could do a few things without a packet filtering firewall: 

```
net.inet.icmp.icmplim = 1      (limit to 1 echo reply/second)
net.inet.icmp.bmcastecho = 1   (do not reply to broadcast icmp requests)
```

IMO, disabling icmp echo requests is not a particularly worthwhile endeavor. I would be more concerned with discouraging unwanted tcp/udp connection requests, as outlined in the blackhole(4) manpages.


----------
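The two answers above (vivek's pf ruleset and anomie's sysctl knobs) are the practical options this thread arrives at. The script below is an added example, not code from any poster or from FreeBSD itself: it audits the `net.inet.icmp` values the original poster pasted against a hardening baseline, and it generates a minimal pf.conf fragment that keeps inbound echo requests blocked while outbound ping and path-MTU discovery still work. The interface name `re0`/`em0`, the baseline values, the embedded sysctl sample and the function names are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Audits ICMP sysctls and emits a
# pf.conf fragment. Interface names, baseline values and the sample
# sysctl output below are constructed for illustration.

# Constructed sample in the shape of `sysctl net.inet.icmp` output
# (values taken from the original poster's paste).
SAMPLE_SYSCTL='net.inet.icmp.maskrepl: 0
net.inet.icmp.icmplim: 200
net.inet.icmp.bmcastecho: 0
net.inet.icmp.drop_redirect: 0
net.inet.icmp.log_redirect: 0'

# sysctl_value KEY [INPUT]: print the value of KEY from "key: value" lines.
# INPUT defaults to the constructed sample; on a live host pass "$(sysctl net.inet.icmp)".
sysctl_value() {
    key=$1
    input=${2:-$SAMPLE_SYSCTL}
    printf '%s\n' "$input" | awk -v k="$key" '$1 == k":" { print $2; exit }'
}

# audit_icmp_sysctls [INPUT]: print one FINDING line per deviation from the
# baseline and return the number of findings (0 = everything matches).
# Baseline (assumption for this example): 1 ICMP reply/second, no replies to
# broadcast echo requests (bmcastecho=0 is the FreeBSD default), drop ICMP
# redirects, do not answer address-mask requests.
audit_icmp_sysctls() {
    input=${1:-$SAMPLE_SYSCTL}
    findings=0
    for pair in icmplim=1 bmcastecho=0 drop_redirect=1 maskrepl=0; do
        name=${pair%%=*}
        want=${pair#*=}
        have=$(sysctl_value "net.inet.icmp.$name" "$input")
        if [ "$have" != "$want" ]; then
            printf 'FINDING net.inet.icmp.%s=%s (baseline %s)\n' \
                "$name" "${have:-unset}" "$want"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# icmp_pf_rules [IFACE]: print a pf.conf fragment that blocks inbound echo
# requests on IFACE but lets the host ping out and receive the replies.
icmp_pf_rules() {
    ext_if=${1:-re0}   # interface name is an assumption
    cat <<EOF
ext_if = "$ext_if"
# Default deny inbound; outbound traffic creates state so replies come back.
block in on \$ext_if
pass out on \$ext_if keep state
# Keep path-MTU discovery working.
pass in on \$ext_if inet proto icmp icmp-type unreach
# Inbound echo requests stay blocked by the default deny above. To allow
# ping again, add: pass in on \$ext_if inet proto icmp icmp-type echoreq
EOF
}

main() {
    audit_icmp_sysctls || echo "$? sysctl deviation(s) from baseline"
    icmp_pf_rules re0
    # Parse-only check of the generated ruleset when pfctl is present;
    # nothing is loaded into the kernel.
    if command -v pfctl >/dev/null 2>&1; then
        tmp=$(mktemp)
        icmp_pf_rules re0 > "$tmp"
        pfctl -nf "$tmp"
        rm -f "$tmp"
    fi
}

main
```

Against the poster's own values the audit reports two deviations (`icmplim` at 200 instead of 1, `drop_redirect` off); `bmcastecho` already sits at the safe value 0. To persist the baseline, put the four `name=value` pairs into `/etc/sysctl.conf`; the pf fragment is loaded the usual way via `/etc/pf.conf`.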

