The officially official Devuan Forum!

You are not logged in.

#1 2017-09-29 14:43:02

MiyoLinux
Member
Registered: 2016-12-05
Posts: 1,323  

UFW Rules: Can anyone confirm this?

I read that someone entered these rules for UFW, and it resulted in their computer being completely invisible on the internet. I'm wondering if someone more familiar with UFW rules (than I am) can confirm this. Here are the before.rules that they listed...

    -A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
    -A ufw-before-input -p icmp --icmp-type source-quench -j DROP
    -A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
    -A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
    -A ufw-before-input -p icmp --icmp-type echo-request -j DROP

I have been Devuanated, and my practice in the art of Devuanism shall continue until my Devuanization is complete. Until then, I will strive to continue in my understanding of Devuanchology, Devuanprocity, and Devuanivity.

Veni, vidi, vici vdevuaned. I came, I saw, I Devuaned. wink

Offline

#2 2017-09-29 21:34:53

Racoton
Member
Registered: 2017-06-01
Posts: 25  

Re: UFW Rules: Can anyone confirm this?

"Completely invisible" there is nothing connected to a network. If you use those rules and for example do not block arp queries, your machine will not be "invisible" to the curious and resourceful minds.

Offline

#3 2017-09-30 00:46:43

MiyoLinux
Member
Registered: 2016-12-05
Posts: 1,323  

Re: UFW Rules: Can anyone confirm this?

Thanks Racoton.


I have been Devuanated, and my practice in the art of Devuanism shall continue until my Devuanization is complete. Until then, I will strive to continue in my understanding of Devuanchology, Devuanprocity, and Devuanivity.

Veni, vidi, vici vdevuaned. I came, I saw, I Devuaned. wink

Offline

#4 2017-10-02 12:37:46

JoshuaFlynn
Member
Registered: 2017-09-09
Posts: 48  

Re: UFW Rules: Can anyone confirm this?

Those specific rules, to my knowledge, block the ICMP port (something that, strangely, you can't block using the graphical front end of GUFW), which means your computer would be invisible in the sense of replying to pings, but that's only on the ICMP port.

If your computer 'reaches out' via some other port, then it won't be entirely invisible, likewise if there are any ports that are open or explicitly give rejection messages (as opposed to simply dropping them).

If you want to determine how 'quiet' your machine is, from an external machine (there are some limited capacity sites that offer this) you will want to try to use nmap to do a full blown port scan coupled with an OS detection attempt on your given external IP.

If nmap detects any services, ports in use, or is able to guess it's OS (with reasonable accuracy), then it's not 'quiet' (I use 'quiet' to distinguish from 'invisible' because nothing is truly invisible, even airgapped networks can be penetrated). Naturally, if you connect to any web service then that service knows you're active. Even if your system is 'quiet' a Trojan or backdoor could still 'leak' information out.

It's also worth noting that even if your own machine is 'quiet', your router might not be.

Regardless, it's a good idea to keep the ping reply 'quiet' on a system, because part of avoiding an attack is not letting an attacker know there is something there to be attacked.

Offline

#5 2017-10-02 21:20:17

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 1,100  

Re: UFW Rules: Can anyone confirm this?

To be clear, ICMP is a protocol and not a port; it's the Internet Control Message Protocol, whereby routers may exchange meta-data about IP level connectivity. There are several networking protocols to consider, both within the IP class (such as in particular TCP and UDP), and outside the IP class (in a range of varying obscurity).

As said before, there is no such thing as "invisible" on the Internet, short of not being connected at all. But there is a gray scale of "protection layers" of setting blockages for certain network traffic, depending on how you want your host to handle it. I'.e., like the rules you showed on top, which indeed tells the host to drop certain incoming ICMP packets, rather than deliver them to their normal handling (by the kernel). I think you'd do well in dropping IGMP as well, and then consider blocks for TCP and UDP messaging, which offer the majority of intentionally harmful networking.

Offline

Board footer