How to deny ICMP ping requests on Ubuntu 18.04 Bionic Beaver Linux

Objective

The objective is to configure the default UFW firewall on Ubuntu 18.04 to deny any incoming ICMP ping requests.

Operating System and Software Versions

  • Operating System: Ubuntu 18.04 Bionic Beaver

Requirements

Privileged access to your Ubuntu 18.04 Bionic Beaver installation will be required.

Conventions

  • # – requires the given Linux commands to be executed with root privileges, either directly as the root user or by use of the sudo command
  • $ – requires the given Linux commands to be executed as a regular non-privileged user

Instructions

Update UFW rules

To deny any incoming ICMP ping requests, we need to modify UFW's configuration file /etc/ufw/before.rules. First, make a backup copy:

$ sudo cp /etc/ufw/before.rules /etc/ufw/before.rules_backup

Next, open the file with root privileges using your favorite text editor and change:

FROM:

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

TO:

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP


Alternatively, use the below sed command to perform the change:

$ sudo sed -i '/ufw-before-input.*icmp/s/ACCEPT/DROP/g' /etc/ufw/before.rules
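
The sed command above switches all five ICMP types to DROP, although only the echo-request rule has to change for the host to stop answering ping. As an added example (not part of the original article), the script below changes just that rule, keeps the first backup, and verifies the result; the function names and the sample rules file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): switch only the echo-request
# rule in a UFW before.rules file from ACCEPT to DROP.

# Write a constructed sample of the INPUT ICMP block to the path in $1.
make_sample_rules() {
    cat > "$1" <<'EOF'
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
EOF
}

# Print "<icmp-type> <verdict>" for every ufw-before-input ICMP rule in $1.
icmp_input_summary() {
    sed -n 's/^-A ufw-before-input .*--icmp-type \([a-z-]*\) -j \([A-Z]*\)[[:space:]]*$/\1 \2/p' "$1"
}

# Back up $1 (once) and change only the echo-request verdict to DROP.
# Returns 0 on success, 1 if the file is missing, 2 if the rule is not found.
drop_echo_request() {
    rules=$1
    [ -f "$rules" ] || return 1
    # Keep the first backup so a second run does not overwrite the original.
    [ -e "${rules}_backup" ] || cp -p "$rules" "${rules}_backup" || return 1
    sed -i '/^-A ufw-before-input .*--icmp-type echo-request /s/-j ACCEPT[[:space:]]*$/-j DROP/' "$rules" || return 1
    # Verify the result instead of trusting the substitution.
    icmp_input_summary "$rules" | grep -qx 'echo-request DROP' || return 2
}

# Demo on a temporary copy; point drop_echo_request at /etc/ufw/before.rules
# (as root) and reload UFW to apply it for real.
demo_dir=$(mktemp -d)
make_sample_rules "$demo_dir/before.rules"
drop_echo_request "$demo_dir/before.rules" && icmp_input_summary "$demo_dir/before.rules"
rm -rf "$demo_dir"
```

The other four rules stay at ACCEPT, so ICMP error messages are handled exactly as in the shipped configuration.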

Enable Firewall

Enable the UFW firewall using the following Linux command:

$ sudo ufw enable

Alternatively, if your firewall is already enabled, you can reload it with:

$ sudo ufw reload