External Ping on WAN not being blocked did I set the rules correctly
-
I tried to block external ping and SSH on my WAN port. SSH is blocked, yet when I ping externally I still get a response. Here are the rules.
Here is a screenshot from my phone with the Wi-Fi off (only using LTE) responding to a ping request.
What is wrong with the rules?
-
There is no need to create such rules, unless you have a rule below them that allows all, etc.
Out of the box pfsense does not answer ping, nor would ssh be allowed. There are no rules on the wan interface out of the box. So all unsolicited traffic would be dropped.
Do you have some floating rule that would allow it? Floating tab is evaluated before interface rules.
Where exactly are you pinging that IP from - if you're internal on your lan - then your lan rules would allow it, default any any and yeah you would get an answer.
Also if there is a state there, and you put in that rule to block - you would have to clear any existing states. Or wait for them to time out, etc.
edit:
I am able to ping that IP.. You sure that is pfsense wan? Check for floating tab rule. You sure there is not something in front of pfsense? I get no answer from ssh.. I would sniff on pfsense wan - do you see traffic hitting you? It's possible something upstream of you is answering for that..
-
@johnpoz
Thank you, I believe I have found the cause.
"Do you have some floating rule that would allow it? Floating tab is evaluated before interface rules."
Yes there are floating rules. Apparently they were installed with one of my services, which responds to an echoreq of an ICMP packet. I tried to disable that rule, but the service no longer works. I will have to allow pfSense to respond to a ping for the service to function. Not what I was hoping for.
"Where exactly are you pinging that IP from - if you're internal on your lan - then your lan rules would allow it, default any any and yeah you would get an answer.
Also if there is a state there, and you put in that rule to block - you would have to clear any existing states. Or wait for them to time out, etc."
I pinged externally from the LAN with my phone using LTE having its Wi-Fi turned off.
Thanks again.
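A small Python model of how pf walks a pfSense ruleset, added here as an example (not from this thread or from pfSense itself) to show why a package's floating rule can override a WAN block rule, and why an existing state bypasses the rules entirely. The rules, labels and the package rule are constructed, and the model ignores direction, addresses and ICMP types.

```python
from dataclasses import dataclass
from typing import Optional

# Simplified model of pf rule evaluation as pfSense lays the ruleset out:
# floating rules come first, then interface rules; a 'quick' match ends
# evaluation immediately, otherwise the LAST matching rule wins; a packet
# that matches an existing state never consults the ruleset at all.
# Directions, addresses and ICMP types are deliberately left out.
@dataclass
class Rule:
    action: str                 # "pass" or "block"
    iface: str                  # "wan", "lan" or "any"
    proto: str                  # "icmp", "tcp" or "any"
    port: Optional[int] = None  # destination port (tcp only)
    quick: bool = False         # pfSense interface rules are always quick
    label: str = ""

    def matches(self, iface, proto, port):
        return (self.iface in ("any", iface)
                and self.proto in ("any", proto)
                and (self.port is None or self.port == port))

def evaluate(rules, iface, proto, port=None, states=frozenset()):
    """Return (verdict, reason) for an unsolicited inbound packet."""
    if (iface, proto, port) in states:
        return "pass", "existing state"      # state table checked before rules
    winner = None
    for rule in rules:
        if rule.matches(iface, proto, port):
            winner = rule
            if rule.quick:
                break                        # quick: stop at first match
    if winner is None:
        return "block", "default deny"       # nothing matched: dropped
    return winner.action, winner.label

# Constructed ruleset mirroring the thread: a package-installed floating
# rule passing ICMP echo requests sits ahead of the user's WAN block rules.
FLOATING_QUICK = Rule("pass", "wan", "icmp", quick=True, label="floating: pass ICMP (package)")
FLOATING_LAST = Rule("pass", "wan", "icmp", quick=False, label="floating: pass ICMP (not quick)")
WAN_RULES = [
    Rule("block", "wan", "tcp", 22, quick=True, label="wan: block SSH"),
    Rule("block", "wan", "icmp", quick=True, label="wan: block ping"),
]

if __name__ == "__main__":
    print(evaluate([FLOATING_QUICK] + WAN_RULES, "wan", "icmp"))  # floating quick rule wins
    print(evaluate([FLOATING_LAST] + WAN_RULES, "wan", "icmp"))   # quick interface block wins
    print(evaluate(WAN_RULES, "wan", "icmp", states={("wan", "icmp", None)}))  # state bypass
```

Run `pfctl -sr` on the firewall to see the real ordering, and `pfctl -ss` to check whether an ICMP state already exists before judging a new block rule.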
-
I allow ping on my wan - on purpose ;) It's a very useful function.. It's not going to stop someone from finding you because it doesn't answer ping ;)
Do you really think all the bots looking for ports XYZ that are open, try ping first - well no answer there, must not be any other ports open either ;) hehehe
I have a couple different services that ping my wan IP - and let me know when it doesn't answer. So I know via text and emails that my internet is down.. StatusCake and UptimeRobot are free - and this is a great service to leverage.