
Blocking Inbound Ping

NQG_102

Ping requests can be a useful troubleshooting tool for network connectivity, whether LAN or WAN. However, an abusive ping request, such as a ping of death, can adversely affect your network's performance. This technote explains how to configure a filter set to block ping requests from the internet. For more information on ICMP types and codes, see RFC 792.

Please Note: This technote assumes that you are implementing the Basic Firewall in the Netopia router and that the filter set has not been previously modified. If you have made changes to the preconfigured filter rules, you will need to adapt these instructions to suit your settings.

Please Note: If your router is currently running Netopia Residential Firmware with a web "GUI" configuration menu, this technote is not applicable to you. Most 3300 Series Netopia Gateways can be upgraded to Enterprise level firmware by purchasing an upgrade key.

Related documents: Basic Firewall   |   NAT & the Basic Firewall

Firmware References:

  • v8.2 R1 (and up) - 3300 Enterprise Series
  • v5.3.7   (and up) - 4000 Series
  • v4.8.2   (and up) - R-Series

Before You Start

Telnet into the Netopia router's Main Menu at 192.168.1.1 (if using the default IP setting). If your network has a different IP addressing scheme, modify this accordingly. Separate instructions are available for using telnet and HyperTerminal (serial connection).

Login with the user name and password. The Superuser login is required to save changes. If you are unsure of this, contact your network administrator.

Don't forget to press the Enter key to save any entries. Pressing Backspace, Delete or Tab without first pressing Enter will undo any changes.

The Esc key will take you back towards the main menu screen.

Once you have completed your configuration, you should reboot the Netopia to save and apply your changes.


The Netopia Main Menu Interface

Configuration

  1. From the Main Menu, go to System Configuration --> Filter Sets --> Display/Change Filter Set. Select Basic Firewall.
  2. Select Add Input Filter to Filter Set.
  3. Leave Enabled set to YES. Use the TAB key to set Forward to NO. Hit Enter to save your change.
  4. Leave Source IP Address & Mask, and Destination IP Address & Mask as all zeros (0.0.0.0).
  5. At Protocol Type, type in ICMP. Hit Enter.
  6. For ICMP Type Compare, select Equal. Set ICMP type to 8.
  7. Leave ICMP Code Compare at No Compare, and ICMP Code at 0.
  8. Select ADD THIS FILTER NOW.
  9. You will be back at the Display/Change Filter Set screen. Select Move Input Filter.
  10. Arrow down to the rule just created. It should be rule #6 if no other rules have been added to the Basic Firewall.
  11. Hit Enter to select the rule, then use the up arrow key to move it to just above the rule that allows all ICMP (rule #3 by default).
  12. Hit Enter to finish moving the rule. You will be back at the Display/Change Filter Set screen.

Your final input filter rules should look like this:

    -#----Source IP Addr----Dest IP Addr------Proto-Src.Port-D.Port--On?-Fwd-
   +-------------------------------------------------------------------------
     1    0.0.0.0           0.0.0.0           TCP   NC       =2000   Yes No
     2    0.0.0.0           0.0.0.0           TCP   NC       =6000   Yes No
     3    0.0.0.0           0.0.0.0           ICMP  =8       NC      Yes No
     4    0.0.0.0           0.0.0.0           ICMP  NC       NC      Yes Yes
     5    0.0.0.0           0.0.0.0           TCP   NC       >1023   Yes Yes
     6    0.0.0.0           0.0.0.0           UDP   NC       >1023   Yes Yes
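
Why the new rule has to be moved above the allow-all ICMP rule, shown as an added example (a Python model written for this page, not Netopia code). It assumes the router checks input filters top to bottom and acts on the first match, which the move in steps 9-12 implies; the function names are illustrative.

```python
# Added example: first-match model of the Basic Firewall input filters.
# Assumption: filters are checked in order and the first match decides.
# Source/destination addresses are all 0.0.0.0 (match any), so they are omitted.
import operator

OPS = {"=": operator.eq, ">": operator.gt}

# Rule order right after step 8: the new ICMP type 8 rule is last (#6).
# Columns: protocol, compare 1 (source port / ICMP type),
# compare 2 (destination port / ICMP code), enabled, forward.
AFTER_ADD = """
TCP  NC  =2000  Yes No
TCP  NC  =6000  Yes No
ICMP NC  NC     Yes Yes
TCP  NC  >1023  Yes Yes
UDP  NC  >1023  Yes Yes
ICMP =8  NC     Yes No
"""

def parse_cmp(field):
    """'NC' means no compare; '=8' or '>1023' becomes (operator, value)."""
    return None if field == "NC" else (OPS[field[0]], int(field[1:]))

def parse_rules(table):
    rules = []
    for line in table.strip().splitlines():
        proto, c1, c2, on, fwd = line.split()
        rules.append((proto, parse_cmp(c1), parse_cmp(c2), on == "Yes", fwd == "Yes"))
    return rules

def move_rule(rules, src, dst):
    """Steps 9-12: move rule number src (1-based) to position dst."""
    rules = list(rules)
    rules.insert(dst - 1, rules.pop(src - 1))
    return rules

def hit(cmp, value):
    return cmp is None or cmp[0](value, cmp[1])

def evaluate(rules, proto, field1, field2):
    """Return (rule number, action) for the first enabled rule that matches."""
    for num, (p, c1, c2, on, fwd) in enumerate(rules, start=1):
        if on and p == proto and hit(c1, field1) and hit(c2, field2):
            return num, "forward" if fwd else "drop"
    return None, "no match"  # handling of unmatched packets is not modelled

before = parse_rules(AFTER_ADD)   # rule order after step 8
final = move_rule(before, 6, 3)   # rule order after step 12
```

With the rule left at #6, an echo request (ICMP type 8) matches the allow-all ICMP rule at #3 first and is forwarded; after the move it matches the new rule at #3 and is dropped, while other ICMP types still reach rule #4.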

     

Enable: Non-PPPoE in the 910/9100/Ethernet Router

  1. Escape back to Main Menu.
  2. Enter the WAN Configuration...
  3. Enter the WAN (Wide Area Network) Setup...
  4. Enter the EN (WAN Module 1) Setup... field.
  5. Select and hit Enter on Filter Set....
  6. In the pop-up window, select and hit Enter on the filter set that you have just modified to enable it, and then Escape back to the Main Menu.
  7. Restart the router to ensure any changes are fully implemented.

Enable: Enterprise, 4000 Series, R-Series and Ethernet negotiating PPPoE

  1. Escape back to Main Menu.
  2. Enter the WAN Configuration...
  3. Enter the Display/Change Connection Profile... field.
  4. Enter the Easy Setup Profile (or the name of your internet connection profile, if different).
  5. Scroll down and Enter the IP Profile Parameters... field.
  6. Select and Enter the Filter Set... field.
  7. In the pop-up window, select and hit Enter on the filter set that you have just modified to enable it.
  8. Escape back one screen and hit Enter on COMMIT.
  9. Escape back to the Main Menu.
  10. Restart the router to ensure any changes are fully implemented.

Conclusion

The router will now no longer respond to ping requests arriving on its WAN interface.


© 2008 Netopia, Inc., a Motorola Company. All rights reserved.