
I'd like to block ICMP Echo Reply messages from leaving a Windows 10 computer, but still have Echo Requests come in.

I created an Outbound rule, but couldn't see which option to choose for replies.

Any suggestions?


Fidel
  • This might be an [XY Problem](https://meta.stackexchange.com/questions/66377/what-is-the-xy-problem). Consider the points addressed here: http://shouldiblockicmp.com/ – Doug Deden Jun 28 '19 at 19:48
  • Thanks Doug. I've written a program which logs ICMP Echo Requests (think honeypot) and I would like to prevent the ICMP Echo Responses. – Fidel Jun 29 '19 at 03:51

2 Answers


Generally speaking there's really not a lot to gain from a security perspective by blocking ICMP replies, so if that's your main motivation it's probably more worthwhile to focus on other areas.

To answer your question, ICMPv4 Echo Reply has a Type of 0 (RFC 792), and the corresponding ICMPv6 Type is 129 (RFC 4443). In theory you should be able to allow inbound ICMP Echo requests and block these specific types of outbound traffic, but doing so has no discernible effect when I try it on a Windows Server 2012 R2 VM.

Mikael H
  • 1
    Windows Firewall is stateful, which in rough terms means that if a packet is allowed, then the response to that packet is also allowed even if it otherwise wouldn't be. Usually that means allowing an incoming packet because it is in response to a previous outgoing packet, but perhaps it works the other way around as well? – Harry Johnston Jun 28 '19 at 09:28
0

As Mikael suggested, it is possible to create a rule which blocks outbound ICMP Echo Replies. Steps below.

However, the rule has no discernible effect on the Echo Replies sent by Windows. It appears to only block Echo Replies originating from programs running in User Space.


Fidel