The Silent Connection: Configuring Firewalls to Drop Ping Requests
In the framework of digital sovereignty, maintaining a low profile on public or hostile networks is just as critical as encrypting your data payload. By default, most operating systems and routers respond to Internet Control Message Protocol (ICMP) Echo Requests—commonly known as pings. This default behavior means your machine actively announces its presence to automated network scanners and malicious actors searching for targets. Hardening your network “Pipes” means forcing your firewall to silently drop these requests, making your infrastructure invisible to basic network probes.
Stealth vs. Rejection
When a firewall encounters an ICMP packet it does not want to answer, it can handle it in two ways: it can reject it, or it can drop it. Rejection sends an explicit ICMP Destination Unreachable message back to the sender, which still confirms that a machine exists at that IP address. Dropping the packet simply ignores it, leaving the sender to wait for a timeout. For the digital minimalist, a silent drop is the only logical choice; a ping sweep gets the same result it would get from an unassigned address.
Implementing ICMP Drops via nftables
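If you are using a modern Linux environment like Peppermint OS, you can add this rule to your nftables ruleset. By targeting the input chain of the filter table, you can specify that any packet matching the echo-request type is discarded before it reaches system services. The command below assumes an inet table named filter with a chain named input already exists. It appends the rule to the end of that chain, so it only takes effect if no earlier rule accepts ICMP, and a rule added from the command line is lost at reboot unless it is also written to the configuration file.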
nft add rule inet filter input icmp type echo-request drop
For networks utilizing IPv6, the strategy requires a slight modification. IPv6 relies heavily on ICMPv6 for basic network functionality like neighbor discovery and router solicitations. Completely blocking ICMPv6 will break your connection entirely. Therefore, your firewall rules must precisely target ICMPv6 echo-request types while leaving standard discovery protocols unhindered.
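The IPv4 and IPv6 rules side by side, as an added example that is not part of the original article. It assumes the same inet filter table and input chain as the command above, a hook priority of 0, and a default accept policy; the explicit ICMPv6 accepts are there so the file keeps working if the policy is later changed to drop.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset (assumed names: table "filter", chain "input").
# If the table and chain already exist, loading this file appends these
# rules to the chain. Make sure no earlier rule accepts ICMP, or the
# drops below are never reached.

table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;

        # In an inet table, "icmp" matches IPv4 packets only and
        # "icmpv6" matches IPv6 packets only, so both rules are needed.
        icmp type echo-request drop
        icmpv6 type echo-request drop

        # Neighbor discovery and router discovery: required for IPv6
        # address resolution and default-route learning.
        icmpv6 type {
            nd-neighbor-solicit,
            nd-neighbor-advert,
            nd-router-solicit,
            nd-router-advert
        } accept

        # ICMPv6 error messages: packet-too-big is needed for path MTU
        # discovery, the others report delivery failures for your own
        # outbound traffic.
        icmpv6 type {
            destination-unreachable,
            packet-too-big,
            time-exceeded,
            parameter-problem
        } accept
    }
}
```

Check the file with `nft -c -f <file>` before loading it with `nft -f <file>`, then confirm the rule order with `nft list chain inet filter input`.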
The Diagnostic Value of Silence
Forcing your system into stealth mode doesn’t just prevent network mapping; it also cuts down on unsolicited bandwidth usage. On crowded public links or low-throughput networks, filtering out background scanning traffic keeps your kernel focused exclusively on routing your active, encrypted tunnel data.


