ShieldsUP fails on the "ping".

Asked by turbolad

With gufw enabled and the setting "By Default" on "Deny" or "Reject", I run the ShieldsUP test and everything except the "Ping Reply" passes, so the result is always "FAILED".

How do I solve this?

To test your security, visit: https://www.grc.com/x/ne.dll?bh0bkyd2
Click "Proceed" then click "All Service Ports", wait a minute or two for the test to fully complete and make sure it says "PASSED".

I'm not an expert, but I've been told that *every* computer connected to the Internet must pass the ShieldsUP test. Why does mine keep saying "FAILED" and it's only on the "Ping Reply" bit?

Question information

Language: English
Status: Solved
For: Gufw
Assignee: No assignee
Solved by: turbolad
costales (costales) said :
#1

Hi! ;)
Well, gufw allows the exit traffic (in the next version you can block exit traffic too), so YOU create a connection between your computer and the test.
With the inverse order of traffic, you will be safe.
Best regards.

turbolad (turbolad995) said :
#2

Thanks for your reply. Sorry, I don't understand what you're saying. Very confusing.

costales (costales) said :
#3

Don't worry ;)
You have 2 concepts: input and output traffic (traffic that your computer establishes with another machine, and traffic that is established by another machine to your machine).
Gufw only blocks the input traffic, so all output traffic is open and allowed.
Any doubt? :)
Best regards.

turbolad (turbolad995) said :
#4

I don't feel comfortable having the "Ping" fail the ShieldsUP test. I can't see any option to "block" Ping.

Having previously used Windows, I've always been told that home computers must be completely invisible to everything online.

This definitely needs to be addressed. Personal computers running Linux should always PASS the ShieldsUP test from day one.

Soul-Sing (soulzing) said :
#5

Ping can be stopped with (g)ufw: http://ubuntuforums.org/showthread.php?t=1390075
but... ShieldsUP is stressing/testing your router. Are you behind a router? So not (g)ufw.

Soul-Sing (soulzing) said :
#6

Additional info: you could test your computer for open ports with nmap or zenmap.

costales (costales) said :
#7

Windows, Mac OS X, GNU/Linux... all have the ports open by default.
Normally, the router has a firewall and all ports closed (with the problems for p2p); this is secure enough for a normal desktop user.

Gufw gives you security from output attacks; if you establish a connection to another computer, it is because you want it ;) But in the next version (in Ubuntu 10.04), you will be able to block output traffic too.

If you'd like to change the IP ping, you can, but you must edit a file ;)
http://ubuntuforums.org/showthread.php?t=773485
Comment this line:
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
as:
#-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
in the file: /etc/ufw/before.rules

Best regards.

turbolad (turbolad995) said :
#8

I'm not behind a router, I use a cable modem to connect directly to the Internet.

costales (costales) said :
#9

You're completely safe with Gufw enabled and Deny all connections by default.
Why? Gufw is a frontend for ufw, and ufw is a frontend for iptables.
You have more information about the security in GNU/Linux here:
http://ubuntuforums.org/showthread.php?t=510812
Best regards.

Soul-Sing (soulzing) said :
#10

Many ADSL modems do have a router (hardware firewall) built in.
I have such a modem/router, and I do not pass the ShieldsUP test ===> ping enabled.
But I have blocked ping in gufw. gufw is your second layer of protection behind your "router".
Remember Ubuntu comes with a zero open port policy; as Marcos said, you are perfectly safe behind gufw.
The confusion comes from ShieldsUP! Are all ports closed on ShieldsUP? It stresses your hardware firewall, not gufw! Please do run nmap or zenmap, and there are prob. ports open. (tcp?)

turbolad (turbolad995) said :
#11

Thank you for helping me with gufw.

Following a link posted earlier, I did the following:

entered into the terminal:

gksudo gedit /etc/ufw/before.rules

Edited that file as recommended, saved it and restarted Ubuntu. Checked the firewall was enabled via System > Administration > Firewall configuration.

Ran the ShieldsUP test and now it says "PASSED". I'm NOT behind a router of any kind. I can understand, however, that some users who are behind a router e.g. a wireless router, will need to go into its settings and make sure everything is set fully secure, then save the settings. Such users may not be aware that ShieldsUP is actually testing the router and NOT the firewall installed on the computer.

***** I would strongly recommend that Ubuntu and other Linux distributions intended for home users include a pre-configured firewall which passes the ShieldsUP test. Windows XP SP2 and later versions of Windows include this with the "Windows Firewall", which I've been told starts early in the boot process. An equivalent firewall in Linux for home users should always be enabled and unobtrusive. Now I have that with gufw, but I'm very puzzled that you need to edit the "before.rules" file, I'm not sure many home users will have the patience to do that. *****

Again, thanks for your help. Much appreciated. :)
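The manual edit described in posts #7 and #11, as an added example that is not part of the original thread and is not Gufw's or ufw's own code: a POSIX shell sketch that checks whether the echo-request ACCEPT rule is still active in a rules file and comments it out once, keeping a backup. The function names and the sample excerpt are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and disable the ICMP echo-request ACCEPT rule quoted
# in this thread. Function names are hypothetical, not part of ufw or Gufw.

# Matches the active (uncommented) rule from post #7, tolerating extra spaces.
RULE_RE='^[[:space:]]*-A[[:space:]]+ufw-before-input[[:space:]]+-p[[:space:]]+icmp[[:space:]]+--icmp-type[[:space:]]+echo-request[[:space:]]+-j[[:space:]]+ACCEPT'

# ping_rule_active FILE: exit status 0 if the rule is still active in FILE.
ping_rule_active() {
    grep -Eq "$RULE_RE" "$1"
}

# disable_ping_rule FILE: comment the rule out, leaving the original in FILE.bak.
# Running it again is a no-op, so the backup is never overwritten by an
# already-edited file.
disable_ping_rule() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    ping_rule_active "$file" || return 0
    cp -p "$file" "$file.bak" || return 1
    # Redirecting into the existing file keeps its owner and permissions.
    sed -E "s/${RULE_RE}/#&/" "$file.bak" > "$file"
}

# write_sample FILE: constructed excerpt for testing, not a full before.rules.
write_sample() {
    cat > "$1" <<'EOF'
# ok icmp codes (constructed sample)
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}
```

On a real system, run `disable_ping_rule /etc/ufw/before.rules` as root and then `ufw reload` (or reboot, as in post #11) so the change takes effect; the other ICMP ACCEPT rules are left untouched.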

costales (costales) said :
#12

Thank you for using Gufw ;)
Cheers!

Soul-Sing (soulzing) said :
#13

***** I would strongly recommend that Ubuntu and other Linux distributions intended for home users include a pre-configured firewall which passes the ShieldsUP test. Windows XP SP2 and later versions of Windows include this with the "Windows Firewall", which I've been told starts early in the boot process. An equivalent firewall in Linux for home users should always be enabled and unobtrusive. Now I have that with gufw, but I'm very puzzled that you need to edit the "before.rules" file, I'm not sure many home users will have the patience to do that. *****

turbolad thank you for your feedback, this is also much appreciated. Maybe (g)ufw has an ambition to become the default (desktop?) firewall on Ubuntu, and Marcos is doing great things, for several years now.
Gufw itself is extremely easy to set up, but your point, passing the ShieldsUP "ping test", should be taken into account; earlier versions of Gufw had that "disable ping" option afaik.
Again, thank you very much for taking the time to ask questions and give us great feedback.
An additional outstanding how-to: http://blog.bodhizazen.net/linux/firewall-ubuntu-gufw/
Makes it even possible to limit outbound traffic.

Soul-Sing (soulzing) said :
#14

: http://blog.bodhizazen.net/linux/firewall-ubuntu-desktops/
==>limit outbound connections with ufw

Christopher Forster (christopherforster) said :
#15

Try at your own risk! (as usual):
sudo ufw default deny && sudo ufw enable && sudo ufw allow out 53,137,138/udp && sudo ufw allow out 20,21,22,25,80,139,443,5900,8001/tcp && sudo ufw deny out to any && sudo ufw status numbered

See also: Shieldsup says "failed" when scanning https://bugs.launchpad.net/ubuntu/+bug/185793