V4.31 allows incoming ping to interface

PeterUK
PeterUK Posts: 1,399  Guru Member
edited April 2021 in Security

So here I was testing, thinking V4.31 fixed an issue I was having with FQDN, only to go on GRC ShieldsUP! and see "Ping Reply: RECEIVED (FAILED)". Hmm... I have a test rule at the top, from OPT to ZyWALL, any for source and destination, service ICMP, action deny, and this fails.

Tested on ZyWALL 110

Comments

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 954  Zyxel Employee
    Hi @PeterUK,
    Do you mean that you set a security policy to deny/drop ICMP packets from the Internet to the USG, but the USG still replies to the ICMP?
    Could you share more information about this test tool and the failure behaviour?

  • PeterUK
    PeterUK Posts: 1,399  Guru Member
    edited April 2018

    Yes, the USG still replies to ICMP, and a security policy to deny/drop ICMP packets does not work.

    Tested at GRC; if you test any port it tests ICMP along with it:

    https://www.grc.com/x/ne.dll?bh0bkyd2

  • PeterUK
    PeterUK Posts: 1,399  Guru Member
    edited April 2018

    More info

    I have rolled back to V4.30 and it does not have this issue

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 954  Zyxel Employee
    Hi @PeterUK,
    I created a security policy rule from OPT to ZyWALL, service PING; no matter whether the action is deny or reject, it does not send an ICMP echo response.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~Test result~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Ping Echo: PASSED — Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests) from our server.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Can you send me the OPT packet capture (captured during testing) and the device configuration file via private message?
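    The capture Zyxel asks for is the only way to settle a dispute like this: pairing each ICMP echo request seen on the OPT interface with any echo reply the firewall sent back shows directly whether a deny/reject rule was honoured. Below is an added example (not code from the thread, Zyxel or GRC) that does that pairing over a small constructed capture. It assumes the capture has already been decoded into per-packet records (the `IcmpPacket` type, the hypothetical addresses 198.51.100.7 for the tester and 203.0.113.10 for the firewall's OPT address, and the sample packets are all constructed here).

```python
# Added example: verify an ICMP deny/allow rule against a decoded packet capture.
# All addresses and packets below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

ECHO_REPLY = 0      # ICMP type 0
ECHO_REQUEST = 8    # ICMP type 8

Key = Tuple[str, str, int, int]  # (src, dst, identifier, sequence)


@dataclass(frozen=True)
class IcmpPacket:
    """One decoded ICMP packet as it appeared on the monitored interface."""
    ts: float
    src: str
    dst: str
    icmp_type: int
    ident: int
    seq: int


# Constructed sample capture: three echo requests aimed at the firewall's
# OPT address (203.0.113.10); the firewall answers the first two only.
SAMPLE_CAPTURE: List[IcmpPacket] = [
    IcmpPacket(0.000, "198.51.100.7", "203.0.113.10", ECHO_REQUEST, 0x1234, 1),
    IcmpPacket(0.001, "203.0.113.10", "198.51.100.7", ECHO_REPLY,   0x1234, 1),
    IcmpPacket(1.000, "198.51.100.7", "203.0.113.10", ECHO_REQUEST, 0x1234, 2),
    IcmpPacket(1.001, "203.0.113.10", "198.51.100.7", ECHO_REPLY,   0x1234, 2),
    IcmpPacket(2.000, "198.51.100.7", "203.0.113.10", ECHO_REQUEST, 0x1234, 3),
    # Unrelated traffic to another host should not count against the firewall.
    IcmpPacket(2.500, "198.51.100.7", "203.0.113.99", ECHO_REQUEST, 0x9999, 1),
]


def match_replies(packets: Iterable[IcmpPacket]) -> Tuple[Dict[Key, IcmpPacket], Set[Key]]:
    """Pair echo requests with replies using the (src, dst, id, seq) tuple.

    A reply matches a request when its src/dst are swapped and id/seq agree.
    Returns the requests seen and the subset of request keys that were answered.
    """
    requests: Dict[Key, IcmpPacket] = {}
    answered: Set[Key] = set()
    for p in packets:
        if p.icmp_type == ECHO_REQUEST:
            requests[(p.src, p.dst, p.ident, p.seq)] = p
        elif p.icmp_type == ECHO_REPLY:
            request_key = (p.dst, p.src, p.ident, p.seq)
            if request_key in requests:
                answered.add(request_key)
    return requests, answered


def check_policy(packets: Iterable[IcmpPacket], firewall_ip: str, expected_action: str) -> dict:
    """Report whether the firewall behaved as the rule (deny/reject or allow) requires.

    For a deny/reject rule no request addressed to the firewall may be answered;
    for an allow rule every such request must be answered.
    """
    requests, answered = match_replies(packets)
    to_firewall = [k for k in requests if k[1] == firewall_ip]
    replied = [k for k in to_firewall if k in answered]
    if expected_action in ("deny", "reject"):
        honoured = not replied
    elif expected_action == "allow":
        honoured = len(replied) == len(to_firewall) and bool(to_firewall)
    else:
        raise ValueError("expected_action must be deny, reject or allow")
    return {
        "requests": len(to_firewall),
        "replied": len(replied),
        "unanswered_seqs": sorted(k[3] for k in to_firewall if k not in answered),
        "policy_honoured": honoured,
    }


if __name__ == "__main__":
    # With a deny rule in place, any reply at all is a policy violation.
    print(check_policy(SAMPLE_CAPTURE, "203.0.113.10", "deny"))
```

Run against the constructed capture with `expected_action="deny"` the report shows two answered requests, so the rule was not honoured; the same capture checked as `"allow"` also fails, because sequence 3 went unanswered. Either mismatch is what you would attach to the support case alongside the configuration file.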
  • PeterUK
    PeterUK Posts: 1,399  Guru Member

    Are you testing with a ZyWALL 110 ?

  • PeterUK
    PeterUK Posts: 1,399  Guru Member
    edited April 2018

    So I went from 430AAAA0ITS-2018-01-09-180100142D to V4.31 and it was allowing ping regardless of the firewall rule. Went from V4.31 to V4.30 all is fine. And now went from V4.30 to V4.31 and now it blocks ICMP regardless of a firewall rule to allow it.

    So can you test that you can allow ICMP to ping the interface please.


  • PeterUK
    PeterUK Posts: 1,399  Guru Member
    edited May 2018

    .

  • PeterUK
    PeterUK Posts: 1,399  Guru Member
    edited May 2018

    So yes back to the ZyWALL 110 not allowing ICMP on OPT port.


  • PeterUK
    PeterUK Posts: 1,399  Guru Member

    Solved. It was a change to how ICMP is allowed with a bridge setup doing Real DMZ: ICMP is now allowed down the bridge by a rule from OPT to ZyWALL, not by a rule from WAN to DMZ.
