Warning: This change will be reverted after a reboot or when the Firewalla service restarts.
1. Log in via SSH from the local network. The username is pi, and the password can be found in "Advanced" -> "Configuration" -> "SSH Console".
2. Run the following command:
sudo iptables -A FW_INPUT_DROP -i $(frcc | jq -r '.routing.global.default.viaIntf') -p icmp -j FW_DROP
Note: This disables ping from outside to the WAN interfaces; it will not stop you from pinging the WAN interfaces from your local LAN networks.
Any plans to make this persistent?
Seems to be broken for dual lan configuration
pi@firewalla:~ (Firewalla) $ sudo iptables -A FW_INPUT_DROP -i $(frcc | jq -r '.routing.global.default.viaIntf') -p icmp -j FW_DROP
jq - commandline JSON processor [version 1.5-1-a5b5cbe]
Usage: jq [options] <jq filter> [file...]
jq is a tool for processing JSON inputs, applying the
given filter to its JSON text inputs and producing the
filter's results as JSON on standard output.
The simplest filter is ., which is the identity filter,
copying jq's input to its output unmodified (except for
But this seems to work
sudo iptables -A FW_INPUT_DROP -i eth0 -p icmp -j FW_DROP
sudo iptables -A FW_INPUT_DROP -i eth1 -p icmp -j FW_DROP
Thanks for the feedback. Yes, it does not support dual WAN currently. And the alias of frcc is changed in 1.971. We will eventually make this configurable via the app.
I had to replace $() with eth0
BTW as soon as I ran this command, the WAN network ping test failed. The WAN network now has a red dot and I got an alarm saying "internet connectivity change" and that the connectivity was down. Haven't lost connectivity though.
sudo iptables -A FW_INPUT_DROP -i eth0 -p icmp --icmp-type 8 -j FW_DROP
should work for single WAN.
sudo iptables -A FW_INPUT_DROP -i eth1 -p icmp --icmp-type 8 -j FW_DROP
if you are using dual WAN.
I put these in a startup script in
until Firewalla makes this configurable.
Keep in mind this assumes that you are using FW ports 4 and 3. If you change which ports are your WAN you need to change the choices accordingly.
That did the trick. The key was "icmp-type 8". Thank you.
Glad it worked. All credit goes to Firewalla! I just passed it along.
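An added example, not part of the original thread and not Firewalla's own code: a startup-script form of the echo-request rule quoted above. It checks with iptables -C before appending, so re-running it does not stack duplicate rules, and it refuses an empty or malformed interface name, which is what a failed command substitution would hand to -i. The function names and the interface names passed on the command line are assumptions.

```shell
#!/bin/sh
# Added example (not Firewalla code). Chain names come from the commands in
# this thread; the interface names you pass in are your own WAN ports.
IPT="${IPT:-sudo iptables}"   # overridable, so the logic can be tried without root

# Reject empty or odd interface names before they reach "iptables -i".
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Rule for one interface: ICMP type 8 (echo-request) only. Echo-replies
# (type 0) and other ICMP types are not matched by it.
rule_spec() {
    printf '%s' "FW_INPUT_DROP -i $1 -p icmp --icmp-type 8 -j FW_DROP"
}

# Append the rule only if "iptables -C" reports it is not already there.
ensure_rule() {
    valid_iface "$1" || { echo "skipping invalid interface: '$1'" >&2; return 2; }
    spec=$(rule_spec "$1")
    if $IPT -C $spec 2>/dev/null; then
        echo "already present: $1"
    else
        $IPT -A $spec && echo "added: $1"
    fi
}

# Apply to every interface given; non-zero exit if any of them failed.
block_wan_ping() {
    rc=0
    for ifc in "$@"; do
        ensure_rule "$ifc" || rc=1
    done
    return $rc
}

# Usage: sh block-wan-ping.sh eth0 [eth1]
if [ "$#" -gt 0 ]; then
    block_wan_ping "$@"
fi
```

Since the rule is lost on reboot or service restart, call this from your startup script with your WAN interface names as arguments.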