I am wondering whether it would be useful and helpful, in order to raise my security level, to block the ICMP response messages so that my open UDP ports cannot be found externally.
If so, what would be the best firewall rule, please? (To block only this response and not all ICMP messages.)
I have built up some honeypots and security measures on my firewall, but I need your expertise on whether the above could further raise the security of my MT router.
I am referring to these statements about UDP ports:
When a generic UDP packet is sent to a UDP port of a remote host, one of the following occurs:
If the UDP port is open, the packet is accepted, no response packet is sent.
If the UDP port is closed, an ICMP packet is sent in response with the appropriate error code such as Destination Unreachable.
As a result, I am aiming for the following: if no ICMP response is sent for any UDP port, it is hardly possible to see which port is open/closed (as there is no difference between the responses).
Thanks for your comments/advice in advance!
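
The port-state reasoning quoted in the post above, modelled as an added example that is not part of the original post: it compares what an outside observer can conclude about each UDP port when the router sends ICMP port-unreachable (type 3, code 3) and when it stays silent. The port numbers, the set of open ports and the assumption that one service answers generic datagrams are constructed sample data.

```python
# Added illustration (not from the original post): what can be inferred from
# UDP probe results with and without ICMP type 3 code 3 being sent.
from enum import Enum


class Reply(Enum):
    NONE = "no response"
    UDP = "UDP reply from the service"
    ICMP_PORT_UNREACH = "ICMP type 3 code 3"


def host_reply(port, open_ports, replying_ports, send_icmp_unreach):
    """Return what the probed host sends back for a generic UDP datagram."""
    if port in open_ports:
        # Assumption: most services ignore a generic payload, a few answer it.
        return Reply.UDP if port in replying_ports else Reply.NONE
    # Closed port: the stack reports it unless the firewall suppresses that.
    return Reply.ICMP_PORT_UNREACH if send_icmp_unreach else Reply.NONE


def observer_verdict(reply):
    """Map a reply to the state an outside observer can conclude."""
    if reply is Reply.ICMP_PORT_UNREACH:
        return "closed"
    if reply is Reply.UDP:
        return "open"
    return "open|filtered"  # silence: open and closed look the same


def survey(ports, open_ports, replying_ports, send_icmp_unreach):
    """Verdict per port for one firewall policy."""
    return {
        p: observer_verdict(
            host_reply(p, open_ports, replying_ports, send_icmp_unreach))
        for p in ports
    }


# Constructed sample data, not taken from any real router.
PORTS = [53, 123, 500, 1701, 5678]
OPEN = {53, 500}
REPLYING = {53}  # assumed to answer generic datagrams

if __name__ == "__main__":
    for send_icmp in (True, False):
        print("ICMP port-unreachable sent:", send_icmp)
        for port, verdict in survey(PORTS, OPEN, REPLYING, send_icmp).items():
            print(f"  udp/{port}: {verdict}")
```

With the ICMP reply suppressed, silent open ports and closed ports fall into the same "open|filtered" state, while a service that answers on its own is still identifiable as open.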