Totally Stealthy Router

In response to the post detailing router response to port scans, one of my readers asked an interesting question:

“I was wondering if there was a way to prevent the router from sending those TCP RST packets administratively prohibited ICMP messages back to scanners for TCP and UDP respectively. I basically want my router to drop all packets period without replying back in any way, shape, form, or fashion.”

Here's how you do it:

  • No TCP RST packets should be sent as responses to port scans. Inbound access list dropping all IP packets achieves that.
  • Outbound traffic, both from the protected LAN as well as from the router itself (ping, telnet, DNS, NTP ...) should be allowed. Configure ip inspect with router-traffic option.
  • Disable generation of ICMP unreachables with the no ip unreachables interface configuration command.

The relevant parts of router configuration are included below:

ip inspect name Internet tcp router-traffic
ip inspect name Internet udp router-traffic
ip inspect name Internet icmp router-traffic
interface FastEthernet0/0
 ip address a.b.c.d x.y.z.w
 ip access-group Internet in
 no ip unreachables
 ip inspect Internet out
ip access-list extended Internet
 deny ip any any


  • The sample router configuration is taken from a SOHO router doing PAT on the public interface. You might have to adjust the Internet access-list to your needs.
  • ip inspect functionality has been replaced by zone-based firewall feature.


  1. First off, I'd like to say your blog rocks!!! I love it, thank you so much.


    I'd like to point out that I've been messing with the inspect rules -- and instead of useing tcp, udp and icmp statements, the 'ip' does all three. Just thought you could use that tidbit here. I also played with allowing specific ports before the inspect, it keeps those from being generated on the other side. (I have explicit allows in for a port both udp and tcp that I thought would be redundant in the inspect espeecially since there's tons of connections on those ports.)

    The way you implemented it gives me a great idea on keeping things simple too. I had three lists set up where you have one and I think it'll trim down my fw. Thanks again!!!

    [email protected]
Add comment