Can still ping IP even though only 1 droplet allowed via SSH

Posted February 4, 2017
Tags: Security, Ubuntu 16.04


I have 2 droplets, one containing my DB and one my app.

On the DB droplet I have UFW installed, allowing only the IP of my app's droplet; however, when I ping the DB droplet's IP from my laptop it returns data.

Is this supposed to happen? I would have expected it not to do that.

Only my app droplet should have access to that DB droplet - absolutely nothing else.


2 answers


You’ll need to edit /etc/ufw/before.rules and modify two lines – in both cases, we’re replacing ACCEPT with DROP.

Replace:

    -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

with:

    -A ufw-before-input -p icmp --icmp-type echo-request -j DROP

and replace:

    -A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

with:

    -A ufw-before-forward -p icmp --icmp-type echo-request -j DROP

… and then run sudo ufw disable && sudo ufw enable.

You can also edit /etc/sysctl.conf and drop in:


… then run sudo sysctl -p to load the changes.

Once these changes have been made, you should see something similar to:

Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
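As an added example (my own script, not the answerer's and not part of the original thread), the before.rules change above done with sed instead of by hand, with a backup and a check that no echo-request ACCEPT rule is left. The helper names and the sample rule excerpt are constructed for the example; it rehearses the edit on a temporary copy before you point it at the live /etc/ufw/before.rules.

```shell
#!/bin/sh
# Added example: apply the before.rules edit from the answer with sed, keep a
# backup, and verify it. Helper names and the sample excerpt are constructed.
RULE_RE='-A ufw-before-(input|forward) -p icmp --icmp-type echo-request -j '

# Number of echo-request rules in the file that still ACCEPT.
count_echo_accept() {
    grep -Ec -e "^${RULE_RE}ACCEPT\$" "$1" || true
}

# Rewrite ACCEPT -> DROP on exactly the two echo-request lines; other ICMP
# types (destination-unreachable, time-exceeded) stay, since dropping those
# breaks path-MTU discovery and traceroute rather than just ping.
drop_echo_request() {
    file="$1"
    cp -p "$file" "$file.bak"                 # restore point
    sed -E -i.tmp "s/^(${RULE_RE})ACCEPT\$/\\1DROP/" "$file"
    rm -f "$file.tmp"
}

# True when no echo-request ACCEPT remains and at least one DROP is present.
is_hardened() {
    [ "$(count_echo_accept "$1")" -eq 0 ] &&
        grep -Eq -e "^${RULE_RE}DROP\$" "$1"
}

# Dry run on a constructed excerpt of the stock before.rules, so the edit can
# be checked before it is applied to /etc/ufw/before.rules.
demo_on_sample() {
    tmp="$(mktemp)"
    cat > "$tmp" <<'EOF'
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
EOF
    echo "echo-request ACCEPT rules before: $(count_echo_accept "$tmp")"
    drop_echo_request "$tmp"
    echo "echo-request ACCEPT rules after:  $(count_echo_accept "$tmp")"
    if is_hardened "$tmp"; then status=0; else status=1; fi
    rm -f "$tmp" "$tmp.bak"
    return $status
}

# Live use (as root): drop_echo_request /etc/ufw/before.rules, then
# ufw disable && ufw enable, and confirm with: ufw show raw | grep echo-request
# before.rules runs ahead of "ufw allow from <app IP>" rules, so this also
# drops pings from the app droplet, not only from the laptop.
case "${1:-}" in demo) demo_on_sample ;; esac
```

Run `sh harden_icmp.sh demo` (any file name will do) to see the dry run; the live path is only for the DB droplet itself and still needs the ufw reload from the answer.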

Thanks - so as a security precaution, is this something commonly followed? (I only randomly thought about it.)

Also - is there anything else I should implement in addition to my UFW? Setting up fail2ban later today as well?