LinuxQuestions.org
Old 12-29-2004, 04:15 AM   #1
nirav.jani
Member
 
Registered: Nov 2004
Location: Hyderabad, India
Distribution: Fedora Core - II, RedHat - 9
Posts: 45

Rep: Reputation: 15
Question To Stop Ping Request Which Way Is Good


Hi all,
I am a new guy to Linux security issues.
I found two ways to stop ping requests; which is preferable and why?
one is
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

another is
iptables -A INPUT -p ICMP -i eth1 -j DROP

where I am taking eth1 as the connection of my server to the outer world, that is, the Internet.

Can anybody guide me regarding this?

And yes, I also wanted to know where to get help on using the "icmp_echo_ignore_all" file or all such files ( !!! though they are very well known by their name itself)

thanx in advance
Nirav


--------------------
How can you assume that I am going to ask intelligent questions
 
Old 12-29-2004, 05:28 AM   #2
Cron
Member
 
Registered: Jun 2004
Location: Lithuania
Distribution: FreeBSD, Arch, Ubuntu
Posts: 145

Rep: Reputation: 15
Do not know, but I use the firewall one. Never heard of the above.
 
Old 12-29-2004, 06:00 AM   #3
nirav.jani
Member
 
Registered: Nov 2004
Location: Hyderabad, India
Distribution: Fedora Core - II, RedHat - 9
Posts: 45

Original Poster
Rep: Reputation: 15
OK, no probs. Stopping ping requests is an important function in implementing firewall functionality; ping requests use the ICMP protocol, you can go through the details by googling it.
Anyway, let other experienced guys try to solve it.
nj
 
Old 12-29-2004, 06:20 AM   #4
masand
Guru
 
Registered: May 2003
Location: INDIA
Distribution: Ubuntu, Solaris,CentOS
Posts: 5,522

Rep: Reputation: 58
hi there

it is easier to configure iptables-based firewalls
there u can easily drop/reject icmp packets
u can write an iptables script but that is long work
also shorewall is a good iptables-based F/W

regards
 
Old 12-29-2004, 07:13 AM   #5
nirav.jani
Member
 
Registered: Nov 2004
Location: Hyderabad, India
Distribution: Fedora Core - II, RedHat - 9
Posts: 45

Original Poster
Rep: Reputation: 15
Friends,

There are many firewalls available online and yes shorewall is a good one, and I have already installed it on my machine. Even a lot of them are under the GPL.

Yes, this is one benefit, that to configure a firewall using the iptables command is quite easy, but my question lies somewhere else. I am reiterating it once again: I want to know which method is more efficient and preferable and why, as well as where we can get help on using the method which is not using the iptables command.
thanx in advance
nj
 
Old 12-31-2004, 01:15 AM   #6
nirav.jani
Member
 
Registered: Nov 2004
Location: Hyderabad, India
Distribution: Fedora Core - II, RedHat - 9
Posts: 45

Original Poster
Rep: Reputation: 15
To solve this problem is urgent,
can anybody help me?
please
thanx in advance
nirav
 
Old 01-03-2005, 10:49 AM   #7
masand
Guru
 
Registered: May 2003
Location: INDIA
Distribution: Ubuntu, Solaris,CentOS
Posts: 5,522

Rep: Reputation: 58
hi there

what i got to know is that if u go by the FW way u have more control, i.e. u can allow ICMP at local level but not from outside
but if u go through the other u will be blocking all ICMP (local+internet)
also in both cases the packet will be checked if it is ICMP by the same method, so no difference on which will be fast etc etc

this is what i could gather

regards
 
Old 01-03-2005, 01:57 PM   #8
twsnnva
Member
 
Registered: Oct 2003
Location: Newport News, Va
Distribution: Debian
Posts: 246

Rep: Reputation: 30
I would use something like this.
Code:
iptables -A INPUT -p icmp  -m limit --limit 1/s  -j ACCEPT
This will limit the icmp packets that your firewall will accept per second. This setting is for 1 packet per second. This will protect you from DoS attacks, while allowing you to still ping your box. I use rsync to sync two servers; when the main server goes down the second automatically assumes the other's IP address. The second server uses ping to make sure the main server is still there, so a rule like this fits my needs very well. If you want to completely drop all icmp packets, masand has very good advice.

Thomas
 
Old 01-03-2005, 05:07 PM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
There actually is a slight difference in those two ways of blocking ping. The iptables rule will block all types of ICMP traffic, which can have negative effects. Depending on how you implement that rule, other types of ICMP traffic will be blocked, like destination unreachable replies from a router if a host is down or if a certain port is closed. It will also break your ability to ping other hosts (echo reply is ICMP) as well as more obscure stuff like MTU size determination. The sysctl option (/proc/sys/net/ipv4/icmp_echo_ignore_all) only applies to icmp echo requests and won't break other apps/protocols that use ICMP as well. So at least in this case, it's probably the more preferable option.

That being said, you can create an iptables rule that will filter strictly icmp echo requests. In that case the only real difference might be where in the network stack the packet is actually dropped. I'd imagine the sysctl option has the kernel drop it fairly close to the netfilter hook, so I don't think it would matter significantly (I haven't actually looked at that, so I can't say for sure tho). Overall, iptables will give you more flexibility in selectively implementing the filtering.

Last edited by Capt_Caveman; 01-03-2005 at 05:09 PM.
 
Old 01-04-2005, 06:00 AM   #10
nirav.jani
Member
 
Registered: Nov 2004
Location: Hyderabad, India
Distribution: Fedora Core - II, RedHat - 9
Posts: 45

Original Poster
Rep: Reputation: 15
Thanx guys, sounds good for me,
still I have one little question regarding system control options: I would like to know whether they are flags or something else and where I can find details about them. (Though they are self-explanatory by their name.)

Thanx once again for ur support
nj
 
Old 01-04-2005, 08:18 AM   #11
masand
Guru
 
Registered: May 2003
Location: INDIA
Distribution: Ubuntu, Solaris,CentOS
Posts: 5,522

Rep: Reputation: 58
what system control options u r talking about???

regards
 
Old 01-04-2005, 08:21 AM   #12
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Colombia
Distribution: Kubuntu, Debian, Knoppix
Posts: 1,982
Blog Entries: 1

Rep: Reputation: 83
How about allowing ping requests going out from your host and avoiding ping requests coming in?

Code:
iptables -A INPUT -p icmp --icmp-type ! echo-request -j ACCEPT
 
Old 01-04-2005, 08:26 AM   #13
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Colombia
Distribution: Kubuntu, Debian, Knoppix
Posts: 1,982
Blog Entries: 1

Rep: Reputation: 83
About the advantages of the two methods.... it's obvious to me that iptables allows more fine-grained control over the ICMP traffic you want to allow (or discard).

Both do avoid ping requests... even YOUR own requests, which under normal conditions is not desirable (well... I have never wanted to let go of my ability to ping).

iptables can let you fine-tune traffic much better.

Last edited by eantoranz; 01-04-2005 at 08:28 AM.
 
Old 01-04-2005, 10:22 AM   #14
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote:
Originally posted by nirav.jani
Thanx guys, sounds good for me,
still I have one little question regarding system control options: I would like to know whether they are flags or something else and where I can find details about them. (Though they are self-explanatory by their name.)
This is a really good one:
http://ipsysctl-tutorial.frozentux.n...-tutorial.html
 
Old 01-04-2005, 10:35 AM   #15
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote:
Originally posted by eantoranz
How about allowing ping requests going out from your host and avoiding ping requests coming in?

Code:
iptables -A INPUT -p icmp --icmp-type ! echo-request -j ACCEPT
That solves the problem with ping, but IMO is too generous in allowing the other icmp types, several of which are often considered to be information leaks, like icmp timestamp request. Personally I would just use a rule allowing ESTABLISHED,RELATED traffic. That will allow all the important ICMP error messages (destination unreachable, time exceeded) and also allows the reply-based ICMP types (allows echo reply), but it will only allow those ICMP types if you've initiated the traffic first.
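
The distinction drawn in posts #9 and #15 (a blanket ICMP drop versus an echo-request-only drop, or a drop placed behind an ESTABLISHED,RELATED accept) can be checked mechanically against a saved ruleset. The following is an added example, not code from any poster in this thread; `audit_icmp` is a hypothetical helper, both sample rulesets are constructed, and the check deliberately ignores interface matches and jumps to other chains.

```shell
#!/bin/sh
# Added example, not from the thread; audit_icmp is a hypothetical helper.
# Input: `iptables -S INPUT` style lines on stdin. Output: one line per ICMP
# DROP/REJECT rule. Exit status is 1 if any rule is BROAD.
audit_icmp() {
    awk '
    { line = tolower($0) }
    # A stateful accept placed earlier lets echo-reply and ICMP errors
    # (destination unreachable, time exceeded) in before any later drop.
    line ~ /-j accept/ && line ~ /established/ && line ~ /related/ &&
        (line !~ / -p / || line ~ / -p icmp/) { stateful = 1; next }
    line ~ / -p icmp/ && line ~ /-j (drop|reject)/ {
        # Type 8 is echo-request; a negated match ("! --icmp-type") is not narrow.
        if (line ~ /[^!] --icmp-type (8|echo-request)( |$)/)
            print "OK    echo-request only: " $0
        else if (stateful)
            print "OK    behind ESTABLISHED,RELATED accept: " $0
        else {
            print "BROAD also blocks echo-reply and ICMP errors: " $0
            broad++
        }
    }
    END { exit (broad > 0) }
    '
}

# Constructed sample: the rule from post #1 as `iptables -S` would list it.
sample_blanket() {
    printf '%s\n' '-P INPUT ACCEPT' '-A INPUT -i eth1 -p icmp -j DROP'
}

# Constructed sample: stateful accept (post #15) plus a narrow drop (post #9).
sample_stateful() {
    printf '%s\n' '-P INPUT ACCEPT' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -i eth1 -p icmp -m icmp --icmp-type 8 -j DROP' \
        '-A INPUT -p icmp -j DROP'
}

sample_blanket  | audit_icmp || true   # reports one BROAD rule
sample_stateful | audit_icmp || true   # reports two OK rules
```

On a live host the input would come from `iptables -S INPUT` run as root instead of the sample functions.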
 
  

