LinuxQuestions.org
Old 09-05-2003, 05:14 PM   #1
chrisknight
Member
 
Registered: Jan 2003
Location: ohio
Distribution: CentOS5.5, SmoothWall 3.0
Posts: 139

Rep: Reputation: 15
Question Configure Smoothwall to block ping?


How might I configure Smoothwall GPL to block/drop/ignore ICMP echo requests from the outside world?
 
Old 09-06-2003, 08:28 AM   #2
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 66
Just log in as root and run:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
 
Old 09-06-2003, 08:46 AM   #3
chrisknight
Member
 
Registered: Jan 2003
Location: ohio
Distribution: CentOS5.5, SmoothWall 3.0
Posts: 139

Original Poster
Rep: Reputation: 15
worked

I logged in as root.
navigated to /proc/sys/net/ipv4
then used jpico to change the value of icmp_echo_ignore_all
from 0 to 1

Thank you!!!
 
Old 09-06-2003, 04:45 PM   #4
chrisknight
Member
 
Registered: Jan 2003
Location: ohio
Distribution: CentOS5.5, SmoothWall 3.0
Posts: 139

Original Poster
Rep: Reputation: 15
..as I stated in the post above, it did work.
BUT,
Every time I reboot, the value is changed back to 0.
Should I write a bash script to run:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
at startup? That would be like putting a bandaid on it though.

Anyone know why the value is changing back and how to stop it?
I've changed the value back and rebooted 3 times.

Hmmm...
 
Old 09-07-2003, 08:45 AM   #5
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 66
Sorry I forgot that that would happen. Just put the echo command just below "#!/bin/bash" in:
/etc/rc.d/rc.netaddress.up
 
Old 09-07-2003, 09:00 AM   #6
chrisknight
Member
 
Registered: Jan 2003
Location: ohio
Distribution: CentOS5.5, SmoothWall 3.0
Posts: 139

Original Poster
Rep: Reputation: 15
Did:
jpico /etc/rc.d/rc.netaddress.up

#!/bin/sh
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

Thank you!!! Works like a charm!
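
One way to script the change from the posts above so that re-running it never duplicates the line (an added example, not part of the original thread). `persist_below_shebang` and `echo_state` are hypothetical helper names, and the `RC_FILE`/`PROC_FILE` overrides are assumptions added so the functions can be tried on scratch files.

```shell
#!/bin/sh
# Added example (not from the thread): persist the setting idempotently.
# RC_FILE and PROC_FILE default to the paths named in the thread; both can be
# overridden (an assumption of this example) to try the functions on scratch files.
RC_FILE="${RC_FILE:-/etc/rc.d/rc.netaddress.up}"
PROC_FILE="${PROC_FILE:-/proc/sys/net/ipv4/icmp_echo_ignore_all}"
SETTING='echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all'

# Insert line $2 directly below the shebang of file $1 unless that exact line
# is already present. Returns 0 if inserted or already there, 1 if the file is
# missing or does not start with a shebang.
persist_below_shebang() {
    file=$1 line=$2
    [ -f "$file" ] || return 1
    head -n 1 "$file" | grep -q '^#!' || return 1
    grep -qxF -- "$line" "$file" && return 0        # already present, do nothing
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    { head -n 1 "$file"; printf '%s\n' "$line"; tail -n +2 "$file"; } > "$tmp" &&
        cat "$tmp" > "$file"     # overwrite in place so owner and mode are kept
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Print "ignored" if flag file $1 contains 1, otherwise "answering".
echo_state() {
    if [ "$(cat "$1" 2>/dev/null)" = "1" ]; then echo ignored; else echo answering; fi
}

# Run as root with the argument "apply" to change the live system;
# without it the script only defines the functions.
if [ "${1:-}" = "apply" ]; then
    persist_below_shebang "$RC_FILE" "$SETTING" && echo 1 > "$PROC_FILE"
    echo "ICMP echo requests: $(echo_state "$PROC_FILE")"
fi
```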
 
Old 09-09-2003, 06:01 PM   #7
chrisknight
Member
 
Registered: Jan 2003
Location: ohio
Distribution: CentOS5.5, SmoothWall 3.0
Posts: 139

Original Poster
Rep: Reputation: 15
I have tried to ping the heck out of smoothwall internally and externally and it times out every time. Good right?!?

So why does my Smoothwall IDS Log keep filling up with "ICMP PING CyberKit 2.2 Windows" attacks from various IPs like 65.24.x.x, 65.25.x.x, & 65.27.x.x & more?
 
Old 09-09-2003, 06:54 PM   #8
bling bling
Member
 
Registered: Jun 2003
Location: Virginia
Distribution: Slackware/win xp soon to be LFS/win xp
Posts: 95

Rep: Reputation: 15
*watches the world go into bunkers*
This isn't a good sign when people are trying to bunker down this much.
It is just a ping dude. It isn't like you are going to crash every time someone pings you.
 
Old 09-09-2003, 08:47 PM   #9
chrisknight
Member
 
Registered: Jan 2003
Location: ohio
Distribution: CentOS5.5, SmoothWall 3.0
Posts: 139

Original Poster
Rep: Reputation: 15
I have logged 151 IPs issuing the "ICMP PING CyberKit 2.2 Windows" "ping" just today! This looks like a worm knocking at my door.
So yes, "it's just a ping dude", but why? To see if a possibly exploitable host is up? Probably. I wouldn't mind a few pings here & there but 151?!? Sounds automated.
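
A quick way to check how many distinct sources are behind one signature, as in the count reported above (an added example, not part of the original thread). It assumes Snort's one-line "fast" alert format and IPv4 sources; the sample lines, their addresses and the `[1:0:0]` field are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: count distinct sources behind one Snort signature.
# Assumes one-line "fast" alerts ending in "{PROTO} src -> dst" (IPv4 only).

# Constructed sample input: documentation addresses, placeholder [gid:sid:rev].
sample_alerts() {
cat <<'EOF'
09/09-17:58:01.100000  [**] [1:0:0] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 203.0.113.1
09/09-17:58:02.200000  [**] [1:0:0] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.77 -> 203.0.113.1
09/09-17:58:04.300000  [**] [1:0:0] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 203.0.113.1
09/09-17:58:05.400000  [**] [1:0:0] EXAMPLE TCP signature [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.9:4021 -> 203.0.113.1:135
09/09-17:58:07.500000  [**] [1:0:0] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.5 -> 203.0.113.1
EOF
}

# stdin: alert lines; $1: exact signature text. Prints each distinct source once.
sig_sources() {
    awk -v sig="$1" '
        index($0, "] " sig " [**]") == 0 { next }   # a different signature
        {
            src = ""
            for (i = 2; i <= NF; i++) if ($i == "->") src = $(i - 1)
            sub(/:[0-9]+$/, "", src)                 # drop the port on TCP/UDP alerts
            if (src != "") print src
        }' | sort -u
}

# Number of distinct sources for signature $1.
count_sources() { sig_sources "$1" | wc -l | tr -d ' '; }

# "count prefix/16" per source /16 for signature $1, busiest first.
sources_by_16() {
    sig_sources "$1" |
        awk -F. '{ n[$1 "." $2]++ } END { for (p in n) print n[p], p ".0.0/16" }' |
        sort -k1,1nr -k2,2
}

# Stand-alone use: pass an alert file, or no argument to run on the sample.
SIG='ICMP PING CyberKit 2.2 Windows'
if [ -r "${1:-}" ]; then cat "$1"; else sample_alerts; fi | sources_by_16 "$SIG"
```

Many distinct sources spread over a few prefixes, each sending only one or two probes, is the pattern that separates automated scanning from a handful of manual pings.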
 
Old 09-12-2003, 01:16 PM   #10
masonxinc
LQ Newbie
 
Registered: Sep 2003
Location: Greenville
Distribution: Ipcop/SuSE/BSD
Posts: 1

Rep: Reputation: 0
Smoothwall/IPcop

I am in the same boat with IPCOP and the suggestions posted above have been great. I have another related question. Is there a way to block only icmp pings to the external (red) interface but still allow them to the internal? Right now I have all icmp being dropped but would like to keep icmp connectivity internally.

Mason
 
Old 09-15-2003, 05:21 PM   #11
chrisknight
Member
 
Registered: Jan 2003
Location: ohio
Distribution: CentOS5.5, SmoothWall 3.0
Posts: 139

Original Poster
Rep: Reputation: 15
Here's what I found out on the freaking "ICMP PING CyberKit 2.2 Windows" issue.

Snort incorrectly detects hits from the Welchia worm (aka MSBlast.D, Lovsan.D, Nachi) as "ICMP PING CyberKit 2.2 Windows" hits.

Smoothwall is blocking this crap, as long as you are not forwarding port 135 you'll be ok, BUT, your d@mn logs keep filling up. (At least it was a problem for me.)
To stop Smoothwall from logging these hits on port 135,
edit /etc/rc.d/rc.firewall.up
After the line:
iptables -P OUTPUT ACCEPT
add this:
# drop hits from Blaster worm
iptables -A INPUT -p TCP -i $RED_DEV --dport 135 -s 0/0 -j DROP

This wasn't as big of a problem as the "ICMP PING CyberKit 2.2 Windows" filling up my logs though.
To stop Snort from logging these hits, edit /usr/local/lib/snort/icmp.rules
and comment out the line relating to CyberKit (line 29 in 2b5).
You comment out like this:

# this is a comment

To clear the Snort logs, do this:
echo > /var/log/snort/alert
rm -Rf /var/log/snort/*.*.*.*

To clear the firewall logs, do this:
echo > /var/log/messages

To clear old snort & firewall logs, do this:
rm -f /var/log/messages.*
rm -f /var/log/snort/alert.*
 
  

