Server stopping pings

Discussion in 'Networking, Telephony & Internet' started by foxmulder881, Jun 30, 2012.

  1. foxmulder881

    foxmulder881 Member

    Joined:
    Nov 17, 2004
    Messages:
    5,884
    Location:
    Gold Coast, QLD OS:Linux
    I'm curious as to how a server can stop another system pinging it.
     
  2. Rezin

    Rezin Member

    Joined:
    Oct 27, 2002
    Messages:
    9,490
    Firewall...
     
  3. OP
    OP
    foxmulder881

    foxmulder881 Member

    Joined:
    Nov 17, 2004
    Messages:
    5,884
    Location:
    Gold Coast, QLD OS:Linux
    But I thought you'd still be able to ping a certain IP address? Am I wrong? Especially if I can see that it is there.
     
  4. bugayev

    bugayev Whammy!

    Joined:
    May 15, 2003
    Messages:
    4,093
    Location:
    Melbourne
    If the device refuses to respond to an ICMP ping request, then it'll time out each request.

    Yes, you're wrong.
     
    Last edited: Jun 30, 2012
  5. BAK

    BAK Member

    Joined:
    Jan 7, 2005
    Messages:
    1,214
    Location:
    MornPen, VIC
    Configure the firewall to block ICMP traffic (ICMP, not IGMP as stated above) either incoming if you want to stop the server responding to pings, or outgoing if you want people not to be able to ping other devices from it.
     
  6. bugayev

    bugayev Whammy!

    Joined:
    May 15, 2003
    Messages:
    4,093
    Location:
    Melbourne
    Fixed that! :)
     
  7. OP
    OP
    foxmulder881

    foxmulder881 Member

    Joined:
    Nov 17, 2004
    Messages:
    5,884
    Location:
    Gold Coast, QLD OS:Linux
    Thanks, that's exactly what I was wondering. Thanks again. :thumbup:
     
  8. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    760
    Location:
    ork.sg
    If you typed your question into google, 3 of the first 5 links would have answered it.

    Gonna delete this response too Gords? Better to teach someone to fish than to provide them fish.
     
  9. gords

    gords Oh deer!

    Joined:
    Aug 3, 2001
    Messages:
    6,645
    Location:
    Sydney, Australia
    Yep, and better to be polite to someone than nasty. If you can't do it, don't post. And don't get your hair in a knot when someone calls you out on your incessant rudeness toward other members.
     
  10. Alper

    Alper Member

    Joined:
    Oct 8, 2005
    Messages:
    2,610
    Location:
    3060
    epic burn is epic

    I think the OP could have easily googled this, but it's good to see some educated ocau's jumped in fairly quickly.

    ocau - The Organic Google
     
  11. s3kemo

    s3kemo Member

    Joined:
    May 13, 2003
    Messages:
    5,889
    Location:
    in a house
    I'd rather a quieter forum full of quality threads than an active forum full of basic questions, easily answered by google or calling/emailing/contacting the provider of the service.

    Or if OP thinks (ho ho ho) it's an elementary question, it goes in Newbie Forum.

    Or a mod could just move them up there anyway.

    It removes any possibility someone might post a legitimate question if they see the forum full of basic questions, followed by the array of answers from all sorts that post around here. It just lowers the average, and it's not good for the forum, IMO.
     
  12. gords

    gords Oh deer!

    Joined:
    Aug 3, 2001
    Messages:
    6,645
    Location:
    Sydney, Australia
    The fact of the matter is that there are rules about being polite to other members, but there (generally) aren't rules about what threads can be created and what threads can't be. If you'd like to propose such an idea, the Site Discussion forum is here. Make sure you have a framework in place when someone asks the inevitable question relating to how much research is required before someone can start a thread on a topic.

    BTW, the rule about pointless posts is not about this topic. I know, I wrote them. If you disagree, read them again.


    Me enforcing the existing published rules and not rules that are made up by you and exist only in your head is not daft, in my opinion. You obviously think differently.


    I note that neither you, nor any of the posters whose unnecessary messages I deleted bothered to report the thread to have it moved to the Newbie Lounge. Nice work. Obviously the way to make OCAU better is to have people post nasty, impolite messages, have admins delete them because they're against the forum rules, then have the posters of said messages whinge and whine about their messages being deleted and then suggest something constructive.


    Wrong again. That rule was put in place because people were flaming in the Newbie Lounge. It doesn't mean that 'anything goes' in the rest of the forums. Here's an analogy: If your local council puts up "No dumping" signs at sites that typically attract illegal dumping, does it imply that anywhere there is not a "No dumping" sign, you're allowed to dump whatever you like there? (The answer is 'No'.)

    To avoid you assuming the wrong thing in future, I'll set it out plainly for your benefit and the benefit of others that are in your camp.

    Why your posts are deleted:
    Your nasty, arrogant, impolite, mocking, holier-than-thou posts are deleted because they come across as nasty, arrogant, impolite, mocking and holier-than-thou.

    Your options:
    • Post polite answers to questions.
    • Don't post at all. Better yet, don't even look at threads that are beneath you.
    • Whinge that this place is going down the drain while choosing to do absolutely nothing constructive of your own accord, eventually culminating in you posting in this thread, and thus reinforcing a somewhat accurate stereotype about elitist IT "professionals" who continually choose to behave in an unprofessional manner.

    I hope I've covered everything. Feel free to post in the Site Discussion forum if you think you've been hard done by, and I (or others) will try to explain it again. However, this thread isn't the place to continue discussion about your behaviour, so any further posts on that topic will be deleted.
     
  13. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    43,983
    Location:
    Brisbane
    You want "drop", not "reject".

    "Reject" sends back a "host unreachable" statement, which ironically by default is ICMP. "Drop" simply drops the packet and does nothing further. Anything Internet-facing should use "drop", as it's easier to hide, and less likely to be abused in a DoS style attack.
     
  14. f3n1x

    f3n1x Member

    Joined:
    Mar 20, 2003
    Messages:
    1,704
    Location:
    Armadale, Melbourne
    It's also better if you choose specific forms of ICMP to drop. Wholesale dropping of "ICMP" causes transmission issues where fragmented packets are involved, because it uses ICMP to communicate information about MTU along the path. Specifically, you want to pass ICMP type 3.
     
  15. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    43,983
    Location:
    Brisbane
    On a controlled or shared services network, I'd agree. If it's Internet-facing, I just drop the lot and be done with it.
     
  16. f3n1x

    f3n1x Member

    Joined:
    Mar 20, 2003
    Messages:
    1,704
    Location:
    Armadale, Melbourne
    It's probably less needed on a controlled network than on the internet interface.

    When you block type 3 ICMP you're breaking this: Path MTU Discovery - Wikipedia, the free encyclopedia.

    95% of the time PMTUD is irrelevant, but if you connect to a remote host that's using, for example, a satellite connection or is using IPsec over a connection that uses PPPoE/A (8 bits of PPP encap, and at least 96 bits of ESP header), using your network that drops all ICMP, packets will go out, hit the target host, the target host sends back ICMP type 3 code 4 (Needs Fragmentation, Don't Fragment bit set), your host drops it and the client making the connection assumes a timeout and gives up. But this will only happen for some packets, so some things will work and some won't to the same host.

    But it's your network, and I'm sure we all do things that others would think not best practice.
     
    Last edited: Jul 2, 2012
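
The trade-off argued in posts 14 to 16, as an added example that is not part of the thread: it parses ICMP messages and compares a drop-everything inbound filter with one that drops only echo requests, showing that the first also discards the type 3 code 4 message Path MTU Discovery depends on. The policy names, the sample messages and the 1492-byte next-hop MTU are constructed for illustration.

```python
import struct

ECHO_REQUEST, DEST_UNREACH, FRAG_NEEDED = 8, 3, 4  # ICMP type, type, code

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type, code, rest, payload=b""):
    """Build a sample message; `rest` is the 4 header bytes after the checksum."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def parse_icmp(msg):
    """Return type, code and, for type 3 code 4, the next-hop MTU (RFC 1191)."""
    if len(msg) < 8 or inet_checksum(msg) != 0:
        raise ValueError("truncated or corrupt ICMP message")
    info = {"type": msg[0], "code": msg[1]}
    if (msg[0], msg[1]) == (DEST_UNREACH, FRAG_NEEDED):
        info["next_hop_mtu"] = struct.unpack("!H", msg[6:8])[0]
    return info

def drop_all(msg):
    """Blanket filter: every inbound ICMP message is silently discarded."""
    return "DROP"

def drop_ping_only(msg):
    """Selective filter: silence echo requests, let everything else through."""
    return "DROP" if parse_icmp(msg)["type"] == ECHO_REQUEST else "ACCEPT"

def path_mtu_after(policy, msg, current_mtu):
    """MTU the sending host uses once `msg` has met the inbound filter."""
    if policy(msg) == "ACCEPT":
        return min(current_mtu, parse_icmp(msg).get("next_hop_mtu", current_mtu))
    return current_mtu  # message never arrives: sender keeps the oversized MTU

# Constructed samples: an echo request, and a "fragmentation needed" message
# advertising a 1492-byte next hop (value chosen for illustration).
PING = build_icmp(ECHO_REQUEST, 0, struct.pack("!HH", 0x1234, 1), b"constructed")
FRAG = build_icmp(DEST_UNREACH, FRAG_NEEDED, struct.pack("!HH", 0, 1492), bytes(28))

if __name__ == "__main__":
    for name, policy in (("drop all", drop_all), ("drop ping only", drop_ping_only)):
        print(name, policy(PING), policy(FRAG), path_mtu_after(policy, FRAG, 1500))
```

Both filters leave the host silent to ping; only the selective one lets the sender lower its path MTU from 1500 to 1492.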
  17. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    43,983
    Location:
    Brisbane
    I had all sorts of dramas with PMTU just last week, in fact. I found setting a sensible MSS (MTU of the link minus 20*2) completely negated the need to deal with PMTU at all, and helped me fix a site that wanted to run jumbo frames on two sides of a WAN, but still have users mount shares (NFS and CIFS) across that same WAN.

    But that's by the by.
     
  18. evilasdeath

    evilasdeath Member

    Joined:
    Jul 24, 2004
    Messages:
    4,993
    To be honest it's not really worth blocking.

    Anyone that has a malicious intent doesn't care whether you allow or block ICMP.

    It's not like some old school routers that you could crash with excessive amounts of ICMP hitting the CPU.

    Ping (icmp echo request and reply) and traceroutes (icmp ttl exceeded) are both very useful in troubleshooting problems.
     
  19. biatch

    biatch Member

    Joined:
    Jun 18, 2002
    Messages:
    1,692
    Location:
    North Brisbane
    Blocking/dropping/rejecting ICMP is a pain in the ass. It's a useful protocol and necessary when trying to find problems.


    +1 to this.
    The Networking, Telephony & Internet forum on OCAU is barely needed. It has very very few relevant posts.
    As much as I hate to say it, whirlpool is a better place for network discussion than this forum.

    Threads like this one only contribute to the problem.
     
