223 lines
8.7 KiB
HTML
223 lines
8.7 KiB
HTML
<!--startcut ======================================================= -->
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
|
|
<html>
|
|
<head>
|
|
<META NAME="generator" CONTENT="lgazmail v1.3C.j">
|
|
<TITLE>The Answer Guy 52: Shutting Down the "ping Daemon"</TITLE>
|
|
</HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"
|
|
LINK="#3366FF" VLINK="#A000A0">
|
|
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
<H4>"The Linux Gazette...<I>making Linux just a little more fun!</I>"</H4>
|
|
<P> <hr> <P>
|
|
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
<center>
|
|
<H1><A NAME="answer">
|
|
<img src="../../gx/dennis/qbubble.gif" alt="(?)"
|
|
border="0" align="middle">
|
|
<font color="#B03060">The Answer Guy</font>
|
|
<img src="../../gx/dennis/bbubble.gif" alt="(!)"
|
|
border="0" align="middle">
|
|
</A></H1>
|
|
<BR>
|
|
<H4>By James T. Dennis,
|
|
<a href="mailto:linux-questions-only@ssc.com">linux-questions-only@ssc.com</a><BR>
|
|
LinuxCare,
|
|
<A HREF="http://www.linuxcare.com/">http://www.linuxcare.com/</A>
|
|
</H4>
|
|
</center>
|
|
|
|
<p><hr><p>
|
|
<!-- endcut ======================================================= -->
|
|
<!-- begin 12 -->
|
|
<H3 align="left"><img src="../../gx/dennis/qbubble.gif"
|
|
height="50" width="60" alt="(?) " border="0"
|
|
>Shutting Down the "ping Daemon"</H3>
|
|
|
|
|
|
<p><strong>From Adrian on Tue, 21 Mar 2000
|
|
</strong></p>
|
|
<!-- ::
|
|
Shutting Down the "ping Daemon"
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
:: -->
|
|
<P><STRONG>
|
|
Hello,
|
|
</STRONG></P>
|
|
<P><STRONG>
|
|
I was just wondering how I could shutdown the ping daemon.
|
|
I have looked in <tt>inetd.conf</tt> and most of the other startup
|
|
scripts..yet no avail. Can you help?
|
|
</STRONG></P>
|
|
<P><STRONG>
|
|
Thanks.
|
|
</STRONG></P>
|
|
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
|
|
HEIGHT="28" WIDTH="50" BORDER="0"
|
|
>
|
|
I presume you want to prevent your system from responding
|
|
to a '<tt>ping</tt>' command.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
The '<tt>ping</tt>' command generates "ICMP echo request" packets
|
|
(ICMP is the "internet control messaging protocol"). There
|
|
is no daemon that generates the ICMP echo replies. Those are
|
|
generated by your kernel.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
To prevent your system from responding to them you could simply
|
|
use <tt>ipfwadm</tt> or <tt>ipchains</tt>
|
|
--- adding a rule to your Linux kernel's
|
|
packet filtering tables. Obviously you must have the
|
|
corresponding kernel features enabled (most recent distributions
|
|
ship with ipfwadm/ipchains features enabled, so this is a
|
|
no-brainer for most of us).
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
Here's a rule to prevent your system from sending ICMP echo
|
|
replies:
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE><BLOCKQUOTE><CODE>
|
|
ipchains -A output -p icmp --icmp-type pong -j DENY
|
|
</CODE></BLOCKQUOTE></BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
(Note: Rusty seems to have included a pun/alias here ---
|
|
"<tt>pong</tt>" can be used instead of the longer "echo-reply" keyword
|
|
option to the <TT>--icmp-type</TT> switch).
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
This particular example requires a 2.2 kernel. 2.0 kernels
|
|
use the ipfwadm command something like:
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE><BLOCKQUOTE><CODE>
|
|
ipfwadm -I -a deny -P icmp -S 0.0.0.0/0 0
|
|
</CODE></BLOCKQUOTE></BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
This is a bit more cryptic. The <TT>-P</TT> icmp sets the protocol,
|
|
which modifies the way that the <TT>-S</TT> (source address) pattern
|
|
is interpreted. Normally a source address pattern for ipfwadm
|
|
consists of a "dotted quad" network or host number, optionally
|
|
followed by a "/ significant bits" modifier and optionally
|
|
followed by a list of ports (TCP or UDP, according to the
|
|
protocol). However, when the protocol is ICMP the this last
|
|
component of the address pattern is interpreted as a numeric ICMP
|
|
type.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
According to RFC 792 (the "request for comments" document that
|
|
covers the "Internet Control Message Protocol") the echo reply
|
|
ICMP packet is of type 8. According to the '<tt>ipfwadm</tt>' man page
|
|
the ICMP type can only be used with the <TT>-S</TT> option, it can't be
|
|
used with <TT>-D</TT> (destination) address patterns.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
Anyway, it's not necessary a good idea to block ICMP echo
|
|
replies and it's definitely a BAD idea to blindly block all ICMP
|
|
traffic. (In particular blocking things like "destination
|
|
unreachable" and "fragmentation needed when DF option set" will
|
|
cause problems for your systems when they are trying to
|
|
engage in legitimate TCP/IP communications).
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
I really suggest reading the IPChains HOWTO (perhaps starting
|
|
with a "serious example":
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE><BLOCKQuote>
|
|
<A HREF="http://www.linux.org/help/ldp/howto/IPCHAINS-HOWTO-7.html"
|
|
>http://www.linux.org/help/ldp/howto/IPCHAINS-HOWTO-7.html</A>
|
|
</BLOCKQuote></BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
... before you implement any of these rules.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
Incidentally, note that IPChains will probably be phased out
|
|
of future kernels in favor of the Netfilter (IPTables)
|
|
architecture that's now being integrated into 2.3.x for
|
|
inclusion into 2.4. Hopefully this will settle down the
|
|
kernel packet filtering code for awhile.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
Over the years we've gone through ipfw (1.2), ipfwadm (2.0),
|
|
ipchains (2.2) and now iptables/ipnatctl (2.4). These have each
|
|
been major improvements over the last. However -- it is a bit of
|
|
a disruption for us poor sysadmins in the field. Luckily
|
|
netfilter supports a modular approach allowing the actual
|
|
filtering to be down by ipfwadm or ipchains "compatibility"
|
|
modules. Hopefully the future enhancements and netfilter modules
|
|
can be deployed without much disruption to those who need to
|
|
upgrade a kernel for reasons other than their packet filters.
|
|
</BLOCKQUOTE>
|
|
|
|
<!-- sig -->
|
|
|
|
|
|
<!-- end 12 -->
|
|
<!--startcut ======================================================= -->
|
|
<P> <hr> <P>
|
|
<H5 align="center"><a href="http://www.linuxgazette.com/copying.html"
|
|
>Copyright ©</a> 2000, James T. Dennis
|
|
<BR>Published in <I>The Linux Gazette</I> Issue 52 April 2000</H5>
|
|
<H6 ALIGN="center">HTML transformation by
|
|
<A HREF="mailto:star@tuxtops.com">Heather Stern</a> of
|
|
Tuxtops, Inc.,
|
|
<A HREF="http://www.tuxtops.com/">http://www.tuxtops.com/</A>
|
|
</H6>
|
|
<P> <hr> <P>
|
|
<!-- begin tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::-->
|
|
<TABLE WIDTH="95%"><TR VALIGN="center" ALIGN="center">
|
|
<TD colspan="2" rowspan="2"><A
|
|
HREF="../lg_answer52.html"
|
|
><IMG SRC="../../gx/dennis/answernew.gif"
|
|
ALT="[ Answer Guy Current Index ]"></A>
|
|
<TD colspan="2" rowspan="2"><A
|
|
HREF="../../tag/kb.html"
|
|
><IMG SRC="../../gx/dennis/answertoc.gif"
|
|
ALT="[ Index of Past Answers ]"></A></td>
|
|
<TD WIDTH="11%"><A HREF="../lg_answer52.html#greeting"><img
|
|
src="../../gx/dennis/smily.gif" alt="greetings" border="0"></A></TD>
|
|
<TD WIDTH="11%"><A HREF="1.html">1</A></TD>
|
|
<TD WIDTH="11%"><A HREF="2.html">2</A></TD>
|
|
<TD WIDTH="11%"><A HREF="3.html">3</A></TD>
|
|
<TD WIDTH="11%"><A HREF="4.html">4</A></TD>
|
|
</TR><TR VALIGN="center" ALIGN="center">
|
|
<TD WIDTH="11%"><A HREF="5.html">5</A></TD>
|
|
<TD WIDTH="11%"><A HREF="6.html">6</A></TD>
|
|
<TD WIDTH="11%"><A HREF="7.html">7</A></TD>
|
|
<TD WIDTH="11%"><A HREF="8.html">8</A></TD>
|
|
<TD WIDTH="11%"><A HREF="9.html">9</A></TD>
|
|
</TR><TR VALIGN="center" ALIGN="center">
|
|
<TD WIDTH="10%"><A HREF="10.html">10</A></TD>
|
|
<TD WIDTH="10%"><A HREF="11.html">11</A></TD>
|
|
<TD WIDTH="10%"><A HREF="12.html">12</A></TD>
|
|
<TD WIDTH="10%"><A HREF="13.html">13</A></TD>
|
|
<TD WIDTH="11%"><A HREF="14.html">14</A></TD>
|
|
<TD WIDTH="11%"><A HREF="15.html">15</A></TD>
|
|
<TD WIDTH="11%"><A HREF="16.html">16</A></TD>
|
|
<TD WIDTH="11%"><A HREF="17.html">17</A></TD>
|
|
</TR><TR VALIGN="center" ALIGN="center">
|
|
<TD WIDTH="10%"><A HREF="18.html">18</A></TD>
|
|
<TD WIDTH="10%"><A HREF="19.html">19</A></TD>
|
|
<TD WIDTH="10%"><A HREF="20.html">20</A></TD>
|
|
<TD WIDTH="10%"><A HREF="21.html">21</A></TD>
|
|
<TD WIDTH="11%"><A HREF="22.html">22</A></TD>
|
|
<TD WIDTH="11%"><A HREF="23.html">23</A></TD>
|
|
<TD WIDTH="11%"><A HREF="24.html">24</A></TD>
|
|
</TR></TABLE>
|
|
<!-- end tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::::-->
|
|
<P> <hr> <P>
|
|
<!-- begin lgnav ::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
<A HREF="../index.html"
|
|
><IMG SRC="../../gx/indexnew.gif" ALT="[ Table Of Contents ]"></A>
|
|
<A HREF="../../index.html"
|
|
><IMG SRC="../../gx/homenew.gif" ALT="[ Front Page ]"></A>
|
|
<A HREF="../lg_bytes52.html"
|
|
><IMG SRC="../../gx/back2.gif" ALT="[ Previous Section ]"></A>
|
|
<A HREF="../../faq/index.html"
|
|
><IMG SRC="../../gx/dennis/faq.gif"
|
|
ALT="[ Linux Gazette FAQ ]"></A>
|
|
<A HREF="../lg_tips52.html"
|
|
><IMG SRC="../../gx/fwd.gif" ALT="[ Next Section ]"></A>
|
|
<!-- end lgnav ::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
</BODY></HTML>
|
|
<!--endcut ========================================================= -->
|