limit on ping?

Post by Tim Haynes » Sun, 09 Dec 2001 06:31:39

> I have noted that many of the admins on this news group drop
> echo-requests, but I find there is sometimes a need to have ping
> working....

Yes; you can break PMTU discovery if you're not careful.

> Is using limit, like the example below, a good compromise? or am I asking
> for trouble?

> iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -m limit
> --limit 4/second -j ACCEPT

It's a reasonable idea; you can also stick `400' in
/proc/sys/net/ipv4/icmp_ratelimit; try that with
        ping
        ping -i 3
        ping -i 4
        ping -i 5
and see what happens.

~Tim
--

(seen during a recent, >y2000, installation)|http://spodzone.org.uk/

Post by Ian Jone » Sun, 09 Dec 2001 07:58:18

>> I have noted that many of the admins on this news group drop
>> echo-requests, but I find there is sometimes a need to have ping
>> working....

> Yes; you can break PMTU discovery if you're not careful.

Don't the OSes that use large ICMP for PMTU discovery have a fall-back
mechanism? We are talking about older AIX and HPUX, right?

>> Is using limit, like the example below, a good compromise? or am I asking
>> for trouble?

Are you by any chance trying to enable _outgoing_ echo requests? You can do
that without allowing echo requests inbound.

Post by Tim Haynes » Sun, 09 Dec 2001 08:25:12

> > Yes; you can break PMTU discovery if you're not careful.

> Don't the OSes that use large ICMP for PMTU discovery have a fall-back
> mechanism? We are talking about older AIX and HPUX, right?

I think the fall-back mechanism is the wond'rously complex `just don't
bother' approach.

Then again, some of PMTU confuses me anyway; why don't I see vast hordes of
large icmp 8/0 packets in my firewall logs, one for each host I contact?

~Tim
--

Sinking suns on a sea of thrills            |http://spodzone.org.uk/

Post by Hal Burgiss » Sun, 09 Dec 2001 08:40:47

On 07 Dec 2001 23:25:12 +0000, Tim Haynes

> Then again, some of PMTU confuses me anyway; why don't I see vast
> hordes of large icmp 8/0 packets in my firewall logs, one for each
> host I contact?

Actually PMTU uses 3/0 Destination Unreachable, so if you allow that
(probably a good idea), you wouldn't see it:

http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2923.html:

 Classification
 Non-interoperation -- connectivity failure

Description
 A host performs Path MTU Discovery by sending out as large a packet as
 possible, with the Don't Fragment (DF) bit set in the IP header. If the
 packet is too large for a router to forward on to a particular link, the
 router must send an ICMP Destination Unreachable -- Fragmentation Needed
 message to the source address. The host then adjusts the packet size
 based on the ICMP message.

==================

You could probably test this by setting MTU > 1500.

--
Hal Burgiss

Post by Ian Jone » Sun, 09 Dec 2001 09:10:26

>> > Yes; you can break PMTU discovery if you're not careful.

>> Don't the OSes that use large ICMP for PMTU discovery have a fall-back
>> mechanism? We are talking about older AIX and HPUX, right?

> I think the fall-back mechanism is the wond'rously complex `just don't
> bother' approach.

> Then again, some of PMTU confuses me anyway; why don't I see vast hordes of
> large icmp 8/0 packets in my firewall logs, one for each host I contact?

I don't think very many OSs use the large ICMP thing. It is (IMMHO) a
Bad Idea[tm] to begin with. With TCP connections, for example, we have
MSS (Maximum Segment Size) in the TCP options. This is now the default
for win and lin boxes.

For example, this just came in:
15:59:38.369629 64.65.61.142.3989 > xx.xx.xx.xx.111: S 2892768663:2892768663(0)
win 32120 <mss 1460,sackOK,timestamp 35171513[|tcp]> (DF) (ttl 50, id 25816, len 60)

0x0010   xxxx xxxx 0f95 006f ac6c 2597 0000 0000        xxxx...o.l%.....
0x0020   a002 7d78 4361 0000 0204 05b4 0402 080a        ..}xCa..........
0x0030   0218 acb9 0000                                 ......

Despite the fact that it was a scan for portmapper (gee, pick a random
packet for example's sake and wouldn't you know it we have a probe :),
you can see that the DF flag was set so a route could fire back a
frag-needed icmp if it was needed (or didn't want to listen to the
options), but in the TCP options you see that the mss for the sender
is 1460.

A UDP data stream would need to rely on the old frag-needed ICMP to
find the MTU. Because of paranoid people like us, MTU discovery is
becoming more and more broken all the time as ICMP is more and more
considered to be a bad thing to allow.

Post by Ian Jone » Sun, 09 Dec 2001 09:40:01

>> Then again, some of PMTU confuses me anyway; why don't I see vast
>> hordes of large icmp 8/0 packets in my firewall logs, one for each
>> host I contact?

> Actually PMTU uses 3/0 Destination Unreachable, so if you allow that
> (probably a good idea), you wouldn't see it:

That is 3/4 (type three, code four).
The real problem is that most (paranoid) admins restrict outgoing
Dest.Unreach errors to prevent mapping of policies and services.
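An iptables policy that puts the thread's three points together: the rate-limited inbound echo-request from the original post, replies to the host's own outgoing pings without any inbound echo-request allowance (Ian's point), and the type 3 code 4 fragmentation-needed messages that PMTU discovery depends on (Hal's and Ian's point), leaving in both directions. This is an added example, not a rule set from any poster; the eth0 interface and 4/second rate come from the original post, while the burst value, the logging rule and the IPT override used for dry runs are my assumptions.

```shell
#!/bin/sh
# Added example: ICMP policy for an iptables INPUT/OUTPUT chain.
# IPT defaults to iptables; set IPT=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"
IFACE="${IFACE:-eth0}"        # interface used in the original post
RATE="${RATE:-4/second}"      # steady-state limit from the original post
BURST="${BURST:-8}"           # assumption: short burst tolerated above RATE

icmp_policy() {
    # Replies to pings this host sent: conntrack marks them ESTABLISHED,
    # so outgoing ping works without accepting inbound echo-request at all.
    "$IPT" -A INPUT -i "$IFACE" -p icmp --icmp-type echo-reply \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ICMP type 3 code 4 (fragmentation-needed) must reach us, or PMTU
    # discovery for our own connections fails silently.
    "$IPT" -A INPUT -i "$IFACE" -p icmp --icmp-type fragmentation-needed -j ACCEPT

    # Inbound echo-request, rate-limited as in the original post, with a burst.
    "$IPT" -A INPUT -i "$IFACE" -p icmp --icmp-type echo-request \
        -m limit --limit "$RATE" --limit-burst "$BURST" -j ACCEPT

    # Whatever exceeds the limit: log at most once a minute, then drop.
    "$IPT" -A INPUT -i "$IFACE" -p icmp --icmp-type echo-request \
        -m limit --limit 1/minute -j LOG --log-prefix "icmp-echo-flood: "
    "$IPT" -A INPUT -i "$IFACE" -p icmp --icmp-type echo-request -j DROP

    # Our own fragmentation-needed errors must still leave, otherwise remote
    # hosts lose PMTU discovery toward us (the "paranoid admin" failure mode).
    "$IPT" -A OUTPUT -o "$IFACE" -p icmp --icmp-type fragmentation-needed -j ACCEPT
}
```

Run `IPT=echo sh -c '. ./icmp_policy.sh; icmp_policy'` to review the generated rules before loading them as root.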
