Koozali.org: home of the SME Server

ping the server

frank schulz

ping the server
« on: November 08, 2001, 06:31:33 PM »
I have installed SME Server 5 and it works fine. I can manage the server over HTTP and SSH, but I can't ping the server from any workstation. Why?

Chris O'Donovan

Re: ping the server
« Reply #1 on: November 09, 2001, 03:07:14 AM »
Are the machines on the same subnet? Some routers are configured not to allow pings to pass through them.

More details of your network setup would be helpful.

Chris

Luckydog

Re: ping the server
« Reply #2 on: November 09, 2001, 06:59:31 AM »
From what I can see E-Smith v5 is designed to not allow incoming ICMP.
This is popularly used to decrease a server's visibility.

In my E-Smith v5.0 setup, my internal network is 10.1.1.x

In /etc/rc.d/init.d/masq I can see the following rules:

    /sbin/ipchains --append output -p icmp --source 10.1.1.0/255.255.255.0 --destination 0.0.0.0/0 -j ACCEPT
    /sbin/ipchains --append icmpIn --jump denylog
    /sbin/ipchains --append icmpOut --jump denylog

This appears to allow pings from within the private network to get out, but
pings into E-Smith from any source get ignored.

Since my E-Smith machine is 10.1.1.1, the following rule will allow it to be pinged:

    /sbin/ipchains --insert input -p icmp --source 10.1.1.0/255.255.255.0 --destination 10.1.1.1 -j ACCEPT
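
Added example, not part of the original post or of E-Smith's own scripts: a small Python model of first-match rule evaluation showing why the rule above uses `--insert` rather than `--append`, and that scoping the source to the LAN leaves pings from other networks denied. The chain contents and default policy are assumptions standing in for the real masq script; 203.0.113.5 is a constructed outside address.

```python
import ipaddress

# Constructed model of first-match chain evaluation; this is not ipchains code.
# A rule is (protocol, source network, destination network, target).

def rule(proto, src, dst, target):
    return (proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), target)

def base_input_chain():
    # Assumption: incoming ICMP ends at a catch-all deny, standing in for
    # the icmpIn -> denylog jump quoted in the post.
    return [rule("icmp", "0.0.0.0/0", "0.0.0.0/0", "DENY")]

def verdict(chain, proto, src, dst):
    """Return the target of the first rule that matches the packet."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_proto, r_src, r_dst, target in chain:
        if r_proto == proto and src_ip in r_src and dst_ip in r_dst:
            return target
    return "DENY"  # assumed default policy for this model

def lan_ping_rule(lan="10.1.1.0/255.255.255.0", server="10.1.1.1"):
    # The post's rule: ICMP from the internal network to the server only.
    return rule("icmp", lan, server, "ACCEPT")

def with_insert(chain, new_rule):
    return [new_rule] + chain   # --insert puts the rule at the head

def with_append(chain, new_rule):
    return chain + [new_rule]   # --append puts the rule at the tail

if __name__ == "__main__":
    base = base_input_chain()
    allow = lan_ping_rule()
    cases = [
        ("stock chain, LAN ping", base, "10.1.1.20"),
        ("--insert, LAN ping", with_insert(base, allow), "10.1.1.20"),
        ("--append, LAN ping", with_append(base, allow), "10.1.1.20"),
        ("--insert, outside ping", with_insert(base, allow), "203.0.113.5"),
    ]
    for label, chain, src in cases:
        print(f"{label:24} -> {verdict(chain, 'icmp', src, '10.1.1.1')}")
```

With `--append` the new rule sits behind the deny and is never reached, which is why the post inserts it at the head of the chain.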

frank schulz

Re: ping the server
« Reply #3 on: November 09, 2001, 10:45:34 AM »
Hello, all the machines get their addresses via DHCP from the server, and they are in the same subnet. The server has the address 192.168.19.1, and the machines are in the range 192.168.19.66-192.168.19.240. DHCP works correctly and I can ping between the clients. Telnet to 192.168.19.1 also works.

frank schulz

Re: ping the server
« Reply #4 on: November 09, 2001, 10:51:04 AM »
Thanks for this info, I think that is the solution. In e-smith 4.12 this was not implemented; pinging the server was allowed.

Luckydog

Re: ping the server
« Reply #5 on: November 09, 2001, 11:49:58 AM »
There is much debate in the firewall community about the value of denying ICMP.

Regardless, denying appears to be the direction that the E-smith developers took.

If you choose to use this command to allow pings, you should build a custom
template fragment to implement this.
You could put it in rc.local, but I found masq restarts for all sorts of reasons and your rc.local changes will be lost till the next reboot.

To reverse the effect of the copy, change the word 'insert' to the word 'delete'.

Terry Brummell

Re: ping the server
« Reply #6 on: November 09, 2001, 02:00:07 PM »
My bone stock SME v5 box allows me to ping it from the internal interface side. Guess that throws that idea out the window!

Terry

frank schulz wrote:
>
> Thanks for this info, I think that is the solution. In
> e-smith 4.12 this was not implemented; pinging the server was
> allowed.

Luckydog

Re: ping the server
« Reply #7 on: November 10, 2001, 06:02:54 AM »
On install you have the choice of a Private or a Public Gateway.
I wonder if you chose to be 'Public' then you are pingable, and private you are not....