Topic: Block Ping packets

[jason]

How can I disable ICMP ping or ICMP altogether on the SME 5.6U4 server?  Due to various viruses running rampant especially Welchia/Nachi, the server crawls from all the pinging it receives for forwarding and to itself.  So basically I just need to disable the clients who are infected from pinging the SME and through the SME.  I have searched and searched the forums and haven't found any thing specific on disabling ping.  Any help will be much appreciated.  Thank you.

[Klaus Eckert]

you cannot disable the answer to a ping, because it is a basically operation-system feature.
the only you can try is to disable *all* answers to those client which punch your server.

good luck.

cheers klaus

[Tyrone Miles]

Check out this post.

http://forums.contribs.org/index.php?topic=18263.msg71677#msg71677

[RayG]

I never did get any responce to that post and havn't found any answers on my own.

I ended up disabling the snort rule that was logging the virus related ping traffic. That has improved server performance by reducing snort's processing. But it isn't really a good solution because the pings are still being replied to and that invites additional traffic from the infected machine.

[jason]

Thanks Tyrone for the post.  I've been out sick these past couple of days.

I read the post that you suggested before I posted knowing how annoying it is for people to post without searching first.  I did as that post suggested by modifying the masq templates, but unfortuntely that only blocked pinging to the interfaces of the e-smith.  The clients can still ping through the e-smith (smeserver) thus causing a huge load on the CPU and bringing our T-1 down.  

Originally I had our clients going through a M$ ISA server.  I know, I know it's Microsoft.  When the welchia worm hit the ISA server's CPU was 100% the entire time until I would unplug the infected node.  Then I decided to use NetBoz (a free, simple FreeBSD CD-based firewall) thinking that it would stop it.  It didn't either.  Once I disabled the ping feature on the NetBoz everything works great.  I would stick with the NetBoz, but since it is CD-based I can't add any monitoring to it.  So that's why I'm trying to use the SME server.  

So if anyone could help me to figure out how to disable pinging through and to the sme server I would still appreciate it.  Thanks.

[Tyrone Miles]

Have you looked at clark connect. They have a product that is similar to e-smith but the firewall product has a detailed configuration interface.

That or IP cop or Smoothwall.

http://www.clarkconnect.org/

http://www.ipcop.org/cgi-bin/twiki/view/IPCop/WebHome

http://smoothwall.org/

[jason]

Thanks Tyrone for the links.

It seems like the Smoothwall would work, but it seems that all these distributions allow everything by default rather than only enabling the ports you need.  Thanks again for the help.

[Tyrone Miles]

Yea those three are designed for people who know a little about firewalls and want to start from scratch locking things down. That way you can make your own custom configurations.  

Being that Smoothwall and IP Cop are stand alone firewalls there is no way they could know what you need untill you configure the firewall and tell it what you are running (Unlike e-smith which has the firewall rules set based on the services you have on the server)

[jason]

Have you seen the NetBoz?  It seems to do it very simply.  Of course opening new ports that aren't built-in to the system are a little tricky, but at least I can start with just what I want and then add more later.  Thanks again Tyrone.

[Tyrone Miles]

Thanks for the info bro. Netboz seems NICE. and I love the CD rom idea.