Koozali.org: home of the SME Server

Where do I top up my box with more PINGs...

Robert Harlow

Where do I top up my box with more PINGs...
« on: October 02, 2003, 08:58:31 PM »
...as the darned thing has sent out so many recently that it surely must be running out;~/

SME5.6u4 server/gateway - staticIP - rural wireless broadband

Have Guardian/Snort/ACID on board now; the number of foreign countries using/abusing my pinger is, frankly, ludicrous. I am unable to get the combo to block the icmp pinger fraternity. Yes, it does block the occasional scan and IDA idiocy etc etc. But it never takes any action to quell the persistent pingers:-(

I have been attempting to turn OFF the ping responder but still maintain whatever ping functionality that System Monitor needs to produce its gateway charts. The production of particular chart is an absolute necessity.

Searching the database has revealed nothing edifying. The nearest I get is an inappropriate spiel on the use of ipchains and DENY. For some unknown reason my box does not like the ipchains command or the DENY attribute but laps up the iptables command and DROP attribute. Please tailor any advice accordingly!

Have tried the following to quash my box's unfortunate propensity to be ingratiatingly helpful to all my Dutch, Israeli, Russian, French or Romanian incoming/probing ping requests...

/sbin/iptables -A INPUT --destination mystaticIP/32 --protocol icmp --icmp-type echo-request -j DROP -i eth1

...but seemingly this is ineffective. So I have also tried (permanently) blocking the IPs of the most persistent offenders, the never-let-up zombie that ACID keeps identifying, using...

/sbin/iptables -A INPUT -t filter -j DROP -s zombieIP

...but an hour later I see the same damn IPs appearing on the ACID report lines:-|

Why can't I get my SME box to quit responding to probing pings?

best wishes, Robert

Dan Brown

Re: Where do I top up my box with more PINGs...
« Reply #1 on: October 02, 2003, 09:11:41 PM »
Your box doesn't like ipchains because it's running a 2.4 series kernel.  ipchains belonged to 2.2.

A quick google search of "iptables block icmp" came up with a page that looks helpful:

http://www.linuxquestions.org/questions/archive/4/2002/06/2/22708

Robert Harlow

Re: Where do I top up my box with more PINGs...
« Reply #2 on: October 02, 2003, 09:30:49 PM »
VERY helpful Dan, had not thought that Google would have a SME-compatible workaround:-) Have undone my existing icmp-type command line using -D and now having a go with those four ACCEPT clauses and the associated jump clause. Will advise results dreckly... :-)

best wishes, Robert

Robert Harlow

Re: Where do I top up my box with more PINGs...
« Reply #3 on: October 02, 2003, 10:09:05 PM »
ACID report lines seem a *bit* more sparse than I have seen of late, probably need a bit more time to evaluate. There's one ICMP PING CyberKit 2.2 Windows line listed, perhaps the report was in a buffer somewhere or something.

Absolute disaster for the System Monitor's gateway (packet loss and latency), it looks completely knackered and wholly unusable. The production of the gateway packet loss and latency graphs is pretty much a necessity here:-|

best wishes, Robert

RayG

Re: Where do I top up my box with more PINGs...
« Reply #4 on: October 02, 2003, 10:33:12 PM »
SME 5.6 uses iptables instead of ipchains. The INPUT table routes incoming icmp traffic to the icmpIn table.

You can get a better idea of what pings are coming in with:

iptables -L icmpIn -v                   (that's a capital "L" and lower case "v")

That will show the number of packets and bytes for each of the incoming icmp types the machine is set up to handle.

You can see what your outbound icmp traffic looks like with:

iptables -L icmpOut -v


I have made a small mod to my masq configuration to DROP the Cyberkit 2.2 pings but leave the rest of icmp intact. The Cyberkit pings are somewhat unique in that they are 92 bytes long and that makes them easy to filter based on length. If the pings used by your reporting package are unique enough, you will be able to pass them while blocking all other pings.

A more detailed description of the traffic you're trying to stop would be helpful in tailoring a solution.

Robert Harlow

Re: Where do I top up my box with more PINGs...
« Reply #5 on: October 02, 2003, 11:23:54 PM »
Ray

With your command lines I see...
icmpIn 10MB echo-reply
icmpOut 12MB echo-request

Simplistically I would like to silence my box from responding to any ping requests whether they be benign or intrusive/probing. Would like all the error lines in ACID to be sporadic ie normal? instead of all these (apparent) alarm line entries. My box is not mainstream. It does not have to support all this ping activity that is going on!

Coincidentally the broadband guys have just *done something*. Earlier they were intending to install a new/spare router. Now all hell seems to have broken loose.

I will have to return to the earlier test in due course as even though I've normalised those iptables lines my System Monitor's gateway packet loss and latency graphs are still a disaster and my connectivity is distinctly strange and iffy. Shades of bedlam at the moment. I picked a very bad time to mess with server iptables:-|

best wishes, Robert

RayG

Re: Where do I top up my box with more PINGs...
« Reply #6 on: October 03, 2003, 09:15:52 AM »
The joy of doing things the "e-smith way" is that you can simply delete your custom templates, rebuild the config file, and you're back to factory defaults. Annoying system that I curse on a regular basis but it's saved my bacon on many occasions.

I'm not sure you can kill icmp completely and still get proper reporting from your bandwidth/latency monitor.

Robert Harlow

Re: Where do I top up my box with more PINGs...
« Reply #7 on: October 03, 2003, 11:48:31 PM »
The broadband engineers have finished faffing about (for the moment) and I'm finally back in service.

That disastrous looking System Monitor gateway graph (packet loss/latency) was actually the portent of the broadband *episode* and not anything to do with the command lines that I had just input:-) Those five lines are now running once again and the graph is (seemingly) as it ought to be... Progress!

Too soon to say whether it (alone) stops my ever-persistent pests' pings. It certainly hasn't stopped all the incoming ping requests, still have *ICMP PING CyberKit 2.2 Windows* logging lines appearing in ACID.

Now trying the echo 1/0 idea promulgated in Dan's Google-sourced reference... and, nope, still getting report lines in ACID:~/

So, even both ideas running concurrently, my ACID logs still report these pointless ping requests and my box still wastes its resources responding. The only winners appear to be the pests getting their rocks off receiving ping responses from my box...(!?) What have I to do to stop this foolishness...

best wishes, Robert

Robert Harlow

Re: Where do I top up my box with more PINGs...
« Reply #8 on: October 03, 2003, 11:57:25 PM »
Ray, you mentioned a minor mod to masq to specifically drop Cyberkit pings... Is this something I can attempt...? The absolute majority of the logging lines are listed as *ICMP PING CyberKit 2.2 Windows*.

best wishes, Robert

RayG

Re: Where do I top up my box with more PINGs...
« Reply #9 on: October 04, 2003, 06:02:32 AM »
This is what I did to block the "Cyberkit 2.2" pings that are being generated by worm infected computers. I had posted a less detailed version looking for comments from those more experienced but didn't get any response. None of this is original thinking. I've just compiled a LOT of reading into a masq modification done the e-smith way. Comments, suggestions, and flames are all welcome.

This mod requires an iptables module that was not included with version 1.2.5-3 used in SME 5.6. The module is included in the previous version so I located and downloaded a copy of
iptables-1.2.5-2.i386.rpm. Once this rpm is on your SME box, use Midnight Commander to extract just /lib/iptables/libipt_length.so and copy it to the hard drive at /lib/iptables/libipt_length.so. Midnight Commander will let you browse and copy files in an rpm the same as you do in the rest of the file system.

If you haven't already, create a custom template directory for masq
    mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq

Copy the icmpin template fragment to the appropriate custom template directory
    cp /etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowICMPIn /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40AllowICMPIn

Edit the custom template fragment
    pico /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40AllowICMPIn

Down about line 25 it says "foreach my $icmpType (@OKicmpTypes)".
Just above that line add the following as a single line:
    $OUT .= "\n    /sbin/iptables --append icmpIn --proto icmp --icmp-type echo-request --in-interface \$OUTERIF -m length --length 92 --jump DROP\n\n";

I also added a comment explaining the new rule because my memory isn't quite what it used to be
    $OUT .= "\n    # Rule added to block incoming pings from the Nachi/Welchia worm\n";

Save the file

Rebuild the masq configuration file
    /sbin/e-smith/expand-template /etc/rc.d/init.d/masq

Restart masq
    service masq restart

Snort will still detect the incoming "Cyberkit 2.2 pings" but you can stop that by commenting out the Cyberkit detection rule in /etc/snort/icmp.rules down about line 29. Restart snort with "service snortd restart". You can verify the 92 byte pings are being dropped with "iptables -L icmpIn -v" and you can verify your server is not responding to them with "iptables -L icmpOut -v". You will likely still see a few echo requests and replies as the point of this hack is to dull the worm's roar without breaking icmp completely. At the time of this writing I have 42,705 dropped 92 byte echo requests and just 84 accepted echo requests. And the expected 84 echo replies of course.

Robert Harlow

Re: Where do I top up my box with more PINGs...
« Reply #10 on: October 04, 2003, 05:53:03 PM »
Ray

All this looks really good but I can't replicate your initial step;~/

I already have the CD of the previous version of SME (5.5) but it does not seem to have the module you quoted.

Indeed SME-5.5 hasn't even got iptables but ipchains... something I picked up from Dan (due to kernel change). Please would you check your paragraph relating to the starting conditions ie that special module and its whereabouts?

Have tried rpmfinder but have drawn a blank there and their UK-based mirror seems unavailable at the moment.

So, a bit stumped. Currently downloading all the RH7.2 iso files in the hope that it is embedded in those editions...

best wishes, Robert

Robert Harlow

Re: Where do I top up my box with more PINGs...
« Reply #11 on: October 04, 2003, 06:52:40 PM »
Downloaded both RH7.7 iso files - F3/view  in MC and then F7/search for the string libipt_length.so but found nothing.

Then tried the RH9 iso files and the F7/search string threw up a hit in the first iso file, so it may be worth my while bringing forward the burning of those iso files into CDs:-) Assuming this is successful do you foresee a problem using that library file ie from a more modern distribution?

best wishes, Robert

RayG

Re: Where do I top up my box with more PINGs...
« Reply #12 on: October 04, 2003, 07:42:44 PM »
Sorry for the confusion. I meant the previous version of iptables. Google for iptables-1.2.5-2.i386.rpm and you should find several places to download from.

As far as I can tell, the dash versions are mostly just bug fixes so I figured there wouldn't be much harm in trying a module from a distribution that was just one dash rev lower. Iptables does complain if you try to load a module from a different decimal rev like iptables-1.2.8 for example.

A better solution would be to compile libipt_length.so from the iptables-1.2.5-3.src.rpm but that's a bit beyond my abilities right now.

Robert Harlow

Re: Where do I top up my box with more PINGs...
« Reply #13 on: October 04, 2003, 11:21:11 PM »
Ray

It's taken me all day to give up searching for a way for MC to extract that file from the rpm. I have also now d/l all three redhat-9 iso files and both redhat-7.2 files. Found an appropriate iptables area on the 1st disc of the RH9 set but think that it is too modern - as per your comment. Finally I found another way to extract the file using a command line thing called rpm2cpio.

I have followed the rest of your instructions. After the point where masq restarts I get the following reported...

-----------------------------------------
[root@nas600 masq]#  service masq restart

Shutting down IP masquerade and firewall rules:         Done!

Enabling IP masquerading: iptables v1.2.5: Unknown arg --icmp-type'
Try iptables -h' or 'iptables --help' for more information.
/etc/init.d/masq: echo-request: command not found
/etc/init.d/masq: DROP: command not found
/etc/init.d/masq: worm: command not found
done
[root@nas600 masq]#
-----------------------------------------

Any comments?

best wishes, Robert

Charlie Brady

Re: Where do I top up my box with more PINGs...
« Reply #14 on: October 05, 2003, 12:47:21 AM »
Robert Harlow wrote:

> Enabling IP masquerading: iptables v1.2.5: Unknown arg
> --icmp-type'

This usually means that you have "--icmp-type xxx" without a preceding "--protocol icmp".

From "man iptables":

   icmp
       This extension is loaded if --protocol icmp' is specified.  It provides
        the following option:

       --icmp-type [!] typename
              This allows specification of the ICMP type, which can be a
              numeric ICMP type, or one of  the
              ICMP type names shown by the command
               iptables -p icmp -h

Charlie

RayG

Re: Where do I top up my box with more PINGs...
« Reply #15 on: October 05, 2003, 12:53:19 AM »
Wow.

Looks like masq is severely broken.

The only clue I can pick up is the line about "worm: command not found". Assuming that's part of the comment line, there are some problems with your editing. What did you use to edit the /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40AllowICMPIn file ?

I would recommend you delete /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40AllowICMPIn and rebuild/restart masq. If that doesn't get you back to a working configuration then you probably broke something trying to extract that library. If you did break masq, you can probably recover by reinstalling /e-smith/RPMS/iptables-1.2.5-3.i386.rpm from the e-smith install CD and e-smith-ipmasq-1.8.2-01.noarch.rpm from the Update 5 release.

Robert Harlow

Re: Where do I top up my box with more PINGs...
« Reply #16 on: October 05, 2003, 01:02:59 AM »
mmmm;~/

Your instructions wrote *--proto icmp*. Is that OK, should it have been *--protocol icmp*? Perhaps that might explain part of the warning.

I edited with pico, viewed with mc, and worked with putty.

I extracted the library from site derived from Google...
http://www.wesmo.com/redhat/i386/
...and using rpm2cpio as I have been unable to work out how to do this *simple* browse/copy procedure in mc, presumably I am too much of a dolt.

My box is on SME5.6u4... I never did go to u5.

I am beginning to wish I'd not started on this trek. It would be far simpler to simply ignore everything that ACID/Snort displayed - for all the good this is doing me.

best wishes, Robert

Robert Harlow

Re: Where do I top up my box with more PINGs...
« Reply #17 on: October 05, 2003, 01:34:19 AM »
I've been around once again, this time I left out your comment line stuff. The following was reported...

[root@nas600 masq]#  /sbin/e-smith/expand-template /etc/rc.d/init.d/masq
[root@nas600 masq]#  service masq restart

Shutting down IP masquerade and firewall rules:         Done!

Enabling IP masquerading: /etc/init.d/masq: --jump: command not found
/etc/init.d/masq: DROP: command not found
done
[root@nas600 masq]#

I am still using the . Earlier I ran everything but had forgotten to copy over that file to its required working area and there were initial errors. These errors disappeared after putting the library file in its proper place, so I would hazard a guess that that file 'apparently' works.

Yes, masq is quite probably up the pole. I have attempted to utilise a number of procedures that I have found - both on this forum and on the internet. Not a single one of them has made an iota of a difference to main target , indeed most of them have had an immediate detrimental effect. I think this accumulation of programming detritus is likely to be bad news, probably worse than looking at myriads of asinine worm-driven ICMP echo requests and responses.

Looks like I'm going to be better off finding the filler cap for the PING tank and topping the box up with a few more litres of PING responses and leaving things at that.

I will follow your suggested recovery procedure now.

best wishes, Robert

Robert Harlow

Re: Where do I top up my box with more PINGs...
« Reply #18 on: October 05, 2003, 02:45:17 AM »
Updated the iptables and masq rpms from my archives using --force.
(that masq version of yours was in Update 4 so I went with it)
Have normalised the Snort rules file entry.
I assume that I am (safely) back to square 1 now.

Still can't single file extract from rpms using mc either directly on the server's keyboard or via my usual workstation and putty. Baffling.

best wishes, Robert

RayG

Re: Where do I top up my box with more PINGs...
« Reply #19 on: October 05, 2003, 05:33:49 AM »
I'm glad to hear you got your box back in working order.

Putty and Midnight Commander are a great combination. You can navigate with the up/down arrow keys and make selections with the enter key. The tab key switches between active panels. You can also use the mouse but I'm told that doesn't always work as expected.

The facility in MC that lets you work with rpm's is called "Virtual File System" or VFS. There's decent help built into Midnight Commander.

Get into MC and navigate to the rpm you want to extract a file out of in the left panel. In this case it will be iptables-1.2.5-2.i386.rpm. Hit the enter key over the rpm and MC will "open" the rpm and show you the directory structure inside. Navigate down to the /lib directory and hit enter. From there, select the /iptables directory and hit enter again. In the /iptables directory, navigate down to libipt_length.so. Use the tab key to switch to the right panel and navigate to the location you want the extracted file placed. Hit the tab key again to get back to the left panel. Make sure libipt_length.so is still selected and hit the F5 key. This will open the copy dialog. Select OK and the file will be copied to the destination you selected in the right panel.

Charlie Brady

Re: Where do I top up my box with more PINGs...
« Reply #20 on: October 05, 2003, 07:10:18 AM »
Robert Harlow wrote:

> Still can't single file extract from rpms using mc either
> directly on the server's keyboard or via my usual workstation
> and putty. Baffling.

It's very unlikely to be wise for you to be trying to extract a single file from an RPM. I wouldn't do it, if I were you.

If you really need ipt_length.so, just install latest RH 7.3 iptables update RPM.

Charlie

Charlie Brady

Recommended updates really are recommended updates (Re: Wher
« Reply #21 on: October 05, 2003, 07:20:11 AM »
Robert Harlow wrote:

> My box is on SME5.6u4... I never did go to u5.

That's unlikely to be wise either (but not as unwise as still using 5.5 or earlier).

Worrying about Intrusion Detection Systems while not applying necessary updates just doesn't make any sense at all.

Charlie

Robert Harlow

Re: Recommended updates really are recommended updates (Re:
« Reply #22 on: October 05, 2003, 03:48:02 PM »
Ray

Yes, well I hope the box is back in working order:-) Now I have virgin iptables and masq I will attempt to put into play what you suggested. Will advise results presently.

Ref: mc being able to extract single files from rpms (apparently)...
What you said is exactly what I have been doing. And, yes, I have viewed the extensive help albeit in its tiny onscreen box. The bit where you press ENTER, while the rpms is highlighted, is where it goes awry. Also I have tried using the CR key and the ENTER key. Pressing enter does NOT reveal a pseudo filing directory (!whatever that might be). I get a blink of the screen but not a lot else. When I exit mc I see that mc had attempted to invoke the rpm - judging by the error message. This occurs using mc via w2k/putty and also via the server's own keyboard. I don't remember seeing anything to do with VFS ever working hereabouts.

best wishes, Robert

Robert Harlow

Re: Recommended updates really are recommended updates (Re:
« Reply #23 on: October 05, 2003, 03:52:13 PM »
Charlie

Noted. I don't normally attempt this sort of thing (single files out of rpms). Getting desperate I think;~/ I'd like SOMETHING that's added on to work - preferably flawlessly - and am always prepared to work at it!

Will find and download your suggestion, I am somewhat averse to picking up files from the great unwashed internet - much rather do it from recognised sources.

best wishes, Robert

Robert Harlow

Re: Recommended updates really are recommended updates (Re:
« Reply #24 on: October 05, 2003, 03:57:54 PM »
Charlie

I updated my box from SME 5.5 a long time ago. My box is sitting at SME 5.6 update 4 at the moment. I thought update 5 was just for some VPN stuff and, as I don't possess a portable or need to call home from the field, I passed on update 5.

Just as soon as Mitel badge SME6.0 as *unsupported* I will almost certainly update. If I have the energy I will try to burn my existing wacky iteration of SME5.6 and rebuild SME6.0 from scratch.

best wishes, Robert

Robert Harlow

Re: Recommended updates really are recommended updates (Re:
« Reply #25 on: October 05, 2003, 05:52:21 PM »
Ray

As you know I now have virgin iptables and masq.
This time took the libipt_length.so file out of RH9's iptables, itself from RedHat's site, and then copied it to /lib/iptables/ (using rpm2cpio as my mc does not appear to be playing the ball and allowing me to extract single files from rpms)
Copied the fragment, pico'd in your single line, saved out.
Expanded masq and restarted masq.
Usual/same error stuff transpired...
------------
[root@nas600 rpms]#  /sbin/e-smith/expand-template /etc/rc.d/init.d/masq
[root@nas600 rpms]#  service masq restart

Shutting down IP masquerade and firewall rules:         Done!

Enabling IP masquerading: iptables v1.2.5: Unknown arg --icmp-type'
Try iptables -h' or 'iptables --help' for more information.
/etc/init.d/masq: echo-request: command not found
/etc/init.d/masq: DROP: command not found
done
[root@nas600 rpms]# mc
------------

Any ideas?

best wishes, Robert

Robert Harlow

Re: Recommended updates really are recommended updates (Re:
« Reply #26 on: October 05, 2003, 06:00:36 PM »
Ray

Just in case... the contents of my pico-edited fragment 40AllowICMPIn.


-----------
{
    use esmith::NetworksDB;

    # We want to be very selective on the ICMPs we accept to stop
    # route hijacking

    my @OKicmpTypes = (
      qw(
          echo-request
          echo-reply
          destination-unreachable
          source-quench
          time-exceeded
          parameter-problem
      ) );

    my $stealth = $masq{Stealth} || 'no';
    if ($stealth eq 'yes')
    {
        $OUT .= <<HERE;
    /sbin/iptables --append icmpIn --proto icmp --icmp-type echo-request --in-interface \$OUTERIF --jump denylog
HERE
    }
    $OUT .= "\n /sbin/iptables --append icmpIn --proto icmp --icmp-type
echo-request --in-interface \$OUTERIF -m length --length 92 --jump
DROP\n\n";
    foreach my $icmpType (@OKicmpTypes)
    {
        $OUT .= <<HERE;
    /sbin/iptables --append icmpIn --proto icmp --icmp-type $icmpType --jump ACCEPT
HERE
    }
}
-----------

Anything you need to clear this up?

best wishes, Robert

Robert Harlow

Re: Recommended updates really are recommended updates (Re:
« Reply #27 on: October 05, 2003, 06:09:29 PM »
Think I see a problem... it looks like there is an embedded CR/LF in that inserted line inherited from the copy/paste. Standby while I rerun and make sure.

best wishes, Robert

Robert Harlow

Re: Recommended updates really are recommended updates (Re:
« Reply #28 on: October 05, 2003, 06:14:07 PM »
Yes, there is/was an unwanted CR/LF in the inserted copy/paste;~/
At least I get a new error this time around...

-----------
[root@nas600 root]#  /sbin/e-smith/expand-template /etc/rc.d/init.d/masq
[root@nas600 root]#  service masq restart

Shutting down IP masquerade and firewall rules:         Done!

Enabling IP masquerading: iptables: match length' v1.2.7a (I'm v1.2.5).
/etc/init.d/masq: DROP: command not found
done
[root@nas600 root]#
-----------

....which you just about promised me I'd get if I used a too modern version of the libipt_length.so file. Standby while I track down an older version and rpm2cpio the time (I'm getting used to this now!).

best wishes, Robert

Robert Harlow

Re: Recommended updates really are recommended updates (Re:
« Reply #29 on: October 05, 2003, 06:53:52 PM »
Cured the match length error by having to use the libipt_length.so file derived from a file iptables-1.2.5-2.i386.rpm pulled from the great unwashed as the RedHat site does not list it as being available in their search box.

FINALLY got the edit completed, proof follows!...
-----------------------
[root@nas600 masq]#  /sbin/e-smith/expand-template /etc/rc.d/init.d/masq
[root@nas600 masq]#  service masq restart

Shutting down IP masquerade and firewall rules:         Done!

Enabling IP masquerading: done
[root@nas600 masq]#
-----------------------

Something was inserting a wrapping CR/LF. Not sure what, but I think it was pico as I seemed to have to persuade it to show the whole line in one without screen-wrapping.
 
Have edited snort's icmp.rules config file as you instructed and restarted snort. Now monitoring the command line queries of and . Will append results in due course:-)

Phew... THIS ONE MIGHT WORK! Amazing - thanks Ray:-))

best wishes, Robert
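The two faults traced in this thread, an iptables line that the editor wrapped onto following lines (so the shell ran "echo-request" and "DROP" as commands) and Charlie's point that --icmp-type needs a preceding --protocol icmp, can both be caught by linting the expanded /etc/init.d/masq before restarting it. This is an added example, not SME's own code or anything from the thread; the sample script is constructed from the wrapped fragment Robert posted, and the function names are my own.

```python
"""Lint a shell script of iptables rules (such as the expanded
/etc/init.d/masq) for a rule wrapped across lines and for --icmp-type
used without a preceding --protocol icmp."""
import shlex

# Constructed sample: the wrapped rule as it came out of the pico-edited
# fragment, then a rule missing --proto icmp, then a correct rule.
BROKEN_SCRIPT = """\
#!/bin/sh
OUTERIF=eth1
/sbin/iptables --append icmpIn --proto icmp --icmp-type
echo-request --in-interface $OUTERIF -m length --length 92 --jump
DROP
/sbin/iptables --append icmpIn --icmp-type echo-reply --jump ACCEPT
/sbin/iptables --append icmpIn --proto icmp --icmp-type echo-request --jump ACCEPT
"""

# The same rule on a single line, as it must be for the shell to run it.
FIXED_SCRIPT = """\
#!/bin/sh
OUTERIF=eth1
/sbin/iptables --append icmpIn --proto icmp --icmp-type echo-request --in-interface $OUTERIF -m length --length 92 --jump DROP
/sbin/iptables --append icmpIn --proto icmp --icmp-type echo-reply --jump ACCEPT
"""

JUMP_OPTS = ("-j", "--jump", "-g", "--goto")
# iptables accepts unambiguous abbreviations of long options, so --proto
# (as used in the thread) is equivalent to --protocol.
PROTO_OPTS = ("-p", "--proto", "--protocol")


def _is_iptables_cmd(tokens):
    return bool(tokens) and tokens[0].rsplit("/", 1)[-1] == "iptables"


def _has_target(tokens):
    """True when a jump option is followed by a target name."""
    return any(t in JUMP_OPTS for t in tokens[:-1])


def _proto_icmp_precedes_icmp_type(tokens):
    proto_at = next((i for i, t in enumerate(tokens[:-1])
                     if t in PROTO_OPTS and tokens[i + 1] == "icmp"), None)
    return proto_at is not None and proto_at < tokens.index("--icmp-type")


def lint_iptables_script(text):
    """Return a list of (line number, message) findings."""
    findings = []
    wrapped = None  # tokens of a rule still waiting for its --jump target
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if _is_iptables_cmd(tokens):
            wrapped = None
            if "--icmp-type" in tokens and not _proto_icmp_precedes_icmp_type(tokens):
                findings.append((n, "--icmp-type without a preceding --protocol icmp"))
            if not _has_target(tokens):
                findings.append((n, "rule has no --jump target; line was probably wrapped"))
                wrapped = list(tokens)
        elif wrapped is not None:
            # The shell would try to run this fragment as a command.
            findings.append((n, "%s: not a command; fragment of the wrapped rule above" % tokens[0]))
            wrapped += tokens
            if _has_target(wrapped):
                wrapped = None
    return findings


if __name__ == "__main__":
    for lineno, msg in lint_iptables_script(BROKEN_SCRIPT):
        print("line %d: %s" % (lineno, msg))
```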

Robert Harlow

Re: Recommended updates really are recommended updates (Re:
« Reply #30 on: October 05, 2003, 06:57:20 PM »
Starting conditions...

--------------------------------
[root@nas600 snort]# iptables -L icmpIn -v
Chain icmpIn (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    92 DROP       icmp --  eth1   any     anywhere             anywhere           icmp echo-request length 92
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere           icmp echo-request
  260 21840 ACCEPT     icmp --  any    any     anywhere             anywhere           icmp echo-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere           icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere           icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere           icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere           icmp parameter-problem
    0     0 denylog    all  --  any    any     anywhere             anywhere
[root@nas600 snort]# iptables -L icmpOut -v
Chain icmpOut (1 references)
 pkts bytes target     prot opt in     out     source               destination
  260 21840 ACCEPT     icmp --  any    any     anywhere             anywhere           icmp echo-request
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere           icmp echo-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere           icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere           icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere           icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere           icmp parameter-problem
    0     0 denylog    all  --  any    any     anywhere             anywhere
--------------------------------

best wishes, Robert

RayG

Re: Where do I top up my box with more PINGs...
« Reply #31 on: October 06, 2003, 01:42:28 AM »
Robert
    Glad to hear you have things working now. It looks like the majority of your icmp traffic is FROM your server ? Is your latency/bandwidth monitor responsible for all that pinging ?

Pico has tried to line wrap for me a couple times. Annoying but not a big deal if you pay attention to it.

I'm not sure what the deal is with Midnight Commander on your end. Maybe just an older version ?


Charlie
    Thanks for the comments. I posted in an earlier thread asking for the most recent version of iptables for SME 5.6 but got no response. I downloaded the latest iptables update for RedHat 7.3 as you mentioned. It does contain a compiled version of the length module but it's iptables-1.2.8. When I try to install, it complains that kernel-2.4.20 is required. SME 5.6 uses the 2.4.18 kernel as far as I can tell.

Robert Harlow

Re: Where do I top up my box with more PINGs...
« Reply #32 on: October 06, 2003, 03:37:30 AM »
Ray

It's more than working Ray. It's working really darned well, my thanks:-)

Since completion I've had but a single ICMP alarm line logged (MISC Large ICMP Packet) when normally I'd be looking over a page or two of that other stuff. The other 92byte stuff appears to be clocking up nicely...

------------------------
Sun 05 Oct 2003 11:07:41 PM BST  0.486627 seconds
[root@nas600 snort]# iptables -L icmpIn -v
Chain icmpIn (1 references)
 pkts bytes target     prot opt in     out     source               destination
   54  4968 DROP       icmp --  eth1   any     anywhere             anywhere           icmp echo-request length 92
   18  2895 ACCEPT     icmp --  any    any     anywhere             anywhere           icmp echo-request
 9758  820K ACCEPT     icmp --  any    any     anywhere             anywhere           icmp echo-reply
    6  1233 ACCEPT     icmp --  any    any     anywhere             anywhere           icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere           icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere           icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere           icmp parameter-problem
    0     0 denylog    all  --  any    any     anywhere             anywhere
[root@nas600 snort]# iptables -L icmpOut -v
Chain icmpOut (1 references)
 pkts bytes target     prot opt in     out     source               destination
11718  984K ACCEPT     icmp --  any    any     anywhere             anywhere           icmp echo-request
   18  2895 ACCEPT     icmp --  any    any     anywhere             anywhere           icmp echo-reply
    6  1233 ACCEPT     icmp --  any    any     anywhere             anywhere           icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere           icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere           icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere           icmp parameter-problem
    0     0 denylog    all  --  any    any     anywhere             anywhere
------------------------

...and, as for the outgoing totals, they must all be for (ShadLord's) System Monitor as I don't routinely use pings. The System Monitor is left running/displaying permanently our rural wireless communal network broadband's gateway. There are some very good (local) reasons for doing this.

As always, System Monitor uselessly floods my server-manager's httpd/admin_error_log with a page or two of senseless programming orientated (?) errors - every few minutes when it updates - but otherwise it does an absolutely sterling job. At one time the size of its 90MB log exceeded the total of the displayed photographs in my online gallery, but I'm now overtaking the size of that particular log! Shame about all its logging errors though, I haven't managed to arouse any interest in curing them at all;~/

Have a permanent taskbar iteration of Mozilla 1.5rc2 running continuously with a group of four tabs open...
a) SME server-manager | logs | httpd/error_log
b) http://www.dnsstuff.com/ for immediately checking the bogie IPs in the spamming lists
c) SME server-manager | system-monitor | gateway | hourly-detail (packet loss/latency)
d) ACID

The required gateway graphs continue to be produced and are seemingly unaffected by your excellent modifications that wonderfully side-step the zombie-like, worm driven, ICMP ping requests - as per the requirements of my thread! Well done Ray:-)) I think your work should be made into a HOWTO.

best wishes, Robert
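RayG's verification step in Reply #9 (compare the DROP counter on icmpIn with the accepted echo-requests and the echo-replies on icmpOut) and the listings Robert posted in Replies #30 and #32 lend themselves to a small parser, so the check can be repeated without reading the columns by eye. This is an added example, not code from the thread or from SME Server; the sample listings are constructed in the thread's layout using the counters from Reply #32, and the function names are my own.

```python
"""Parse `iptables -L <chain> -v` listings and check that the 92-byte
echo-request DROP rule is doing its job and sits before the ACCEPT rule."""
import re

# Constructed sample listings (same layout as the thread, counters from Reply #32).
ICMP_IN_SAMPLE = """\
Chain icmpIn (1 references)
 pkts bytes target     prot opt in     out     source               destination
   54  4968 DROP       icmp --  eth1   any     anywhere             anywhere           icmp echo-request length 92
   18  2895 ACCEPT     icmp --  any    any     anywhere             anywhere           icmp echo-request
 9758  820K ACCEPT     icmp --  any    any     anywhere             anywhere           icmp echo-reply
    6  1233 ACCEPT     icmp --  any    any     anywhere             anywhere           icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere           icmp source-quench
    0     0 denylog    all  --  any    any     anywhere             anywhere
"""

ICMP_OUT_SAMPLE = """\
Chain icmpOut (1 references)
 pkts bytes target     prot opt in     out     source               destination
11718  984K ACCEPT     icmp --  any    any     anywhere             anywhere           icmp echo-request
   18  2895 ACCEPT     icmp --  any    any     anywhere             anywhere           icmp echo-reply
    6  1233 ACCEPT     icmp --  any    any     anywhere             anywhere           icmp destination-unreachable
    0     0 denylog    all  --  any    any     anywhere             anywhere
"""

_SUFFIX = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def _count(tok):
    """iptables -v abbreviates large counters (820K, 984K); expand them."""
    if tok[-1] in _SUFFIX:
        return int(float(tok[:-1]) * _SUFFIX[tok[-1]])
    return int(tok)


def parse_chain(listing):
    """Return (chain name, rules). Each rule is a dict with the packet and
    byte counters, target, protocol, interfaces and the trailing match text."""
    lines = listing.strip().splitlines()
    m = re.match(r"Chain (\S+)", lines[0])
    if not m:
        raise ValueError("not an `iptables -L` listing")
    rules = []
    for line in lines[2:]:  # skip the 'Chain' line and the column header
        f = line.split(None, 9)
        if len(f) < 9:
            continue
        rules.append({
            "pkts": _count(f[0]), "bytes": _count(f[1]), "target": f[2],
            "prot": f[3], "in": f[5], "out": f[6],
            "match": f[9].strip() if len(f) > 9 else "",
        })
    return m.group(1), rules


def _pkts(rules, target, match):
    return sum(r["pkts"] for r in rules
               if r["target"] == target and r["match"] == match)


def icmp_summary(icmp_in, icmp_out):
    """What the two verification commands tell you: how many 92-byte echo
    requests were dropped, how many other echo requests were still accepted,
    whether the replies sent match those, and whether the DROP rule comes
    before the generic echo-request ACCEPT (it must, or it never fires)."""
    _, rin = parse_chain(icmp_in)
    _, rout = parse_chain(icmp_out)
    dropped = _pkts(rin, "DROP", "icmp echo-request length 92")
    accepted = _pkts(rin, "ACCEPT", "icmp echo-request")
    replies = _pkts(rout, "ACCEPT", "icmp echo-reply")

    def first(match):
        return next((i for i, r in enumerate(rin) if r["match"] == match), None)

    drop_at, accept_at = first("icmp echo-request length 92"), first("icmp echo-request")
    seen = dropped + accepted
    return {
        "dropped_92_byte": dropped,
        "accepted_requests": accepted,
        "replies_sent": replies,
        "replies_match_accepted": replies == accepted,
        "drop_ratio": dropped / seen if seen else 0.0,
        "drop_rule_before_accept": (drop_at is not None and accept_at is not None
                                    and drop_at < accept_at),
    }


if __name__ == "__main__":
    for key, value in icmp_summary(ICMP_IN_SAMPLE, ICMP_OUT_SAMPLE).items():
        print("%-24s %s" % (key, value))
```

On a live box, feed it the output of `iptables -L icmpIn -v` and `iptables -L icmpOut -v` instead of the samples.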