Koozali.org: home of the SME Server

PING response stealth mode

Robert Harlow

PING response stealth mode
« on: October 06, 2003, 06:40:30 PM »
A Server-Manager panel option to kill the SME box's willingness to respond to ping requests from the outside interface ie put it into some sort of stealth mode. This should be designed so as not to interfere with the ping requirement for the production of the System Monitor addon's gateway graphs for packet loss and latency.

best wishes, Robert

Michael Soulier

Re: PING response stealth mode
« Reply #1 on: October 07, 2003, 03:54:33 AM »
Robert Harlow wrote:
>
> A Server-Manager panel option to kill the SME box's
> willingness to respond to ping requests from the outside
> interface ie put it into some sort of stealth mode. This
> should be designed so as not to interfere with the ping
> requirement for the production of the System Monitor addon's
> gateway graphs for packet loss and latency.

That's what Private Server-Gateway mode is for.

Mike

Robert Harlow

Re: PING response stealth mode
« Reply #2 on: October 07, 2003, 04:06:52 AM »
It doesn't work out that way here Mike;~/ Maybe it should I grant you but it doesn't on my SME5.6u4 server/gateway box. I have a large number of *private* options set for it but nothing in the server-manager panel (or similar) that kills the response ping AND retains the production of the System Monitor gateway graphs. Does your enigmatic one-liner imply that this feature exists already? If it does I would be grateful if you would point it out to me - perhaps in one of the forums rather than on this Wishlist.

best wishes, Robert

Michael Soulier

Re: PING response stealth mode
« Reply #3 on: October 07, 2003, 07:14:48 AM »
Robert Harlow wrote:
>
> It doesn't work out that way here Mike;~/ Maybe it should I
> grant you but it doesn't on my SME5.6u4 server/gateway box. I
> have a large number of *private* options set for it but
> nothing in the server-manager panel (or similar) that kills
> the response ping AND retains the production of the System
> Monitor gateway graphs.

So how does the system monitor work? If it relies on icmp, it seems difficult to block icmp and yet let it through. ;-)

Mike

Robert Harlow

Re: PING response stealth mode
« Reply #4 on: October 07, 2003, 03:48:09 PM »
Mike

But I didn't ask for that functionality. I asked for the ping responses to incoming icmp ping requests to be killed, whilst allowing outgoing ping requests (from the system monitor). My box needs a setting that stops it being so damn helpful to these unrelenting incoming (worm-driven) icmp ping requests.

Are you going to help me and clearly identify this *Private Server Gateway* which you indicated earlier as being the answer to my wishlist thread?

best wishes, Robert

Charlie Brady

Re: PING response stealth mode
« Reply #5 on: October 07, 2003, 10:44:28 PM »
Robert Harlow wrote:

> Does your enigmatic one-liner imply
> that this feature exists already?

References to "Private Server and Gateway mode" should not seem enigmatic to you if you've read the documentation kindly provided by Mitel:

http://edocs.mitel.com/6000_SME_Server/6000_MAS_rls5.6/\
Tech_Handbook_html_EN/operationmode.html#option2

Charlie

Charlie Brady

Re: PING response stealth mode
« Reply #6 on: October 07, 2003, 10:48:21 PM »
Robert Harlow wrote:

> But I didn't ask for that functionality. I asked for the ping
> responses to incoming icmp ping requests to be killed, whilst
> allowing outgoing ping requests (from the system monitor).

Yes, that's what Private Server and Gateway mode provides.

> My box needs a setting that stops it being so damn helpful to
> these unrelenting incoming (worm-driven) icmp ping requests.

Note that regardless of what your firewall does, those pings have already wasted your bandwidth. You could ask your ISP to block them before they are sent over your link (although I'd suggest you use a milder tone than you have used here).

Charlie

Robert Harlow

Re: PING response stealth mode
« Reply #7 on: October 08, 2003, 12:35:16 AM »
Charlie

Your CLEAR assistance is most sincerely appreciated. One line enigmatic allusions aren't. Sorry about that, I am only human. I had read that bit two years ago but I'd forgotten about that paragraph as, two years ago, I had no conception or understanding about what it meant. Now two years later I do understand what it means.

I think that that link (unwrapped)...
http://edocs.mitel.com/6000_SME_Server/6000_MAS_rls5.6/Tech_Handbook_html_EN/operationmode.html#option2
...means I cannot obtain this functionality without wiping the server and rebuilding everything all over again in Option 2 (Private Server Gateway).

So, effectively, until I can rebuild I am still looking for a wishlist item as above to retrofit this functionality:-)

best wishes, Robert

Robert Harlow

Re: PING response stealth mode
« Reply #8 on: October 08, 2003, 12:36:48 AM »
Mike

Sorry about my brusque retort to your one liner.

Robert

Robert Harlow

Re: PING response stealth mode
« Reply #9 on: October 08, 2003, 12:46:18 AM »
>> My box needs a setting that stops it being so damn helpful to
>> these unrelenting incoming (worm-driven) icmp ping requests.

>Note that regardless of what your firewall does, those pings have
>already wasted your bandwidth. You could ask your ISP to block them
>before they are sent over your link (although I'd suggest you use a
>milder tone than you have used here).

Charles

I apologise for the apparently unwarranted inclusion of the obscenity of *damn* in my text. It was merely a figure of speech and my use of the term was in the emphasis mode and not in a derogatory fashion.

Yes, Charles, those incoming pings have wasted my bandwidth already but there is no need for my box to further the waste with a ping response. It was for that I was looking.

My ISP cannot block the pings. None of us here have a conventional ISP. The broadband provider gives us the whole pipe's bandwidth and we all share it dynamically. I was attempting to take a position of responsibility trying to address the ping problem so that others could do so similarly on our broadband. I think I need to time-table a complete rebuild as soon as possible.

Meanwhile Ray's wonderful patch is working magnificently. See thread...
http://forums.contribs.org/index.php?topic=18665.msg73531#msg73531

best wishes, Robert

Charlie Brady

Re: PING response stealth mode
« Reply #10 on: October 08, 2003, 01:29:24 AM »
Robert Harlow wrote:
 
> Your CLEAR assistance is most sincerely appreciated. One line
> enigmatic allusions aren't.

One line enigmatic allusions are usually a hint for you to do more homework. Google and other search tools are your friends.

A good hint is worth more than nothing (and cost more than nothing to give). IMO it's rude of you to criticise a gift because it was not the gift you wanted.

> I think that that link (unwrapped)...
> http://edocs.mitel.com/6000_SME_Server/6000_MAS_rls5.6/Tech_Handbook_html_EN/operationmode.html#option2
> ...means I cannot obtain this functionality without wiping
> the server and rebuilding everything all over again in Option
> 2 (Private Server Gateway).

No, you can choose the configure option in the main console menu.

Charlie

Robert Harlow

Re: PING response stealth mode
« Reply #11 on: October 08, 2003, 02:17:22 AM »
Charlie

>One line enigmatic allusions are usually a hint for you to do more homework.
They can be tough on dyslexics, even diligent dyslexics.

>A good hint is worth more than nothing (and cost more than nothing
>to give). IMO it's rude of you to criticise a gift because it was not the
>gift you wanted.
I didn't value the hint as being nothing, that's an unfair interpretation, but I fully agree with the rest of your assertion. The problem arose through my initial faulty interpretation of the short one liner as being patronisingly enigmatic. That's the problem with short one liners, there's so little information embedded that it's often easy to get the wrong idea. I'm sorry but I'm just human and I get it wrong - sometimes a lot, sometimes a little;~/

This is verging off-thread and I must apologise to the WishList moderator for being the unwitting subject of that divergence. I will attempt a console move into Option 2 and so my wishlist item can be withdrawn!

Note to self: one liner (clear) response to original thread posting...
Use main console to reload into Private Server Gateway (option 2) to achieve requested PING response stealth mode.

best wishes, Robert

Robert Harlow

Re: PING response stealth mode
« Reply #12 on: October 08, 2003, 04:20:41 AM »
Mmmm, that was interesting... thank you Charlie. Certainly fooled me. It was funny though, I can take a joke - even with dyslexia. The box locked up really tightly using Option 2 Private Server Gateway. The GRC test site couldn't raise a peep out of it. Nor could anyone around the village out of either of its two websites, the local newspaper couldn't retrieve any pictures from my online picture gallery and those daft webots from Inktomi and Google got flat noses bumping into the new brickwall. I have returned my box to Option 1 Server Gateway mode, just as I built it two years ago.

And I reconstitute my WishList item for a PING response stealth mode that allows System Monitor to produce its gateway packet loss and latency graphs... without the box losing my village's websites and my beloved picture gallery site.

Ray's wonderful patch is still the best thing, in icmp ping response addon technology, since sliced bread.

best wishes, Robert

Charlie Brady

Re: PING response stealth mode
« Reply #13 on: October 08, 2003, 05:11:38 AM »
Robert Harlow wrote:

> The box locked up really tightly using Option 2
> Private Server Gateway. The GRC test site couldn't raise a
> peep out of it. Nor could anyone around the village out of
> either of its two websites, the local newspaper couldn't
> retrieve any pictures from my online picture gallery and
> those daft webots from Inktomi and Google got flat noses
> bumping into the new brickwall.

This should be no surprise to you, since the documentation which you have recently re-read says:

    The web server is not visible to anyone outside of the local network.

> I have returned my box to
> Option 1 Server Gateway mode, just as I built it two years ago.

And just as it should be. Private Server Gateway mode is designed if you have no public services - for example, you are an average law abiding cable customer and don't run a web server and don't want anyone connecting to you. It's not for you.

> Ray's wonderful patch is still the best thing, in icmp ping response addon technology, since
> sliced bread.

Then you have what you need.

Charlie

Robert Harlow

Re: PING response stealth mode
« Reply #14 on: October 08, 2003, 05:43:49 AM »
>>This should be no surprise to you, since the documentation
>>which you have recently re-read says:
>>The web server is not visible to anyone outside of the local network.

You don't seem to understand what dyslexia does to words some of the thyme...
http://www.dyslexia.com/

For instance I've only just realised that both you and Mike are apparently from Mitel itself. I have always held the SME product and its makers in high esteem - not least because of its Open Source status.

>>And just as it should be. Private Server Gateway mode is designed
>>if you have no public services - for example, you are an average law
>>abiding cable customer and don't run a web server and don't want
>>anyone connecting to you. It's not for you.

I know it's not for me and I didn't opt for it two years ago. You and Mike kept on suggesting it as the solution to my WishList thread so I went ahead. I then slowly worked out what was happening and assumed you and Mike pointed me that way for a laugh. Despite being the butt of this joke I have an excellent sense of humour and have written the exercise off against good experience.

>>Ray's wonderful patch is still the best thing, in icmp ping
>>response addon technology, since sliced bread.
>Then you have what you need.

No I don't have what I need. And I don't have what I want. It seems like I can't get to ask for it either - even on a ***WishList*** request forum.

Ray's wonderful patch only drops my box's *response* to a specifically sized icmp ping request (92 bytes) corresponding to a specific worm-driven icmp ping problem. And to keep the ACID logs quiet I/we are forced to disable ACID's config line for a type of icmp packet (well, I think that's what that bit did), which is effectively putting one's head in the sand over that particular aspect to the issue.

I certainly do -not- have a stealth mode yet running for icmp ping requests/responses whilst allowing System Monitor to function correctly and with the new condition of keeping the village's websites alive and my picture gallery site running. Ray's patch just helps stop the ACID logs filling up with noise.

My WishList item stands...  *in request mode*!

(it's gone 1:30am - g'night)

best wishes, Robert
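
The behaviour requested in this thread comes down to filtering on ICMP type rather than blocking ICMP or public services wholesale. The following is an added example, not part of any post and not Ray's patch or SME Server code: it compares an assumed model of a size-specific rule (92 taken as the IP total length) with a rule that drops every inbound echo request, over constructed packets. "PASS" means the packet is left to the existing firewall rules, and the model is stateless.

```python
import struct

SRC, DST = bytes([198, 51, 100, 7]), bytes([192, 0, 2, 1])  # constructed addresses
ECHO_REPLY, ECHO_REQUEST = 0, 8                              # ICMP type numbers

def ip_packet(proto, body):
    """Constructed IPv4 packet (checksums left at zero; nothing is sent)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64,
                      proto, 0, SRC, DST)
    return hdr + body

def icmp(icmp_type, payload_len):
    header = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    return ip_packet(1, header + b"\x00" * payload_len)

def tcp_syn(dport):
    return ip_packet(6, struct.pack("!HHIIBBHHH", 40000, dport, 0, 0,
                                    0x50, 0x02, 8192, 0, 0))

def parse(pkt):
    """Return (IP total length, ICMP type or None for non-ICMP packets)."""
    ihl = (pkt[0] & 0x0F) * 4                 # IP header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return total_len, (pkt[ihl] if pkt[9] == 1 else None)

def size_filter(pkt):
    """Assumed model of a size-specific rule: drop only 92-byte echo requests."""
    total_len, icmp_type = parse(pkt)
    return "DROP" if icmp_type == ECHO_REQUEST and total_len == 92 else "PASS"

def stealth_filter(pkt):
    """Drop every inbound echo request; everything else is left untouched."""
    _, icmp_type = parse(pkt)
    return "DROP" if icmp_type == ECHO_REQUEST else "PASS"

SAMPLES = {  # constructed inbound packets on the outside interface
    "echo request, 92 bytes": icmp(ECHO_REQUEST, 64),
    "echo request, 60 bytes": icmp(ECHO_REQUEST, 32),
    "echo reply to our own ping": icmp(ECHO_REPLY, 56),
    "TCP SYN to web server": tcp_syn(80),
}

def decisions():
    """Map each sample to (size-rule verdict, type-rule verdict)."""
    return {n: (size_filter(p), stealth_filter(p)) for n, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (by_size, by_type) in decisions().items():
        print(f"{name:28} size-rule={by_size:5} type-rule={by_type}")
```

The type-based rule silences replies to pings of any size, while echo replies coming back to the box's own outgoing pings and connections to the web server are unaffected.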