Koozali.org: home of the SME Server

PING response stealth mode

Robert Harlow

PING response stealth mode
« on: October 06, 2003, 06:40:30 PM »
A Server-Manager panel option to kill the SME box's willingness to respond to ping requests from the outside interface, i.e. put it into some sort of stealth mode. This should be designed so as not to interfere with the ping requirement for the production of the System Monitor addon's gateway graphs for packet loss and latency.

best wishes, Robert

Michael Soulier

Re: PING response stealth mode
« Reply #1 on: October 07, 2003, 03:54:33 AM »
Robert Harlow wrote:
>
> A Server-Manager panel option to kill the SME box's
> willingness to respond to ping requests from the outside
> interface ie put it into some sort of stealth mode. This
> should be designed so as not to interfere with the ping
> requirement for the production of the System Monitor addon's
> gateway graphs for packet loss and latency.

That's what Private Server-Gateway mode is for.

Mike

Robert Harlow

Re: PING response stealth mode
« Reply #2 on: October 07, 2003, 04:06:52 AM »
It doesn't work out that way here Mike;~/ Maybe it should, I grant you, but it doesn't on my SME5.6u4 server/gateway box. I have a large number of *private* options set for it but nothing in the server-manager panel (or similar) that kills the response ping AND retains the production of the System Monitor gateway graphs. Does your enigmatic one-liner imply that this feature exists already? If it does I would be grateful if you would point it out to me - perhaps in one of the forums rather than on this Wishlist.

best wishes, Robert

Michael Soulier

Re: PING response stealth mode
« Reply #3 on: October 07, 2003, 07:14:48 AM »
Robert Harlow wrote:
>
> It doesn't work out that way here Mike;~/ Maybe it should I
> grant you but it doesn't on my SME5.6u4 server/gateway box. I
> have a large number of *private* options set for it but
> nothing in the server-manager panel (or similar) that kills
> the response ping AND retains the production of the System
> Monitor gateway graphs.

So how does the system monitor work? If it relies on icmp, it seems difficult to block icmp and yet let it through. ;-)

Mike

Robert Harlow

Re: PING response stealth mode
« Reply #4 on: October 07, 2003, 03:48:09 PM »
Mike

But I didn't ask for that functionality. I asked for the ping responses to incoming icmp ping requests to be killed, whilst allowing outgoing ping requests (from the system monitor). My box needs a setting that stops it being so damn helpful to these unrelenting incoming (worm-driven) icmp ping requests.

Are you going to help me and clearly identify this *Private Server Gateway* which you indicated earlier as being the answer to my wishlist thread?

best wishes, Robert

Charlie Brady

Re: PING response stealth mode
« Reply #5 on: October 07, 2003, 10:44:28 PM »
Robert Harlow wrote:

> Does your enigmatic one-liner imply
> that this feature exists already?

References to "Private Server and Gateway mode" should not seem enigmatic to you if you've read the documentation kindly provided by Mitel:

http://edocs.mitel.com/6000_SME_Server/6000_MAS_rls5.6/\
Tech_Handbook_html_EN/operationmode.html#option2

Charlie

Charlie Brady

Re: PING response stealth mode
« Reply #6 on: October 07, 2003, 10:48:21 PM »
Robert Harlow wrote:

> But I didn't ask for that functionality. I asked for the ping
> responses to incoming icmp ping requests to be killed, whilst
> allowing outgoing ping requests (from the system monitor).

Yes, that's what Private Server and Gateway mode provides.

> My  box needs a setting that stops it being so damn helpful to
> these unrelenting incoming (worm-driven) icmp ping requests.

Note that regardless of what your firewall does, those pings have already wasted your bandwidth. You could ask your ISP to block them before they are sent over your link (although I'd suggest you use a milder tone than you have used here).

Charlie

Robert Harlow

Re: PING response stealth mode
« Reply #7 on: October 08, 2003, 12:35:16 AM »
Charlie

Your CLEAR assistance is most sincerely appreciated. One line enigmatic allusions aren't. Sorry about that, I am only human. I had read that bit two years ago but I'd forgotten about that paragraph as, two years ago, I had no conception or understanding about what it meant. Now two years later I do understand what it means.

I think that that link (unwrapped)...
http://edocs.mitel.com/6000_SME_Server/6000_MAS_rls5.6/Tech_Handbook_html_EN/operationmode.html#option2
...means I cannot obtain this functionality without wiping the server and rebuilding everything all over again in Option 2 (Private Server Gateway).

So, effectively, until I can rebuild I am still looking for a wishlist item as above to retrofit this functionality:-)

best wishes, Robert

Robert Harlow

Re: PING response stealth mode
« Reply #8 on: October 08, 2003, 12:36:48 AM »
Mike

Sorry about my brusque retort to your one liner.

Robert

Robert Harlow

Re: PING response stealth mode
« Reply #9 on: October 08, 2003, 12:46:18 AM »
>> My box needs a setting that stops it being so damn helpful to
>> these unrelenting incoming (worm-driven) icmp ping requests.

>Note that regardless of what your firewall does, those pings have
>already wasted your bandwidth. You could ask your ISP to block them
>before they are sent over your link (although I'd suggest you use a
>milder tone than you have used here).

Charles

I apologise for the apparently unwarranted inclusion of the obscenity of *damn* in my text. It was merely a figure of speech and my use of the term was in the emphasis mode and not in a derogatory fashion.

Yes, Charles, those incoming pings have wasted my bandwidth already but there is no need for my box to further the waste with a ping response. It was for that I was looking.

My ISP cannot block the pings. None of us here have a conventional ISP. The broadband provider gives us the whole pipe's bandwidth and we all share it dynamically. I was attempting to take a position of responsibility trying to address the ping problem so that others could do so similarly on our broadband. I think I need to time-table a complete rebuild as soon as possible.

Meanwhile Ray's wonderful patch is working magnificently. See thread...
http://forums.contribs.org/index.php?topic=18665.msg73531#msg73531

best wishes, Robert

Charlie Brady

Re: PING response stealth mode
« Reply #10 on: October 08, 2003, 01:29:24 AM »
Robert Harlow wrote:
 
> Your CLEAR assistance is most sincerely appreciated. One line
> enigmatic allusions aren't.

One line enigmatic allusions are usually a hint for you to do more homework. Google and other search tools are your friends.

A good hint is worth more than nothing (and cost more than nothing to give). IMO it's rude of you to criticise a gift because it was not the gift you wanted.

> I think that that link (unwrapped)...
> http://edocs.mitel.com/6000_SME_Server/6000_MAS_rls5.6/Tech_Handbook_html_EN/operationmode.html#option2
> ...means I cannot obtain this functionality without wiping
> the server and rebuilding everything all over again in Option
> 2 (Private Server Gateway).

No, you can choose the configure option in the main console menu.

Charlie

Robert Harlow

Re: PING response stealth mode
« Reply #11 on: October 08, 2003, 02:17:22 AM »
Charlie

>One line enigmatic allusions are usually a hint for you to do more homework.
They can be tough on dyslexics, even diligent dyslexics.

>A good hint is worth more than nothing (and cost more than nothing
>to give). IMO it's rude of you to criticise a gift because it was not the
>gift you wanted.
I didn't value the hint as being nothing, that's an unfair interpretation, but I fully agree with the rest of your assertion. The problem arose through my initial faulty interpretation of the short one liner as being patronisingly enigmatic. That's the problem with short one liners, there's so little information embedded that it's often easy to get the wrong idea. I'm sorry but I'm just human and I get it wrong - sometimes a lot, sometimes a little;~/

This is verging off-thread and I must apologise to the WishList moderator for being the unwitting subject of that divergence. I will attempt a console move into Option 2 and so my wishlist item can be withdrawn!

Note to self: one liner (clear) response to original thread posting...
Use main console to reload into Private Server Gateway (option 2) to achieve requested PING response stealth mode.

best wishes, Robert

Robert Harlow

Re: PING response stealth mode
« Reply #12 on: October 08, 2003, 04:20:41 AM »
Mmmm, that was interesting... thank you Charlie. Certainly fooled me. It was funny though, I can take a joke - even with dyslexia. The box locked up really tightly using Option 2 Private Server Gateway. The GRC test site couldn't raise a peep out of it. Nor could anyone around the village out of either of its two websites, the local newspaper couldn't retrieve any pictures from my online picture gallery and those daft webots from Inktomi and Google got flat noses bumping into the new brickwall. I have returned my box to Option 1 Server Gateway mode, just as I built it two years ago.

And I reconstitute my WishList item for a PING response stealth mode that allows System Monitor to produce its gateway packet loss and latency graphs... without the box losing my village's websites and my beloved picture gallery site.

Ray's wonderful patch is still the best thing, in icmp ping response addon technology, since sliced bread.

best wishes, Robert

Charlie Brady

Re: PING response stealth mode
« Reply #13 on: October 08, 2003, 05:11:38 AM »
Robert Harlow wrote:

> The box locked up really tightly using Option 2
> Private Server Gateway. The GRC test site couldn't raise a
> peep out of it. Nor could anyone around the village out of
> either of its two websites, the local newspaper couldn't
> retrieve any pictures from my online picture gallery and
> those daft webots from Inktomi and Google got flat noses
> bumping into the new brickwall.

This should be no surprise to you, since the documentation which you have recently re-read says:

    The web server is not visible to anyone outside of the local network.

> I have returned my box to
> Option 1 Server Gateway mode, just as I built it two years ago.

And just as it should be. Private Server Gateway mode is designed for the case where you have no public services - for example, you are an average law abiding cable customer and don't run a web server and don't want anyone connecting to you. It's not for you.

> Ray's wonderful patch is still the best thing, in icmp ping response addon technology, since
> sliced bread.

Then you have what you need.

Charlie

Robert Harlow

Re: PING response stealth mode
« Reply #14 on: October 08, 2003, 05:43:49 AM »
>>This should be no suprise to you, since the documentation
>>which you have recently re-read says:
>>The web server is not visible to anyone outside of the local network.

You don't seem to understand what dyslexia does to words some of the thyme...
http://www.dyslexia.com/

For instance I've only just realised that both you and Mike are apparently from Mitel itself. I have always held the SME product and its makers in high esteem - not least because of its Open Source status.

>>And just as it should be. Private Server Gateway mode is designed
>>if you have no public services - for example, you are an average law
>>abiding cable customer and don't run a web server and don't want
>>anyone connecting to you. It's not for you.

I know it's not for me and I didn't opt for it two years ago. You and Mike kept on suggesting it as the solution to my WishList thread so I went ahead. I then slowly worked out what was happening and assumed you and Mike pointed me that way for a laugh. Despite being the butt of this joke I have an excellent sense of humour and have written the exercise off against good experience.

>>Ray's wonderful patch is still the best thing, in icmp ping
>>response addon technology, since sliced bread.
>Then you have what you need.

No I don't have what I need. And I don't have what I want. It seems like I can't get to ask for it either - even on a ***WishList*** request forum.

Ray's wonderful patch only drops my box's *response* to a specifically sized icmp ping request (92bytes) corresponding to a specific worm-driven icmp ping problem. And to keep the ACID logs quiet I/we are forced to disable ACID's config line for a type of icmp packet (well, I think that's what that bit did), which is effectively putting one's head in the sand over that particular aspect to the issue.

I certainly do -not- have a stealth mode yet running for icmp ping requests/responses whilst allowing System Monitor to function correctly and with the new condition of keeping the village's websites alive and my picture gallery site running. Ray's patch just helps stop the ACID logs filling up with noise.

My WishList item stands...  *in request mode*!

(it's gone 1:30am - g'night)

best wishes, Robert

Charlie Brady

Re: PING response stealth mode
« Reply #15 on: October 08, 2003, 08:07:03 PM »
Robert Harlow wrote:

> You and Mike kept on suggesting it as the solution to my
> WishList thread so I went ahead.

We were not joking. PSG mode is an exact answer to what you asked for at the start of the WishList thread. We weren't to know that you had other unstated requirements.

> Ray's wonderful patch only drops my box's *response* to a
> specifically sized icmp ping request (92bytes) corresponding
> to a specific worm-driven icmp ping problem. And to keep the
> ACID logs quiet I/we are forced to disable ACID's config line
> for a type of icmp packet (well, I think that's what that bit
> did), which is effectively putting one's head in the sand
> over that particular aspect to the issue.

But that is all you *can* do.

Charlie

Graeme Fleming

Re: PING response stealth mode
« Reply #16 on: October 11, 2003, 11:13:14 AM »
At the risk of diving into these 'muddied' waters how about using a hardware router infront of the SME box.

I have recently installed a Netgear FR328 that allows me to stealth my system by rejecting pings, opening just those ports I want; having an 8-port switch built in allows me to set up a quasi DMZ between the router and the SME, and it also gives me automatic failover to a modem should my ADSL link go down.

My SME box now does very little re all the garbage coming from the 'net'.

Seems to me perfect for your needs.  I would guess it would cost you about 120 quid.

HTH

Robert Harlow

Re: PING response stealth mode
« Reply #17 on: October 11, 2003, 02:33:16 PM »
Graeme

Excellent point, I agree, but I didn't want to say anything earlier that might irritate Keith any more.

Before the rural wireless broadband project came to the village it was necessary to use dialup ISDN for a more reliable connection than a plain old telephone service connection. I bought a 3com OfficeLAN ISDN router to attach to my little unmanaged 3com switch. To protect it all, even on a dialup service, I used a hardware firewall from WatchGuard (SoHo 5). Broadband and the SME arrived together; the learning curve was a bit steep for me, particularly as I have to teach myself entirely unaided, and I was not able to configure everything to include the hardware firewall. Nowadays I am much better equipped in experience to attempt this... particularly now I know I can reconfigure the box's basic operational mode within a few minutes and with very little fuss and bother.

What I didn't know before was that I have to point the SME towards the hardware firewall and similarly in reverse. The hardware firewall has a very simple option that 'should' put it into a PING response stealth mode... ie the subject of this WishList thread item.

I think the SoHo hardware firewall does stateful packet stuff too but I'm not that sure, I need to have a mess around in a quiet time.

This does not exonerate Mitel from researching/producing a native option for SME to allow a PING response stealth mode... WishList item stands:-)

best wishes, Robert

Shad Lords

Re: PING response stealth mode
« Reply #18 on: October 16, 2003, 01:35:52 AM »
If you have e-smith-packetfilter-1.13.0-04 installed on 5.6 then you can perform the following to do exactly what you want.

/sbin/e-smith/config setprop masq Stealth yes
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq  
service masq restart


-Shad
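An added example, not part of Shad's post and not the rule set that SME Server's e-smith-packetfilter actually generates from the masq Stealth property: the same idea written as plain iptables rules, so the two requirements of this thread (drop inbound echo-requests on the outside interface; still let the box's own outbound pings, such as the System Monitor's gateway probes, get their replies) can be read, compared against the live ruleset with iptables-save, and checked for the one ordering mistake that would break the second requirement. The interface name eth1 and the script name stealth-icmp.sh are assumptions.

```shell
#!/bin/sh
# Added example: a stand-alone iptables ruleset for what this thread asks for.
# It is NOT the rule set that SME Server's e-smith-packetfilter generates from
# the "masq Stealth" property; it shows the same idea in plain iptables so it
# can be read, checked and compared against the live ruleset.
#
# Requirement 1: inbound ICMP echo-requests on the external interface are
#   DROPped (not REJECTed), so the box sends nothing back at all.
# Requirement 2: pings the box sends out itself (e.g. the System Monitor's
#   gateway latency/packet-loss probes) must still get their echo-replies in.
#   Connection tracking handles that: ICMP echo request/reply pairs are
#   tracked, so the reply arrives in state ESTABLISHED.
#
# Assumption: the external interface is eth1 (override with WAN=... in the
# environment).

WAN="${WAN:-eth1}"

# Print the rules rather than apply them, so the script can be reviewed and
# checked on any machine (no root, no netfilter needed).
stealth_rules() {
    printf '%s\n' \
      "iptables -A INPUT -i $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT" \
      "iptables -A INPUT -i $WAN -p icmp --icmp-type echo-request -j DROP"
}

# Line number of the first line of $dump matching the extended regex $1,
# or nothing if no line matches.
first_match() {
    printf '%s\n' "$dump" | grep -n -E -- "$1" | head -n 1 | cut -d: -f1
}

# Check an iptables-save dump, read from stdin, for:
#   (a) an ESTABLISHED,RELATED ACCEPT on the WAN interface,
#   (b) an echo-request DROP on the WAN interface, and
#   (c) that (a) comes before the first rule dropping/rejecting ICMP on WAN.
# (c) is the point: an echo-request-only DROP is harmless either way, but a
# blanket "-p icmp -j DROP" (a common first attempt at "stealth") placed
# before the state ACCEPT also eats the replies to the box's own pings.
# iptables-save prints the states as RELATED,ESTABLISHED and the ICMP type
# as its number (8), so both spellings are accepted.
# Returns 0 when all three hold, 1 otherwise.
verify_rules() {
    dump=$(cat)
    accept=$(first_match "^-A INPUT -i $WAN .*--state (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT")
    echodrop=$(first_match "^-A INPUT -i $WAN .*--icmp-type (8|echo-request) -j DROP")
    icmpdrop=$(first_match "^-A INPUT -i $WAN .*-p icmp .*-j (DROP|REJECT)")
    if [ -n "$accept" ] && [ -n "$echodrop" ] && [ "$accept" -lt "$icmpdrop" ]; then
        return 0
    fi
    return 1
}

# Usage:
#   sh stealth-icmp.sh              print the rules
#   sh stealth-icmp.sh apply        apply them (as root)
#   iptables-save | sh stealth-icmp.sh check
#                                   confirm they are in the live ruleset
case "${1:-print}" in
    apply) stealth_rules | sh ;;
    check) verify_rules && echo "stealth ICMP rules present and ordered" ;;
    print) stealth_rules ;;
    *)     echo "usage: $0 [print|apply|check]" >&2; exit 2 ;;
esac
```

After a `service masq restart`, `iptables-save | sh stealth-icmp.sh check` confirms the rules really landed in the running ruleset rather than only in the template. Two caveats the thread itself illustrates: DROP is what makes the box "stealth" to a ping, whereas REJECT would answer with an ICMP error and so reveal a live host; and these rules hide nothing but ICMP echo, so any service deliberately published on the outside interface (the village web sites here) still answers, and a port scan still finds the host. Only Private Server and Gateway mode, which publishes no services at all, gives the fully silent result Robert saw from the GRC test.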

Robert Harlow

Re: PING response stealth mode
« Reply #19 on: October 16, 2003, 03:03:44 AM »
Shad

Sounds good, my thanks:-)

Had e-smith-packetfilter-1.10.0-08 installed (SME5.6u4).
Wasn't able to find 1.13.0-04 in the regular 5.6 updates.
Some higher versions in the 6.0beta's but v6 is not yet for production servers.
Found your specified target revision in Charlie Brady's area...

...and have updated appropriately - thanks Charlie:-)
Implemented your command lines.
Some errors...
-------------------------------------------->
[root@nas600 24-stealth-mode]# rpm -Uvh *.rpm
Preparing...                ########################################### [100%]
   1:e-smith-packetfilter   ########################################### [100%]
[root@nas600 24-stealth-mode]# /sbin/e-smith/config setprop masq Stealth yes
[root@nas600 24-stealth-mode]# /sbin/e-smith/expand-template /etc/rc.d/init.d/masq
[root@nas600 24-stealth-mode]# service masq restart

Shutting down IP masquerade and firewall rules:         Done!

Enabling IP masquerading: iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
done
[root@nas600 24-stealth-mode]#
<--------------------------------------------

Perhaps those error lines might have been due to a number of ad hoc lines I previously added to block some favourite(?) spammers, in the form...
/sbin/iptables -A INPUT -t filter -j DROP -s 210.117.67.24

System Monitor's gateway dropped packets and latency graphs seem to be continuing as ever (including its error lines flood in the httpd/admin_error log); too soon to tell about the worm-driven ICMP guff.  Will keep an eye on the logs.

Thank you for the heads up Shad:-)

best wishes, Robert

Magnus

Re: PING response stealth mode
« Reply #20 on: November 10, 2003, 07:54:19 AM »
Tried that on my sme 6.0b3

[root@miniburken]# /sbin/e-smith/config setprop masq Stealth yes
[root@miniburken]# /sbin/e-smith/expand-template /etc/rc.d/init.d/masq
[root@miniburken]# service masq restart

Shutting down IP masquerade and firewall rules: Done!

Enabling IP masquerading: Bad argument `icmp'
Try `iptables -h' or 'iptables --help' for more information.
done

Michael Soulier

Re: PING response stealth mode
« Reply #21 on: November 10, 2003, 06:13:06 PM »
Magnus wrote:
>
> Tried that on my sme 6.0b3
>
> [root@miniburken]# /sbin/e-smith/config setprop masq Stealth
> yes
> [root@miniburken]# /sbin/e-smith/expand-template
> /etc/rc.d/init.d/masq
> [root@miniburken]# service masq restart
>
> Shutting down IP masquerade and firewall rules: Done!
>
> Enabling IP masquerading: Bad argument `icmp'
> Try `iptables -h' or 'iptables --help' for more information.
> done

As always, please report suspected bugs to smebugs@mitel.com.

Mike

Bob King

Re: PING response stealth mode
« Reply #22 on: November 25, 2003, 09:11:28 AM »
You can find the e-smith-packetfilter-1.13.0-04 rpm at the link below.

http://mirror.contribs.org/smeserver/contribs/dmay/mitel/contrib/portforwarding/

adrian

Re: PING response stealth mode
« Reply #23 on: December 16, 2003, 02:09:52 PM »
Robert

did this work for you in the end?

regards

adrian

Robert Harlow

Re: PING response stealth mode
« Reply #24 on: December 16, 2003, 02:43:41 PM »
Adrian

Marvellously:-) No longer plagued with (inappropriate) ICMP stuff. Get the occasional few but I can certainly commend the tweak. I'm still on SME5.6u4... will move to 6.0(b3?) when I have a window;~/

best wishes, Robert
