Koozali.org: home of the SME Server

PING response stealth mode

Charlie Brady

Re: PING response stealth mode
« Reply #15 on: October 08, 2003, 08:07:03 PM »
Robert Harlow wrote:

> You and Mike kept on suggesting it as the solution to my
> WishList thread so I went ahead.

We were not joking. PSG mode is an exact answer to what you asked for at the start of the WishList thread. We weren't to know that you had other unstated requirements.

> Ray's wonderful patch only drops my box's *response* to a
> specifically sized icmp ping request (92bytes) corresponding
> to a specific worm-driven icmp ping problem. And to keep the
> ACID logs quiet I/we are forced to disable ACID's config line
> for a type of icmp packet (well, I think that's what that bit
> did), which is effectively putting one's head in the sand
> over that particular aspect to the issue.

But that is all you *can* do.

Charlie

Graeme Fleming

Re: PING response stealth mode
« Reply #16 on: October 11, 2003, 11:13:14 AM »
At the risk of diving into these 'muddied' waters, how about using a hardware router in front of the SME box?

I have recently installed a Netgear FR328 that allows me to stealth my system by rejecting pings and opening just those ports I want; having an 8-port switch built in allows me to set up a quasi DMZ between the router and the SME, and it also gives me automatic failover to a modem should my ADSL link go down.

My SME box now does very little re all the garbage coming from the 'net'.

Seems to me perfect for your needs.  I would guess it would cost you about 120 quid.

HTH

Robert Harlow

Re: PING response stealth mode
« Reply #17 on: October 11, 2003, 02:33:16 PM »
Graeme

Excellent point, I agree, but I didn't want to say anything earlier that might irritate Keith any more.

Before the rural wireless broadband project came to the village it was necessary to use dialup ISDN for a more reliable connection than a plain old telephone service connection. I bought a 3com OfficeLAN ISDN router to attach to my little unmanaged 3com switch. To protect it all, even on a dialup service, I used a hardware firewall from WatchGuard (SoHo 5). Broadband and the SME arrived together; the learning curve was a bit steep for me, particularly as I have to teach myself entirely unaided, and I was not able to configure everything to include the hardware firewall. Nowadays I am much better equipped in experience to attempt this... particularly now I know I can reconfigure the box's basic operational mode within a few minutes and with very little fuss and bother.

What I didn't know before was that I have to point the SME towards the hardware firewall and similarly in reverse. The hardware firewall has a very simple option that 'should' put it into a PING response stealth mode... ie the subject of this WishList thread item.

I think the SoHo hardware firewall does stateful packet stuff too but I'm not that sure, I need to have a mess around in a quiet time.

This does not exonerate Mitel from researching/producing a native option for SME to allow a PING response stealth mode... WishList item stands:-)

best wishes, Robert

Shad Lords

Re: PING response stealth mode
« Reply #18 on: October 16, 2003, 01:35:52 AM »
If you have e-smith-packetfilter-1.13.0-04 installed on 5.6 then you can perform the following to do exactly what you want.

/sbin/e-smith/config setprop masq Stealth yes
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq  
service masq restart


-Shad

Robert Harlow

Re: PING response stealth mode
« Reply #19 on: October 16, 2003, 03:03:44 AM »
Shad

Sounds good, my thanks:-)

Had e-smith-packetfilter-1.10.0-08 installed (SME5.6u4).
Wasn't able to find 1.13.0-04 in the regular 5.6 updates.
Some higher versions in the 6.0beta's but v6 is not yet for production servers.
Found your specified target revision in Charlie Brady's area...

...and have updated appropriately - thanks Charlie:-)
Implemented your command lines.
Some errors...
-------------------------------------------->
[root@nas600 24-stealth-mode]# rpm -Uvh *.rpm
Preparing...                ########################################### [100%]
   1:e-smith-packetfilter   ########################################### [100%]
[root@nas600 24-stealth-mode]# /sbin/e-smith/config setprop masq Stealth yes
[root@nas600 24-stealth-mode]# /sbin/e-smith/expand-template /etc/rc.d/init.d/masq
[root@nas600 24-stealth-mode]# service masq restart

Shutting down IP masquerade and firewall rules:         Done!

Enabling IP masquerading: iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
done
[root@nas600 24-stealth-mode]#
<--------------------------------------------

Perhaps those error lines might have been due to a number of ad hoc lines I previously added to block some favourite(?) spammers, in the form...
/sbin/iptables -A INPUT -t filter -j DROP -s 210.117.67.24

System Monitor's gateway dropped packets and latency graphs seem to be continuing as ever (including its error lines flood in the httpd/admin_error log); too soon to tell about the worm-driven ICMP guff.  Will keep an eye on the logs.

Thank you for the heads up Shad:-)

best wishes, Robert
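As an added illustration of what a "ping stealth" policy comes down to at the iptables level (this is not the e-smith-packetfilter masq template's own output and not code from anyone in the thread), the script below builds the rule set a firewall uses to stop answering echo-request on the external interface while still accepting the ICMP types that normal operation depends on. The interface name, the iptables path and the DRY_RUN switch are assumptions for the example; by default it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not part of SME Server's packetfilter package.
# Assumed names: EXT_IF (external interface), IPT (iptables binary).
# DRY_RUN=1 (default) prints the rules; DRY_RUN=0 applies them as root.

EXT_IF="${EXT_IF:-eth1}"
IPT="${IPT:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"

# run: print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# stealth_rules: emit the minimal ICMP policy for the external interface.
# Rule order matters: these are appended to INPUT, so they must sit before
# any final DROP/REJECT rule the firewall already has.
stealth_rules() {
  # Replies to our own outbound traffic (including pings we send) still
  # come back in, so outbound ping keeps working.
  run "$IPT" -A INPUT -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Keep the ICMP error types the stack needs. destination-unreachable
  # carries fragmentation-needed, which Path MTU discovery relies on;
  # dropping it with a blanket "-p icmp -j DROP" causes stalled TCP sessions.
  for t in destination-unreachable time-exceeded; do
    run "$IPT" -A INPUT -i "$EXT_IF" -p icmp --icmp-type "$t" -j ACCEPT
  done

  # Inbound echo-request is silently dropped: no reply, no REJECT, so a
  # probe gets nothing back, whatever the packet size.
  run "$IPT" -A INPUT -i "$EXT_IF" -p icmp --icmp-type echo-request -j DROP
}

# count_rules: number of rules stealth_rules emits (useful as a sanity check
# before applying; the number is 4 with the types listed above).
count_rules() {
  stealth_rules | wc -l | tr -d ' '
}

stealth_rules
```

Run it once with the default DRY_RUN=1 to review the rules, then with DRY_RUN=0 EXT_IF=<your external interface> to apply them. On an SME box, hand-added rules of this kind are lost whenever the masq service is regenerated from its templates, which is why the supported route in this thread is the config property plus expand-template rather than ad hoc iptables lines.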

Magnus

Re: PING response stealth mode
« Reply #20 on: November 10, 2003, 07:54:19 AM »
Tried that on my sme 6.0b3

[root@miniburken]# /sbin/e-smith/config setprop masq Stealth yes
[root@miniburken]# /sbin/e-smith/expand-template /etc/rc.d/init.d/masq
[root@miniburken]# service masq restart

Shutting down IP masquerade and firewall rules: Done!

Enabling IP masquerading: Bad argument `icmp'
Try `iptables -h' or 'iptables --help' for more information.
done

Michael Soulier

Re: PING response stealth mode
« Reply #21 on: November 10, 2003, 06:13:06 PM »
Magnus wrote:
>
> Tried that on my sme 6.0b3
>
> [root@miniburken]# /sbin/e-smith/config setprop masq Stealth
> yes
> [root@miniburken]# /sbin/e-smith/expand-template
> /etc/rc.d/init.d/masq
> [root@miniburken]# service masq restart
>
> Shutting down IP masquerade and firewall rules: Done!
>
> Enabling IP masquerading: Bad argument `icmp'
> Try `iptables -h' or 'iptables --help' for more information.
> done

As always, please report suspected bugs to smebugs@mitel.com.

Mike

Bob King

Re: PING response stealth mode
« Reply #22 on: November 25, 2003, 09:11:28 AM »
You can find the e-smith-packetfilter-1.13.0-04 rpm at the link below.

http://mirror.contribs.org/smeserver/contribs/dmay/mitel/contrib/portforwarding/

adrian

Re: PING response stealth mode
« Reply #23 on: December 16, 2003, 02:09:52 PM »
Robert

did this work for you in the end?

regards

adrian

Robert Harlow

Re: PING response stealth mode
« Reply #24 on: December 16, 2003, 02:43:41 PM »
Adrian

Marvellously:-) No longer plagued with (inappropriate) ICMP stuff. Get the occasional few but I can certainly commend the tweak. I'm still on SME5.6u4... will move to 6.0(b3?) when I have a window;~/

best wishes, Robert
