Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: frank schulz on November 08, 2001, 06:31:33 PM
-
I have installed SME Server 5 and it works fine. I can manage the server over HTTP and SSH, but I can't ping the server from any workstation. Why?
-
Are the machines on the same subnet? Some routers are configured not to allow pings to pass through them.
More details of your network setup would be helpful.
Chris
-
From what I can see E-Smith v5 is designed to not allow incoming ICMP.
This is popularly used to decrease a server's visibility.
In my E-Smith v5.0 setup, my internal network is 10.1.1.x
In /etc/rc.d/init.d/masq I can see the following rules:
/sbin/ipchains --append output -p icmp --source 10.1.1.0/255.255.255.0 --destination 0.0.0.0/0 -j ACCEPT
/sbin/ipchains --append icmpIn --jump denylog
/sbin/ipchains --append icmpOut --jump denylog
This appears to allow pings from within the private network to get out, but
pings into E-Smith from any source get ignored.
Since my E-Smith machine is 10.1.1.1, the following rule will allow it to be pinged:
/sbin/ipchains --insert input -p icmp --source 10.1.1.0/255.255.255.0 --destination 10.1.1.1 -j ACCEPT
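
Added example, not part of the original post and not E-Smith code: a small first-match evaluator for the ipchains lines quoted above, showing why the fix uses --insert rather than --append and why its addresses must match the actual LAN. The jump from "input" to "icmpIn" is an assumption about how the masq script wires its chains, and "denylog" is treated as a terminal deny target.

```python
import ipaddress
import shlex

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = "--source 10.1.1.0/255.255.255.0"
# Rule lines as quoted in the post, except the first one: the jump from
# "input" to "icmpIn" is an ASSUMPTION about how masq wires its chains.
MASQ_RULES = [
    "/sbin/ipchains --append input -p icmp --jump icmpIn",
    f"/sbin/ipchains --append output -p icmp {LAN} --destination 0.0.0.0/0 -j ACCEPT",
    "/sbin/ipchains --append icmpIn --jump denylog",
    "/sbin/ipchains --append icmpOut --jump denylog",
]
PING_FIX = f"/sbin/ipchains --insert input -p icmp {LAN} --destination 10.1.1.1 -j ACCEPT"

def parse(line):
    """Split one ipchains command into (operation, chain, rule)."""
    tok = shlex.split(line)[1:]              # drop /sbin/ipchains
    opts = dict(zip(tok[2::2], tok[3::2]))   # each option used here takes one value
    net = lambda key: ipaddress.ip_network(opts[key]) if key in opts else ANY
    rule = {"proto": opts.get("-p"), "src": net("--source"),
            "dst": net("--destination"),
            "target": opts.get("-j") or opts.get("--jump")}
    return tok[0].lstrip("-"), tok[1], rule

def load(lines):
    """Apply append/insert/delete commands in order, as the kernel would."""
    chains = {}
    for op, name, rule in map(parse, lines):
        chain = chains.setdefault(name, [])
        if op == "insert":
            chain.insert(0, rule)            # --insert puts the rule at the head
        elif op == "delete":
            if rule in chain:
                chain.remove(rule)
        else:
            chain.append(rule)
    return chains

def verdict(chains, name, proto, src, dst):
    """First matching rule wins; targets that are known chains are descended into."""
    for r in chains.get(name, []):
        if r["proto"] in (None, proto) and src in r["src"] and dst in r["dst"]:
            if r["target"] not in chains:
                return r["target"]           # ACCEPT, or denylog (treated as terminal)
            hit = verdict(chains, r["target"], proto, src, dst)
            if hit:
                return hit
    return None                              # fell off the end of the chain

def ping_allowed(lines, src, dst):
    ip = ipaddress.ip_address
    return verdict(load(lines), "input", "icmp", ip(src), ip(dst)) == "ACCEPT"
```

Under these assumptions, the rule as written does nothing for a 192.168.19.x network like the one described later in the thread; the --source and --destination values have to be changed to the local subnet and server address.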
-
Hello, all the machines get their addresses via DHCP from the server; they are in the same subnet. The server has the address 192.168.19.1 and the machines are in the range 192.168.19.66-192.168.19.240. The DHCP works correctly and I can ping between the clients. Telnet to 192.168.19.1 also works.
-
Thanks for this info, I think that is the solution. In e-smith 4.12 this was not implemented; pinging the server was allowed.
-
There is much debate in the firewall community about the value of denying ICMP.
Regardless, denying appears to be the direction that the E-smith developers took.
If you choose to use this command to allow pings, you should build a custom
template fragment to implement this.
You could put it in rc.local, but I found masq restarts for all sorts of reasons and your rc.local changes will be lost till the next reboot.
To reverse the effect of the copy, change the word 'insert' to the word 'delete'.
-
My bone stock SME v5 box allows me to ping it from the internal interface side. Guess that throws that idea out the window!
Terry
frank schulz wrote:
>
> Thanks for this info, I think that is the solution. In
> e-smith 4.12 this was not implemented, pinging the server was
> allowed.
-
On install you have the choice of a Private or a Public Gateway.
I wonder if you chose to be 'Public' then you are pingable, and private you are not....