Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: RayG on August 25, 2003, 06:35:04 PM
-
I would like to block the Cyberkit 2.2 ICMP echo requests as snort's processing of them is starting to slow down my server. I received 33,000+ over the weekend. I suppose I could just kill this particular alert in snort but I'd rather just drop the pings. Letting the system respond to them just invites more traffic from the infected machine.
I've searched through the forums and found two methods to block ICMP echo requests.
One involved simply adding a rule to ipchains. I tried this approach first as I already have a custom template fragment for adding blocks to ipchains. I could see the block in the output from "ipchains -L input" but the cyberkit 2.2 packets were still getting through.
The second approach involved modifying a copy of a masq template fragment to remove the echo requests from the list of allowable ICMP traffic. I modified the custom fragment, rebuilt the template, and restarted masq. I can't ping my server from outside now but the cyberkit 2.2 echo requests are still getting through.
Any clue what I'm missing?