Exercise 24.1: System Tunables with sysctl

Hi,

Somehow I cannot deactivate the ping on my computer...

┌──(alu@nb)-[~]
└─$ sudo sysctl net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_echo_ignore_all = 1

┌──(alu@nb)-[~]
└─$ ping -c 3 localhost
PING localhost(localhost (::1)) 56 data bytes
64 bytes from localhost (::1): icmp_seq=1 ttl=64 time=0.013 ms
64 bytes from localhost (::1): icmp_seq=2 ttl=64 time=0.055 ms
64 bytes from localhost (::1): icmp_seq=3 ttl=64 time=0.041 ms

--- localhost ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2048ms
rtt min/avg/max/mdev = 0.013/0.036/0.055/0.017 ms

What could be the reason?

Thanks,
Urs

Answers

  • luisviveropena
    luisviveropena Posts: 1,233

    Hi Urs,

    I just tried it on Ubuntu 24.04 and it worked for me.

    1.- What OS and version are you testing with?
    2.- What's the kernel version?

    uname -r

    Regards,
    Luis.

  • albiurs
    albiurs Posts: 38

    Hi Luis,

    Thanks for your reply.

    I'm on Debian:

    ┌──(alu@nb)-[~]
    └─$ cat /etc/os-release 
    PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
    NAME="Debian GNU/Linux"
    VERSION_ID="12"
    VERSION="12 (bookworm)"
    VERSION_CODENAME=bookworm
    ID=debian
    HOME_URL="https://www.debian.org/"
    SUPPORT_URL="https://www.debian.org/support"
    BUG_REPORT_URL="https://bugs.debian.org/"
    
    ┌──(alu@nb)-[~]
    └─$ uname -r
    6.1.0-25-amd64
    

    Regards,
    Urs

  • luisviveropena
    luisviveropena Posts: 1,233
    edited October 5

    Hi Urs,

    Unfortunately I was able to reproduce the issue on Debian 12 and kernel version 6.1.0-26-amd64.
    So, if I do "cat /proc/sys/net/ipv4/icmp_echo_ignore_all" it gives "1", which should deactivate ping localhost, but it doesn't. Also, I added net.ipv4.icmp_echo_ignore_all=1 to /etc/sysctl.conf, restarted the associated service with "service procps force-reload", and it didn't work. That's bad, because that means that /etc/sysctl.conf is not working as expected. I also restarted the system and it didn't work either.

    Before all of that I stopped the default firewall, just in case.

    You can check the Debian documentation about this item here:

    https://www.debian.org/doc/manuals/securing-debian-manual/network-secure.en.html

    So, at this point it looks to me like a bug. I recommend trying with any other distro. It worked for me with Ubuntu.

    Regards,
    Luis.

  • luisviveropena
    luisviveropena Posts: 1,233
    edited October 7

    Hi Urs,

    On Debian you also need to do the following (block icmp for ipv6 as well):

    echo "1" > /proc/sys/net/ipv6/icmp/echo_ignore_all

    After that, pings to localhost will be ignored.

    Regards,
    Luis.

  • albiurs
    albiurs Posts: 38

    Hi Luis,

    Thank you very much.

    Now I got it too. So it seems that, if icmp on ipv4 is disabled, Debian switches to icmp on ipv6 (if possible). In my case, as I use DHCP, apart from the ipv4 address, my computer was assigned an ipv6 address as well. Maybe that's the reason for this behavior.

    In case it's not a bug, you may consider updating the corresponding lab in the course.

    Best wishes,
    Urs

  • luisviveropena
    luisviveropena Posts: 1,233

    Hi Urs, it's a pleasure!

    > Now I got it too. So it seems that, if icmp on ipv4 is disabled, Debian switches to icmp on ipv6 (if possible). In my case, as I use DHCP, apart from the ipv4 address, my computer was assigned an ipv6 address as well. Maybe that's the reason for this behavior.

    Yes, it's a feature, not a bug, hehehe.

    Regards,
    Luis.
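
Added example, not part of the thread or the course lab: a small shell audit that checks the echo-ignore tunable for IPv4 and IPv6 together, since the thread shows `ping localhost` going to ::1 while only the IPv4 key was set. The `PROC_SYS` override and the function names are assumptions of this example; the two tunable paths are the ones quoted above.

```shell
#!/bin/sh
# Added example: audit the ICMP echo-ignore tunables for both address families.
# PROC_SYS (an assumption of this example) lets the check run against a
# constructed directory instead of the live /proc/sys.
PROC_SYS="${PROC_SYS:-/proc/sys}"

# Print a tunable's value, or "missing" when the kernel does not expose it.
read_tunable() {
    if [ -r "$PROC_SYS/$1" ]; then
        cat "$PROC_SYS/$1"
    else
        echo missing
    fi
}

# $1 = family label, $2 = path under PROC_SYS, $3 = sysctl key name.
# Returns 0 if echo requests are ignored, 1 if still answered, 2 if unknown.
check_family() {
    cf_val=$(read_tunable "$2")
    case "$cf_val" in
        1) echo "$1: echo requests ignored ($3 = 1)"; return 0 ;;
        0) echo "$1: still answers ping; fix with: sysctl -w $3=1"; return 1 ;;
        missing) echo "$1: $3 not exposed; cannot confirm"; return 2 ;;
        *) echo "$1: unexpected value '$cf_val' for $3"; return 2 ;;
    esac
}

# Check IPv4 and IPv6 together; returns 0 only if both ignore echo requests.
echo_audit() {
    ea_rc=0
    check_family ipv4 net/ipv4/icmp_echo_ignore_all net.ipv4.icmp_echo_ignore_all || ea_rc=1
    check_family ipv6 net/ipv6/icmp/echo_ignore_all net.ipv6.icmp.echo_ignore_all || ea_rc=1
    return "$ea_rc"
}

# Show which address "localhost" resolves to first; ping uses that family.
if command -v getent >/dev/null 2>&1; then
    getent ahosts localhost | head -n 1 || true
fi
echo_audit || echo "ping is not fully disabled on this host"
```

To make both settings survive a reboot, both keys need an entry in /etc/sysctl.conf (or a file under /etc/sysctl.d/), not only the IPv4 one.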
