Welcome to the Linux Foundation Forum!

Exercise 24.1: System Tunables with sysctl

albiurs
albiurs Posts: 51
in LFS207 Class Forum

Hi,

Somehow I cannot deactivate the ping on my computer...

┌──(alu@nb)-[~]
└─$ sudo sysctl net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_echo_ignore_all = 1

┌──(alu@nb)-[~]
└─$ ping -c 3 localhost
PING localhost(localhost (::1)) 56 data bytes
64 bytes from localhost (::1): icmp_seq=1 ttl=64 time=0.013 ms
64 bytes from localhost (::1): icmp_seq=2 ttl=64 time=0.055 ms
64 bytes from localhost (::1): icmp_seq=3 ttl=64 time=0.041 ms

--- localhost ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2048ms
rtt min/avg/max/mdev = 0.013/0.036/0.055/0.017 ms

What could be the reason?

Thanks,
Urs

Answers

  • luisviveropena
    luisviveropena Posts: 1,284

    Hi Urs,

    I just tried it on Ubuntu 24.04 and worked for me.

    1.- What OS and version are you testing with?
    2.- What's the kernel version?

    uname -r

    Regards,
    Luis.

  • albiurs
    albiurs Posts: 51

    Hi Luis,

    Thanks for your reply.

    I'm on Debian:

    ┌──(alu@nb)-[~]
└─$ cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

┌──(alu@nb)-[~]
└─$ uname -r
6.1.0-25-amd64

    Regards,
    Urs

  • luisviveropena
    luisviveropena Posts: 1,284
    edited October 2024

    Hi Urs,

    Unfortunately I was able to reproduce the issue on Debian 12 and kernel version 6.1.0-26-amd64.
    So, if I do "cat /proc/sys/net/ipv4/icmp_echo_ignore_all" it gives "1", which should deactivate ping localhost, but it isn't. Also, I got net.ipv4.icmp_echo_ignore_all=1 to /etc/sysctl.conf, restarted the associated service with "service procps force-reload", and it didn't work. That's bad, because that means that /etc/sysctl.conf is not working as expected. I also restarted the system and it didn't work either.

    Before all of that I stopped the default firewall, just in case.

    You can check the Debian documentation about this item here:

    https://www.debian.org/doc/manuals/securing-debian-manual/network-secure.en.html

    So, at this point it looks to me as a bug. I recommend to try with any other distro. It worked for me with Ubuntu.

    Regards,
    Luis.

  • luisviveropena
    luisviveropena Posts: 1,284
    edited October 2024

    Hi Urs,

    On Debian you also need to do the following (block icmp for ipv6 as well):

    echo "1" > /proc/sys/net/ipv6/icmp/echo_ignore_all

    After that, pings to localhost will be ignored.

    Regards,
    Luis.

  • albiurs
    albiurs Posts: 51

    Hi Luis,

    Thank you very much.

    Now I got it too. So it seams that, if icmp on ipv4 is disabled, Debian switches to icmp on ipv6 (if possible). In my case, as I use DHCP, apart form the ipv4 address, my computer was assigned an ipv6 address as well. Maybe that's the reason about this behavior.

    In case it's not a bug, you may consider to update the according lab in the course.

    Best wishes,
    Urs

  • luisviveropena
    luisviveropena Posts: 1,284

    Hi Urs, it's a pleasure!

    Now I got it too. So it seams that, if icmp on ipv4 is disabled, Debian switches to icmp on ipv6 (if >possible). In my case, as I use DHCP, apart form the ipv4 address, my computer was assigned an ipv6 >address as well. Maybe that's the reason about this behavior.

    Yes, it's a feature, not a bug, hehehe.

    Regards,
    Luis.

Categories

Upcoming Training