gentootux28282 (n00b)
Joined: 08 Jul 2024  Posts: 5
Posted: Mon Jul 08, 2024 4:35 pm  Post subject: Gentoo is sending ICMP Packages to Firewall/Router
Hello everyone,
this is my first time here. I recently saw in my firewall log that my Gentoo is constantly sending ICMP requests to my firewall/router. These are blocked all the time, so far so good. Unfortunately I haven't found out which program or why my system keeps sending these packets to the router. Has anyone here noticed the same thing or does anyone know what this could be or is it normal?
Thanks for the help!
pietinger (Moderator)
Joined: 17 Oct 2006  Posts: 5104  Location: Bavaria
Posted: Mon Jul 08, 2024 5:27 pm  Post subject:
gentootux28282,
Welcome to Gentoo Forums !
gentootux28282 wrote:
    [...] Has anyone here noticed the same thing or does anyone know what this could be or is it normal?
I don't think it is normal ... you should check which application sends these ICMPs.
You can do this check with: ss -apw (as root) ... if the application sends ICMP packets actively. If you have to wait for it then combine it with "watch" ->
Code:
    # watch -t -n 0.5 ss -apw >> icmplog
    -> <CTRL>-<C> after you think an application has sent some ICMPs
    # check it with LESS (not with "more")
    # less icmplog
    ->
    State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
    UNCONN 0      0      0.0.0.0:icmp        0.0.0.0:*          users:(("ping",pid=5302,fd=3))
Yes, I did a "ping" in another terminal
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
gentootux28282 (n00b)
Joined: 08 Jul 2024  Posts: 5
Posted: Mon Jul 08, 2024 5:43 pm  Post subject:
Thank you very much. I was already thinking something along those lines.
Output:
Code:
    State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
    UNCONN 213120 0      0.0.0.0:udp         0.0.0.0:*          users:(("dhcpcd",pid=806,fd=13))
    UNCONN 0      0      *:ipv6-icmp         *:*                users:(("dhcpcd",pid=806,fd=16))
It seems to be "normal".
I know a few things to disable this; I think the best way is to customize the dhcpcd.conf with the entries noipv6 and noipv6rs, right?
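An added helper, not posted in this thread, that turns the `ss -apw` listing pietinger describes (and the dhcpcd output just above) into one `protocol process pid` line per socket owner, so the raw-socket holders on a box can be counted, sorted, or diffed between two runs of the `watch` loop instead of being read through `less`. The sample input is constructed from the two outputs quoted in this thread; the function names `raw_socket_owners` and `sample_ss_output` are chosen here and are not part of ss or dhcpcd.

```shell
#!/bin/sh
# Added example (not from the thread): summarise who owns raw sockets from
# `ss -apw` output. Reads the listing on stdin and prints one
# "proto process pid" line per socket owner.
raw_socket_owners() {
    awk '
        # header line of ss (with or without a leading Netid column)
        $1 == "State" || $1 == "Netid" { next }
        NF == 0 { next }
        {
            # the first field containing ":" is Local Address:Port; for a raw
            # socket the "port" is the IP protocol name (icmp, udp, ipv6-icmp)
            local = ""
            for (i = 1; i <= NF; i++) if ($i ~ /:/) { local = $i; break }
            if (local == "") next
            n = split(local, a, ":"); proto = a[n]
            # the users:((...)) field lists every process holding the socket
            if (match($0, /users:\(\(.*\)\)/)) {
                s = substr($0, RSTART, RLENGTH)
                while (match(s, /\("[^"]+",pid=[0-9]+/)) {
                    ent = substr(s, RSTART, RLENGTH)
                    name = ent; sub(/^\("/, "", name); sub(/".*/, "", name)
                    pid = ent;  sub(/.*pid=/, "", pid)
                    print proto, name, pid
                    s = substr(s, RSTART + RLENGTH)
                }
            } else {
                # no process column (ss run without root / without -p):
                # still report that the raw socket exists
                print proto, "-", "-"
            }
        }'
}

# Constructed sample: the two listings quoted in this thread, merged under one header.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
UNCONN 0      0      0.0.0.0:icmp        0.0.0.0:*          users:(("ping",pid=5302,fd=3))
UNCONN 213120 0      0.0.0.0:udp         0.0.0.0:*          users:(("dhcpcd",pid=806,fd=13))
UNCONN 0      0      *:ipv6-icmp         *:*                users:(("dhcpcd",pid=806,fd=16))
EOF
}

# Offline demo on the constructed sample. On a live machine run, as root:
#   ss -apw | raw_socket_owners | sort | uniq -c
sample_ss_output | raw_socket_owners
```

Run against the sample this prints `icmp ping 5302`, `udp dhcpcd 806` and `ipv6-icmp dhcpcd 806`. Raw sockets are only half the picture: the AF_PACKET socket that nicop points at further down is a packet socket, which `ss -w` does not list; `ss -0ap` (packet sockets) is the listing to check for that one, and its column layout differs, so it is not fed through this parser.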
pietinger (Moderator)
Joined: 17 Oct 2006  Posts: 5104  Location: Bavaria
Posted: Mon Jul 08, 2024 9:26 pm  Post subject:
gentootux28282 wrote:
    It seems to be "normal".
    I know a few things to disable this; I think the best way is to customize the dhcpcd.conf with the entries noipv6 and noipv6rs, right?
Yes - you are right ... dhcpcd is "normal" ... I never think of it .... because ... I used dhcpcd once for a while and realized that it bypassed my local (personal) firewall (where some ports were not even enabled yet; especially UDP 67 and 68 were not open; dhcpcd was able to work anyway ;) ... since then I don't like it anymore (and I don't use it == I am using a static IP address; I don't use IPv6 either).
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
pjp (Administrator)
Joined: 16 Apr 2002  Posts: 20485
Posted: Mon Jul 08, 2024 11:05 pm  Post subject:
pietinger wrote:
    I used dhcpcd once for a while and realized that it bypassed my local (personal) firewall (where some ports were not even enabled yet; especially UDP 67 and 68 were not open; dhcpcd was able to work anyway; :evil: ) ... since then I don't like it anymore (and I don't use it == I am using a static IP address; I don't use IPv6 either).
That's disturbing. I use it to fetch a "static" dhcp address. That way I don't have to manage the files. But I don't use dns for local machines.
_________________
Quis separabit? Quo animo?
szatox (Advocate)
Joined: 27 Aug 2013  Posts: 3430
Posted: Tue Jul 09, 2024 12:13 am  Post subject:
Although it is technically possible for an application to avoid iptables, I find it highly unlikely for dhcp to do that... It's much more likely that some other rule allowed this traffic unintentionally.
gentootux28282, why do you care about icmp so much?
Ping is a useful diagnostic tool, and icmp is also used for link configuration in ipv6 (I think... I might be wrong about details, but AFAIR ipv6 makes more use of icmp than ipv4). This traffic is OK.
You can record and analyze traffic with tcpdump or wireshark to see if there is anything fishy going on, but so far there is no evidence of anything misbehaving.
_________________
Make Computing Fun Again
nicop (Tux's lil' helper)
Joined: 10 Apr 2014  Posts: 90
Posted: Tue Jul 09, 2024 8:04 am  Post subject:
szatox wrote:
    Although it is technically possible for an application to avoid iptables, I find it highly unlikely for dhcp to do that... It's much more likely that some other rule allowed this traffic unintentionally.
Apparently, the dhcp client uses AF_PACKET and therefore bypasses netfilter processing:
https://github.com/NetworkConfiguration/dhcpcd/blob/master/src/if.c
Hu (Administrator)
Joined: 06 Mar 2007  Posts: 22649
Posted: Tue Jul 09, 2024 12:40 pm  Post subject:
DHCP clients need to communicate with the DHCP server to obtain a lease, even when the client machine currently has no IP address. Normal communications through TCP or UDP require an IP address, so the DHCP client cannot use normal communications. Bypassing netfilter is probably just an incidental consequence of this unusual need.