Gentoo Forums
Gentoo is sending ICMP Packages to Firewall/Router
gentootux28282
n00b

Joined: 08 Jul 2024
Posts: 5

Posted: Mon Jul 08, 2024 4:35 pm    Post subject: Gentoo is sending ICMP Packages to Firewall/Router

Hello everyone,

this is my first time here. I recently saw in my firewall log that my Gentoo is constantly sending ICMP requests to my firewall/router. These are blocked all the time, so far so good. Unfortunately I haven't found out which program or why my system keeps sending these packets to the router. Has anyone here noticed the same thing or does anyone know what this could be or is it normal?

Thanks for the help!

pietinger
Moderator

Joined: 17 Oct 2006
Posts: 5104
Location: Bavaria

Posted: Mon Jul 08, 2024 5:27 pm

gentootux28282,

Welcome to Gentoo Forums ! :D

gentootux28282 wrote:
[...] Has anyone here noticed the same thing or does anyone know what this could be or is it normal?

I don't think it is normal ... you should check which application sends these ICMPs.

You can do this check with: ss -apw (as root) ... if the application is actively sending ICMP packets. If you have to wait for it then combine it with "watch" ->
Code:
# watch -t -n 0.5 ss -apw  >> icmplog
-> <CTRL>-<C> after you think an application has sent some ICMPs
# check it with LESS (not with "more")
# less icmplog
->
State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess  Recv-Q Send-Q Local Address:Port Peer Address:PortProcess^MUNCONN 000.0.0.0:icmp0.0.0.0:*    users:(("ping",pid=5302,fd=3))

Yes, I did a "ping" in another terminal ;-)
_________________
https://wiki.gentoo.org/wiki/User:Pietinger

gentootux28282
n00b

Joined: 08 Jul 2024
Posts: 5

Posted: Mon Jul 08, 2024 5:43 pm

Thank you very much. I was already thinking something along those lines.
Output:
Code:
 
State Recv-Q Send-Q Local Address:PortPeer Address:PortProcess^MUNCONN 213120 00.0.0.0:udp0.0.0.0:* users:(("dhcpcd",pid=806,fd=13))^MUNCONN 00*:ipv6-icmp*:* users:(("dhcpcd",pid=806,fd=16))^M

It seems to be "normal".
I know a few things to disable this, I think the best way is to customize the dhcpcd.conf with the entries: noipv6 and noipv6rs, right?

pietinger
Moderator

Joined: 17 Oct 2006
Posts: 5104
Location: Bavaria

Posted: Mon Jul 08, 2024 9:26 pm

gentootux28282 wrote:
It seems to be "normal".
I know a few things to disable this, I think the best way is to customize the dhcpcd.conf with the entries: noipv6 and noipv6rs, right?

Yes - you are right ... dhcpcd is "normal" ... I never think of it ... because ... I used dhcpcd once for a while and realized that it bypassed my local (personal) firewall (where some ports were not even enabled yet; especially UDP 67 and 68 were not open; dhcpcd was able to work anyway; :evil: ) ... since then I don't like it anymore (and I don't use it == I am using a static ip address; I don't use IPv6 either).
_________________
https://wiki.gentoo.org/wiki/User:Pietinger

pjp
Administrator

Joined: 16 Apr 2002
Posts: 20485

Posted: Mon Jul 08, 2024 11:05 pm

pietinger wrote:
I used dhcpcd once for a while and realized that it bypassed my local (personal) firewall (where some ports were not even enabled yet; especially UDP 67 and 68 were not open; dhcpcd was able to work anyway; :evil: ) ... since then I don't like it anymore (and I don't use it == I am using a static ip address; I don't use IPv6 either).
That's disturbing. I use it to fetch a "static" dhcp address. That way I don't have to manage the files. But I don't use dns for local machines.
_________________
Quis separabit? Quo animo?

szatox
Advocate

Joined: 27 Aug 2013
Posts: 3430

Posted: Tue Jul 09, 2024 12:13 am

Although it is technically possible for an application to avoid iptables, I find it highly unlikely for dhcp to do that... It's much more likely that some other rule allowed this traffic unintentionally.



gentootux28282, why do you care about icmp so much?
Ping is a useful diagnostic tool, and icmp is also used for link configuration in ipv6 (I think... I might be wrong about details, but AFAIR ipv6 makes more use of icmp than ipv4). This traffic is OK.
You can record and analyze traffic with tcpdump or wireshark to see if there is anything fishy going on, but so far there is no evidence of anything misbehaving.
_________________
Make Computing Fun Again

nicop
Tux's lil' helper

Joined: 10 Apr 2014
Posts: 90

Posted: Tue Jul 09, 2024 8:04 am

szatox wrote:
Although it is technically possible for an application to avoid iptables, I find it highly unlikely for dhcp to do that... It's much more likely that some other rule allowed this traffic unintentionally.


Apparently, the dhcp client uses AF_PACKET and therefore bypasses the netfilter process:
https://github.com/NetworkConfiguration/dhcpcd/blob/master/src/if.c

Hu
Administrator

Joined: 06 Mar 2007
Posts: 22648

Posted: Tue Jul 09, 2024 12:40 pm

DHCP clients need to communicate with the DHCP server to obtain a lease, even when the client machine currently has no IP address. Normal communications through TCP or UDP require an IP address, so the DHCP client cannot use normal communications. Bypassing netfilter is probably just an incidental consequence of this unusual need.
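
To audit which processes hold AF_PACKET sockets (the socket family the posts above say dhcpcd uses, and which is not filtered by netfilter rules), the kernel's /proc/net/packet table can be joined against the socket inodes in /proc/<pid>/fd. This is an added example, not part of the thread and not dhcpcd code; the sample rows are constructed and all function names are hypothetical.

```python
import glob, os, re

# Constructed sample in /proc/net/packet layout (assumed values, not from the thread).
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff888100000001 3      3    0800   2     1 0      0      23456
ffff888100000002 3      2    0806   2     1 0      0      23460
"""
ETHERTYPES = {0x0003: "ALL", 0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}

def parse_packet_table(text):
    """Return one dict per AF_PACKET socket listed in /proc/net/packet text."""
    socks = []
    for line in text.splitlines()[1:]:              # skip the header row
        f = line.split()
        if len(f) >= 9:                             # ignore short or blank lines
            proto = int(f[3], 16)                   # Proto column is a hex EtherType
            socks.append({"type": SOCK_TYPES.get(int(f[2]), f[2]),
                          "proto": ETHERTYPES.get(proto, hex(proto)),
                          "ifindex": int(f[4]), "uid": int(f[7]), "inode": int(f[8])})
    return socks

def inode_owners(fd_links):
    """Map socket inode -> set of PIDs, from (pid, readlink target) pairs."""
    owners = {}
    for pid, target in fd_links:
        m = re.fullmatch(r"socket:\[(\d+)\]", target)
        if m:
            owners.setdefault(int(m.group(1)), set()).add(pid)
    return owners

def live_fd_links():
    """Yield (pid, link target) for every readable /proc/<pid>/fd entry."""
    for path in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            yield int(path.split("/")[2]), os.readlink(path)
        except OSError:
            continue                                # process exited or no permission

if __name__ == "__main__":                          # run as root to see all owners
    with open("/proc/net/packet") as fh:
        table = parse_packet_table(fh.read())
    owners = inode_owners(live_fd_links())
    for s in table:
        print(s, "pids:", sorted(owners.get(s["inode"], [])))
```

Any process listed here sends and receives frames that INPUT/OUTPUT rules never see, so it belongs in the firewall review alongside the rule set itself.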

All times are GMT