Secure OS Software for Linux

ICMP method_name in tlrules

 
Chris Watson
Super Advisor

There doesn't appear to be an ICMP method_name in tlrules either.

I am trying to enable ping to the system compartment, and I have tried adding 'method all' but the client can't get a response.

How can I get hplx to respond to a ping?
Moving along nicely
4 REPLIES
Ron Vladick
Advisor

Re: ICMP method_name in tlrules

Currently ICMP messages are not supported. ICMP messages will only work in the syshi compartment.
Chris Watson
Super Advisor

Re: ICMP method_name in tlrules

Ron,

Could you expand on this a little?

From another machine I want to ping hp-tlx.

tlrules appear to handle socket communications, and seeing as ICMP is not sockified I don't understand how tlx handles this.

Do I control ICMP by controlling UDP?

You state that ICMP will work in syshi. If I am pinging from another machine, what is going to echo the request?

Moving along nicely
Joy Leima
Occasional Advisor

Re: ICMP method_name in tlrules

Incoming ICMP messages are not affected. IP responds to these. Secure Linux won't interfere with the operations of ICMP or any other low level IP operations. It is when a process tries to receive (or send) a packet that the compartmentalization will come into play.
Ron Vladick
Advisor

Re: ICMP method_name in tlrules

To further clarify,

Why can a client ping Secure Linux/Linux?
- a) ICMP replies are a built-in networking function. These requests are handled by the network driver before it passes the request up the stack to the tcp/udp functions.

ICMP has some configurable options. These parameters reside in /proc/sys/net/ipv4:

- icmp_echo_ignore_all
- icmp_echo_ignore_broadcasts
- icmp_ignore_bogus_error_responses
- icmp_ratelimit
- icmp_ratemask

The icmp_echo_ignore_all parameter can be set to 1 for Secure Linux to not reply to client icmp requests.
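
The parameters named in the last reply can be audited from a shell to see whether a host will answer pings. This is an added example, not part of the original thread; the function names and the constructed sample values are assumptions, and on a live host the directory argument would be /proc/sys/net/ipv4.

```shell
#!/bin/sh
# Audit the ICMP echo parameters named in the thread (added example).

# read_param DIR NAME: print the parameter's value, or "absent" if unreadable.
read_param() {
    if [ -r "$1/$2" ]; then
        tr -d ' \t\n' < "$1/$2"
    else
        printf 'absent'
    fi
}

# icmp_echo_policy DIR: print ignore-all, ignore-broadcasts, reply-all or unknown.
icmp_echo_policy() {
    all=$(read_param "$1" icmp_echo_ignore_all)
    bcast=$(read_param "$1" icmp_echo_ignore_broadcasts)
    if [ "$all" = absent ]; then
        echo unknown                      # cannot tell without the main switch
    elif [ "$all" != 0 ]; then
        echo ignore-all                   # non-zero: no echo replies at all
    elif [ "$bcast" != 0 ] && [ "$bcast" != absent ]; then
        echo ignore-broadcasts            # unicast pings are still answered
    else
        echo reply-all
    fi
}

# icmp_report DIR: print every parameter from the list above as name=value.
icmp_report() {
    for p in icmp_echo_ignore_all icmp_echo_ignore_broadcasts \
             icmp_ignore_bogus_error_responses icmp_ratelimit icmp_ratemask; do
        printf '%s=%s\n' "$p" "$(read_param "$1" "$p")"
    done
    printf 'echo_policy=%s\n' "$(icmp_echo_policy "$1")"
}

# Demo on constructed values; pass /proc/sys/net/ipv4 to audit a live host.
demo=$(mktemp -d)
printf '0\n' > "$demo/icmp_echo_ignore_all"
printf '1\n' > "$demo/icmp_echo_ignore_broadcasts"
printf '1000\n' > "$demo/icmp_ratelimit"
icmp_report "$demo"
rm -rf "$demo"
```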