HPE Community
Operating System - HP-UX
1825720 Members
2966 Online
109686 Solutions
New Discussion

ICMP over

 
Pedro Orellana C.
Occasional Contributor

‎07-15-2004 04:37 AM

‎07-15-2004 04:37 AM

ICMP over

I have a hp-ux D330 in DMZ sector. I need to lower ICMP (services or protocol) by firewall for DMZ.
when I lower the ICMP of DMZ all connections of the machine go away down, i lose ping, telnet , database conection. etc.
I have QPK and HWE of Mar 2004.
Can you help me, please.
0 Kudos
Reply
7 REPLIES 7
Sundar_7
Honored Contributor

‎07-15-2004 04:54 AM

‎07-15-2004 04:54 AM

Re: ICMP over

lower ICMP ? - you mean blocking it ? - ICMP has got some 8 control codes or functions - if you want to block only the ability of the other machines to ping your machines in the DMZ then you might want to only block the ICMP-Reply (I think the function code 8) and leave the rest of them unblocked.
Learn What to do ,How to do and more importantly When to do ?
0 Kudos
Reply
Jeff Schussele
Honored Contributor

‎07-15-2004 05:10 AM

‎07-15-2004 05:10 AM

Re: ICMP over

Hi Pedro,

This is most likely due to the default HP behavior of dead gateway detection. This is an ndd feature that will periodically send ICMP packets to the router & if not rec'd back the route is dropped from the routing table.

It can be disabled with an entry of
TRANSPORT_NAME[X]=ip
NDD_NAME[X]=ip_ire_gw_probe
NDD_VALUE=0
in the /etc/rc.config.d/nddconf file and a reboot or a network stop/start. Replace the "X" with an appropriate index value.

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
0 Kudos
Reply
Jeff Schussele
Honored Contributor

‎07-15-2004 05:12 AM

‎07-15-2004 05:12 AM

Re: ICMP over

Hi Pedro,

This is most likely due to the default HP behavior of dead gateway detection. This is an ndd feature that will periodically send ICMP packets to the router & if not rec'd back the route is dropped from the routing table.

It can be disabled with an entry of
TRANSPORT_NAME[X]=ip
NDD_NAME[X]=ip_ire_gw_probe
NDD_VALUE[X]=0
in the /etc/rc.config.d/nddconf file and a reboot or a network stop/start. Replace the "X" with an appropriate index value.

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
0 Kudos
Reply
Pedro Orellana C.
Occasional Contributor

‎07-15-2004 05:25 AM

‎07-15-2004 05:25 AM

Re: ICMP over

Thank you, but in my firewall i block ICMP, that is all code of ICMP. In DMZ sector i have 3 machine : two SUN and one HP-UX, only HP-ux is affected when ICMP is blocked.
0 Kudos
Reply
Ron Kinner
Honored Contributor

‎07-15-2004 05:29 AM

‎07-15-2004 05:29 AM

Re: ICMP over

I think you are running HPUX 10.3 or higher and you are running into Dead Gateway Detection when you shut off ICMP. HPUX pings the gateway periodically to make sure it is still alive. If the ping fails then it won't use the gateway.

You can prove it by:

ndd -set /dev/ip ip_ire_gw_probe 0


then shut off ICMP on your firewall. If that fixes your problem then edit

/etc/rc.config.d/nddconf to make it permanent.

TRANSPORT_NAME[0]=ip
NDD_NAME[0]=ip_ire_gw_probe
NDD_VALUE[0]=0

Ron

PS If it claims there is no such variable then you are missing a patch.
0 Kudos
Reply
Sundar_7
Honored Contributor

‎07-15-2004 05:36 AM

‎07-15-2004 05:36 AM

Re: ICMP over

Yeah, I think both the above posts are right on.

# ndd -get /dev/ip ip_ire_status

execute the above command see if you have DOWN status next to any of the routing entries. If yes then you can enable only ICMP-echo reply for the HP-UX server if you are skeptical in enabling all of the ICMP functions.
Learn What to do ,How to do and more importantly When to do ?
0 Kudos
Reply
Pedro Orellana C.
Occasional Contributor

‎07-15-2004 07:58 AM

‎07-15-2004 07:58 AM

Re: ICMP over

Thank you to all, thank you for all, that all ok.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.