From Adrian on Tue, 21 Mar 2000
I was just wondering how I could shutdown the ping daemon. I have looked in inetd.conf and most of the other startup scripts..yet no avail. Can you help?
I presume you want to prevent your system from responding to a 'ping' command.
The 'ping' command generates "ICMP echo request" packets (ICMP is the "internet control messaging protocol"). There is no daemon that generates the ICMP echo replies. Those are generated by your kernel.
To prevent your system from responding to them you could simply use ipfwadm or ipchains --- adding a rule to your Linux kernel's packet filtering tables. Obviously you must have the corresponding kernel features enabled (most recent distributions ship with ipfwadm/ipchains features enabled, so this is a no-brainer for most of us).
Here's a rule to prevent your system from sending ICMP echo replies:
ipchains -A output -p icmp --icmp-type pong -j DENY
(Note: Rusty seems to have included a pun/alias here --- "pong" can be used instead of the longer "echo-reply" keyword option to the --icmp-type switch).
This particular example requires a 2.2 kernel. 2.0 kernels use the ipfwadm command something like:
ipfwadm -I -a deny -P icmp -S 0.0.0.0/0 0
This is a bit more cryptic. The -P icmp sets the protocol, which modifies the way that the -S (source address) pattern is interpreted. Normally a source address pattern for ipfwadm consists of a "dotted quad" network or host number, optionally followed by a "/ significant bits" modifier and optionally followed by a list of ports (TCP or UDP, according to the protocol). However, when the protocol is ICMP, this last component of the address pattern is interpreted as a numeric ICMP type.
According to RFC 792 (the "request for comments" document that covers the "Internet Control Message Protocol") the echo reply ICMP packet is of type 8. According to the 'ipfwadm' man page the ICMP type can only be used with the -S option, it can't be used with -D (destination) address patterns.
Anyway, it's not necessarily a good idea to block ICMP echo replies, and it's definitely a BAD idea to blindly block all ICMP traffic. (In particular, blocking things like "destination unreachable" and "fragmentation needed when DF option set" will cause problems for your systems when they are trying to engage in legitimate TCP/IP communications.)
I really suggest reading the IPChains HOWTO (perhaps starting with a "serious example"):
... before you implement any of these rules.
Incidentally, note that IPChains will probably be phased out of future kernels in favor of the Netfilter (IPTables) architecture that's now being integrated into 2.3.x for inclusion into 2.4. Hopefully this will settle down the kernel packet filtering code for a while.
Over the years we've gone through ipfw (1.2), ipfwadm (2.0), ipchains (2.2) and now iptables/ipnatctl (2.4). These have each been major improvements over the last. However, it is a bit of a disruption for us poor sysadmins in the field. Luckily netfilter supports a modular approach allowing the actual filtering to be done by ipfwadm or ipchains "compatibility" modules. Hopefully the future enhancements and netfilter modules can be deployed without much disruption to those who need to upgrade a kernel for reasons other than their packet filters.
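As an added illustration (my own code, not from the column above or from the ipchains/ipfwadm tools), here is a small Python model of what the answer describes: the echo request that 'ping' sends, the echo reply the kernel generates itself with no daemon involved, and a "deny by ICMP type" check in the spirit of the rules above, which drops echo replies while letting the destination-unreachable and fragmentation-needed errors through. Type and code numbers follow RFC 792; all packet bytes are constructed samples, and the checksum is the RFC 1071 one's-complement sum.

```python
import struct

# ICMP type/code numbers from RFC 792, as referenced in the answer above.
ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST = 0, 3, 8
CODE_FRAG_NEEDED = 4  # type 3, code 4: "fragmentation needed and DF set"

def icmp_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes = bytes(4), payload: bytes = b"") -> bytes:
    """Constructed sample message: type, code, checksum, 4 'rest of header' bytes, data."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(body)) + rest + payload

def parse_icmp(packet: bytes) -> dict:
    """Decode type/code and verify the checksum (a valid message re-sums to zero)."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte minimum")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _ = struct.unpack("!BBH", packet[:4])
    return {"type": icmp_type, "code": code, "rest": packet[4:8], "payload": packet[8:]}

def kernel_echo_reply(request: bytes) -> bytes:
    """What the kernel itself does for 'ping': send identifier, sequence and data back as type 0."""
    msg = parse_icmp(request)
    if msg["type"] != ICMP_ECHO_REQUEST:
        raise ValueError("not an echo request")
    return build_icmp(ICMP_ECHO_REPLY, 0, msg["rest"], msg["payload"])

def filter_verdict(packet: bytes, denied_types: set) -> str:
    """Mimic an ipchains/ipfwadm 'deny ICMP type N' rule applied to one message."""
    return "DENY" if parse_icmp(packet)["type"] in denied_types else "ACCEPT"

if __name__ == "__main__":
    # Constructed traffic: a ping, the kernel's reply, and the two error messages the
    # answer warns against blocking. Only echo replies are denied, as in the ipchains rule.
    ping = build_icmp(ICMP_ECHO_REQUEST, 0, b"\x12\x34\x00\x01", b"ping")
    for pkt in (ping, kernel_echo_reply(ping), build_icmp(ICMP_DEST_UNREACH, 1),
                build_icmp(ICMP_DEST_UNREACH, CODE_FRAG_NEEDED)):
        m = parse_icmp(pkt)
        print("type %d code %d -> %s" % (m["type"], m["code"], filter_verdict(pkt, {ICMP_ECHO_REPLY})))
```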