Dropping PING (ICMP) requests?

I can’t find any port forwarding features in the default “Fire Wall” module. I did a GRC Port Scan and even though all my ports are closed, I still failed the “True Stealth” because my server is responding to the ICMP Ping Request.

So what module can I install that will give me true NAT features?

VcDeveloper1 wrote:
> I can’t find any port forwarding features in the default “Fire Wall”
> module.

It’s “Masquerading”

> I did a GRC Port Scan and even though all my ports are closed,
> I still failed the “True Stealth” because my server is responding to the
> ICMP Ping Request.

Tell it to stop answering to ping:

sysctl -w net.ipv4.icmp_echo_ignore_all=1

Or you might want to slow down ping rates:

sysctl -w net.ipv4.icmp_echoreply_rate=10

> So what module can I install that will give me true NAT features?

Use masquerading

Vahis

“Sunrise 8:46am (EET), sunset 3:28pm (EET) at Espoo, Finland (6:41 hours
daylight)”
http://waxborg.servepics.com
Linux 2.6.25.20-0.5-default #1 SMP 2009-08-14 01:48:11 +0200 x86_64
10:30am up 25 days 15:31, 10 users, load average: 0.46, 0.45, 0.40

Ooooooooooooooh! Thanks for your help!

To make it permanent, put it in /etc/sysctl.conf

net.ipv4.icmp_echo_ignore_all = 1

You may also consider disabling broadcasting too, though it may “break” some things. So far, I haven’t had a problem with it at all.

net.ipv4.icmp_echo_ignore_broadcasts = 1

I’ve got other TCP/IP stack hardening tweaks in /etc/sysctl.conf :wink:
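The thread gives the ICMP knobs twice, once as live `sysctl -w` commands and once as lines for /etc/sysctl.conf, without any way to check that the persistent file actually carries them. The script below is an added example, not something posted in the thread: it parses a sysctl.conf-style file (comments, blank lines and spacing handled the way sysctl itself reads them) and reports which of the ICMP hardening keys are missing or set to a different value. The sample file it audits is constructed here, so it runs offline and never writes to the kernel. Two assumptions: the rate-limit key used is `net.ipv4.icmp_ratelimit`, which is the 2.4/2.6 replacement for the older per-type `icmp_*_rate` keys mentioned above, and its expected value of 1000 (milliseconds, the kernel default) is a baseline chosen for the example, since the thread does not name one.

```shell
#!/bin/sh
# Added example (not from the thread): audit a sysctl.conf-style file for the
# ICMP hardening keys discussed above, using a constructed sample file so the
# script runs offline and never touches the live kernel.

# Keys a defender expects to find, with the value to check for.
# net.ipv4.icmp_ratelimit is the 2.4+/2.6 rate-limit knob (ms between ICMP
# replies); the value 1000 is an assumed baseline (the kernel default).
EXPECTED="net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ratelimit=1000"

# Print "key=value" for every active setting in a sysctl.conf file:
# drop '#' and ';' comments, all whitespace, then blank lines.
sysctl_conf_settings() {
    sed -e 's/[#;].*$//' -e 's/[[:space:]]//g' -e '/^$/d' "$1"
}

# Return 0 if every expected key has the expected value in the file;
# otherwise print one line per missing/mismatched key and return 1.
# The last occurrence of a key wins, matching how sysctl applies the file.
audit_icmp_hardening() {
    settings=$(sysctl_conf_settings "$1")
    rc=0
    for want in $EXPECTED; do
        key=${want%%=*}
        have=$(printf '%s\n' "$settings" |
            awk -F= -v k="$key" '$1 == k { v = $2 } END { if (v != "") print v }')
        if [ -z "$have" ]; then
            printf 'MISSING  %s\n' "$key"
            rc=1
        elif [ "$have" != "${want#*=}" ]; then
            printf 'MISMATCH %s (found %s, want %s)\n' "$key" "$have" "${want#*=}"
            rc=1
        fi
    done
    return $rc
}

# Read-only view of the live values, for comparing against the file.
show_live_icmp_settings() {
    for want in $EXPECTED; do
        key=${want%%=*}
        path=/proc/sys/$(printf '%s' "$key" | tr . /)
        if [ -r "$path" ]; then
            printf '%s = %s\n' "$key" "$(cat "$path")"
        fi
    done
}

# Constructed sample: ignore_all is set, broadcasts left at 0, ratelimit absent.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample of /etc/sysctl.conf, not a real host's file
net.ipv4.ip_forward = 1
net.ipv4.icmp_echo_ignore_all = 1   ; stop answering echo requests
net.ipv4.icmp_echo_ignore_broadcasts = 0
EOF

echo "Auditing $SAMPLE:"
audit_icmp_hardening "$SAMPLE" || echo "ICMP hardening incomplete"
echo "Live kernel values (if readable):"
show_live_icmp_settings || true
```

Run against the constructed sample it reports a MISMATCH for the broadcast key and a MISSING line for the rate limit; point it at a real /etc/sysctl.conf to get the same report for a host. Note that `icmp_ratelimit` only applies to the ICMP types selected by `net.ipv4.icmp_ratemask`, and echo replies are not in the default mask, so rate-limiting ping replies needs that mask adjusted as well.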

Hey! Thanks for sharing your expertise! I appreciate it very much! As you can see I’m a “Student penguin”… So I’m here to learn more and more from you elite Penguins… :slight_smile:

VcDeveloper1 wrote:
> Hey! Thanks for sharing your expertise! I appreciate it very much! As
> you can see I’m a “Student penguin”… So I’m here to learn more
> and more from you elite Penguins… :slight_smile:

Nice if the answers help you.
Still, I think stopping answering to ping makes no sense.

Vahis


It will make sense when they send you a ping flood or a ping of death, though the latter is almost extinct.

Seasoned engineers know best! That’s why I like hanging around them!

I think some people misinterpret the term stealth mode, as if turning off ICMP echo responses would make them invisible on the Net. Sorry, but your IP address is all over the Internet, in web browser logs. Neither will it protect you from port scans or ssh crack attempts; malware just goes ahead and scans without checking ping results.

It’s useful to have on when you want to check if your connection is working from the outside, but people seldom have to do that, so it’s ok to turn it off too.

Just pointing out that either having it on or off isn’t such a big issue. There are more serious issues than this.

microchip8 wrote:
> Vahis;2076262 Wrote:
>> VcDeveloper1 wrote:
>>> Hey! Thanks for sharing your expertise! I appreciate it very much! As
>>> you can see I’m a “Student penguin”… So I’m here to learn more
>>> and more from you elite Penguins… :slight_smile:
>>
>> Nice if the answers help you.
>> Still, I think stopping answering to ping makes no sense.
>
> It will make sense when they send you a ping flood or a ping of death,
> though the latter is almost extinct.

Slowing it down will prevent floods.

But whatever, do it if you wish.

Vahis
