When I try to ping the broadcast address on my LAN, it shows ICMP replies from only 3 hosts, every time, even though there are many hosts connected to the LAN.
For the broadcast address, I did
$ ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:1b:38:09:0b:26
          inet addr:172.30.120.152  Bcast:172.30.127.255  Mask:255.255.248.0
          inet6 addr: fe80::21b:38ff:fe09:b26/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:831096 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13022 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:66620362 (66.6 MB)  TX bytes:3099025 (3.0 MB)
          Interrupt:21 Base address:0x2000
I used the Bcast addr 172.30.127.255 to ping everyone...
$ ping -b 172.30.127.255
WARNING: pinging broadcast address
PING 172.30.127.255 (172.30.127.255) 56(84) bytes of data.
64 bytes from 172.30.120.1: icmp_seq=1 ttl=255 time=0.809 ms
64 bytes from 172.30.120.62: icmp_seq=1 ttl=64 time=1.06 ms (DUP!)
64 bytes from 172.30.120.50: icmp_seq=1 ttl=255 time=3.97 ms (DUP!)
64 bytes from 172.30.120.1: icmp_seq=2 ttl=255 time=0.364 ms
64 bytes from 172.30.120.62: icmp_seq=2 ttl=64 time=0.412 ms (DUP!)
64 bytes from 172.30.120.50: icmp_seq=2 ttl=255 time=1.48 ms (DUP!)
64 bytes from 172.30.120.1: icmp_seq=3 ttl=255 time=0.452 ms
64 bytes from 172.30.120.62: icmp_seq=3 ttl=64 time=0.506 ms (DUP!)
64 bytes from 172.30.120.50: icmp_seq=3 ttl=255 time=1.64 ms (DUP!)
Why is it that only 3 hosts respond to my ping? Is this bcast address given by ifconfig not the one to be used?
I think this might be the reason why I am not able to carry out an amplification attack on a system on my LAN. I injected ICMP-echo packets with spoofed source address of my friend's host
and sent it to this broadcast address, and was disappointed to see that his bandwidth was not affected...
Kindly explain...
Some hosts simply don't respond to broadcast pings (for example, Windows is configured by default this way).
Because, for example, some implementations work by sending the broadcast to the preferred interface, not all of them. You need a relay to send to all interfaces. You may consider reading RFC 919.
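As an added example (not part of either answer above), the Python below checks the question's observations from the defender's side: it recomputes the directed broadcast address from the ifconfig line to confirm that 172.30.127.255 is indeed the right one for 172.30.120.152 with mask 255.255.248.0, counts the distinct responders in the ping output quoted in the question, and reads the Linux sysctl that makes a host drop echo requests addressed to a broadcast address. That sysctl defaults to 1 on Linux, which is the usual reason most hosts on a LAN stay silent. The sample lines are copied from the question; the sysctl path is the real one, and the function returns None where it does not exist.

```python
import ipaddress
import re
from pathlib import Path
from typing import List, Optional

# Line copied from the question's ifconfig output (sample input).
IFCONFIG_LINE = "inet addr:172.30.120.152  Bcast:172.30.127.255  Mask:255.255.248.0"

# Reply lines copied from the question's ping -b output (sample input).
PING_OUTPUT = """\
64 bytes from 172.30.120.1: icmp_seq=1 ttl=255 time=0.809 ms
64 bytes from 172.30.120.62: icmp_seq=1 ttl=64 time=1.06 ms (DUP!)
64 bytes from 172.30.120.50: icmp_seq=1 ttl=255 time=3.97 ms (DUP!)
64 bytes from 172.30.120.1: icmp_seq=2 ttl=255 time=0.364 ms
64 bytes from 172.30.120.62: icmp_seq=2 ttl=64 time=0.412 ms (DUP!)
64 bytes from 172.30.120.50: icmp_seq=2 ttl=255 time=1.48 ms (DUP!)
"""

# Real Linux sysctl: 1 (the default) means broadcast echo requests are dropped.
IGNORE_BCAST_SYSCTL = Path("/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts")


def parse_ifconfig_inet(line: str) -> dict:
    """Pull addr/bcast/mask out of a legacy ifconfig 'inet addr:' line."""
    m = re.search(r"inet addr:(\S+)\s+Bcast:(\S+)\s+Mask:(\S+)", line)
    if not m:
        raise ValueError("no 'inet addr ... Bcast ... Mask' triple in line")
    return {"addr": m.group(1), "bcast": m.group(2), "mask": m.group(3)}


def expected_broadcast(addr: str, mask: str) -> str:
    """Directed broadcast of the subnet: network address with all host bits set."""
    return str(ipaddress.IPv4Interface(f"{addr}/{mask}").network.broadcast_address)


def bcast_matches(line: str) -> bool:
    """True when the Bcast ifconfig prints is the one implied by addr and mask."""
    fields = parse_ifconfig_inet(line)
    return expected_broadcast(fields["addr"], fields["mask"]) == fields["bcast"]


def responders(ping_output: str) -> List[str]:
    """Distinct hosts that answered, in first-seen order. ping marks every
    answer beyond the first for one icmp_seq with (DUP!), which is what a
    broadcast ping with several responders looks like."""
    seen: List[str] = []
    for line in ping_output.splitlines():
        m = re.match(r"\d+ bytes from (\d+\.\d+\.\d+\.\d+):", line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def ignores_broadcast_echo() -> Optional[bool]:
    """True if this Linux host drops broadcast echo requests (kernel default),
    False if it answers them, None if the sysctl is not present (not Linux)."""
    try:
        return IGNORE_BCAST_SYSCTL.read_text().strip() == "1"
    except OSError:
        return None


if __name__ == "__main__":
    print("Bcast consistent with addr/mask:", bcast_matches(IFCONFIG_LINE))
    print("distinct responders:", responders(PING_OUTPUT))
    print("this host ignores broadcast echo:", ignores_broadcast_echo())
```

The address check answers the question's second doubt directly: 172.30.120.152/21 spans 172.30.120.0 to 172.30.127.255, so ifconfig's Bcast is correct and the small number of responders is down to the hosts, not the address. On a Linux host you administer, a value of 0 from ignores_broadcast_echo() is the setting to fix.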
I haven't been able to solve this problem for a few days, I've followed millions of tutorials online but I couldn't find anything about it.
I have an EC2 instance with the private IP 172.31.27.40.
I have only one VPC (the default one, with 3 subnets).
This is my SG:
On prem I have ip address (public): 1.2.3.4.
I created a customer-gateway (with on-prem public ip), a virtual-private-gateway (to which I attached the vpc) and the site-to-site connection.
My 2 tunnels are UP; in Static-Routes I added 192.168.0.0/24 (my on-prem subnet).
I am using the aws-updown.sh script in the ipsec configuration.
My ipsec config:
conn Tunnel1
    auto=start
    left=%defaultroute
    leftid=1.2.3.4
    right=(Outside IP address Tunn1)
    type=tunnel
    leftauth=psk
    rightauth=psk
    keyexchange=ikev1
    ike=aes128-sha1-modp1024
    ikelifetime=8h
    esp=aes128-sha1-modp1024
    lifetime=1h
    keyingtries=%forever
    leftsubnet=192.168.0.0/24
    rightsubnet=172.31.0.0/16
    dpddelay=10s
    dpdtimeout=30s
    dpdaction=restart
    ## Please note the following line assumes you only have two tunnels in your Strongswan configuration file. This "mark" value must be unique and may need to be changed based on other entries in your configuration file.
    mark=499
    ## Uncomment the following line to utilize the script from the "Automated Tunnel Healthcheck and Failover" section. Ensure that the integer after "-m" matches the "mark" value above, and <VPC CIDR> is replaced with the CIDR of your VPC
    ## (e.g. 192.168.1.0/24)
    leftupdown="/usr/local/sbin/ipsec-notify.sh -ln Tunnel1 -ll *******/30 -lr ******/30 -m 499 -r 172.31.0.0/16"
This is my route table:
From EC2:
[root#ip-***** ec2-user]# ping 192.168.0.58
PING 192.168.0.58 (192.168.0.58) 56(84) bytes of data.
64 bytes from 192.168.0.58: icmp_seq=1 ttl=64 time=7.82 ms
64 bytes from 192.168.0.58: icmp_seq=2 ttl=64 time=7.84 ms
64 bytes from 192.168.0.58: icmp_seq=3 ttl=64 time=7.76 ms
64 bytes from 192.168.0.58: icmp_seq=4 ttl=64 time=10.8 ms
From On prem:
root#****:/home/utente# ping 172.31.27.40
PING 172.31.27.40 (172.31.27.40) 56(84) bytes of data.
From 169.254.**** icmp_seq=1 Destination Host Unreachable
From 169.254.**** icmp_seq=2 Destination Host Unreachable
From 169.254.**** icmp_seq=3 Destination Host Unreachable
From 169.254.**** icmp_seq=4 Destination Host Unreachable
Can you help me?
I am using the Netperf tool to benchmark throughput and latency between two VMs which have the private IPs 10.0.1.3 and 10.0.1.13.
VM 10.0.1.13
eth0      Link encap:Ethernet  HWaddr 02:3d:b2:f5:33:95
          inet addr:10.0.1.13  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: fe80::3d:b2ff:fef5:3395/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1450  Metric:1
          RX packets:514888981 errors:0 dropped:0 overruns:0 frame:0
          TX packets:654103302 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1164689163796 (1.1 TB)  TX bytes:1060437004684 (1.0 TB)
VM 10.0.1.3
eth0      Link encap:Ethernet  HWaddr 02:91:51:fa:03:08
          inet addr:10.0.1.3  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: fe80::91:51ff:fefa:308/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1450  Metric:1
          RX packets:2111769 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1936716 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:44230395762 (44.2 GB)  TX bytes:663995366 (663.9 MB)
I make VM 10.0.1.3 the server, listening on port 12001, using the following command:
netserver -d -L 10.0.1.3 -p 12001 -4
After that, I run the Netperf test from VM 10.0.1.13 with the following command:
netperf -d -H 10.0.1.3 -p 12001 -t TCP_STREAM
The connection and the test run as expected, but I always get a throughput value of 0:
calculate_confidence: itr 1; time 10.000263; res 0.000000
lcpu -1.000000; rcpu -1.000000
lsdm -1.000000; rsdm -1.000000
Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    10^6bits/sec

 87380  16384  16384    10.00       0.00
Similarly, in the TCP_RR test I also received a 0 value in the Trans. Rate per sec.
calculate_confidence: itr 1; time 10.000262; res 0.000000
lcpu -1.000000; rcpu -1.000000
lsdm -1.000000; rsdm -1.000000
Local /Remote
Socket Size   Request  Resp.   Elapsed  Trans.
Send   Recv   Size     Size    Time     Rate
bytes  Bytes  bytes    bytes   secs.    per sec

16384  87380  1        1       10.00    0.00
16384  87380
I saw a similar topic related to this question, but I cannot find the answer in it: Netperf reporting zero throughput
So, does anyone have any idea about this result?
Thanks in advance for reading my question, I hope I can find something to debug.
A netperf test has two "connections." The first is the "control connection" over which information about the test setup and result is exchanged. For the benchmarking itself a "data connection" is used. The control connection will use the control port you've specified with the global "-p" option. The data connection will by default use a port number chosen by the networking stack where the netserver runs.
Both have to be open through firewalls for a test to be successful.
If only the control port is open, you will see the test banners get displayed because the control connection is established. Since the data connection cannot be established, that will report zero.
You can specify an explicit port number for the data connection with a test-specific "-P" option. So, if you opened a second port number, 12002, you would start the netserver as before, and then your netperf command would become:
netperf -d -H 10.0.1.3 -p 12001 -t TCP_STREAM -- -P ,12002
That comma is important. The test-specific -P option allows specifying both the local and remote port numbers for the data connection. The remote port number follows a comma.
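As an added example, not code from the answer or from the netperf project, the Python below models on loopback the two-connection design the answer describes: a control connection carries the requested data port and the result, the bulk bytes go over a separate data connection, and a firewall between the hosts is modelled as a set of data ports the client is allowed to reach. With only the control port open, the "test" completes and reports zero bytes, exactly the symptom in the question; requesting an explicit, opened data port (the role of "-- -P ,12002") makes the bytes flow. The protocol lines ("DATAPORT", "LISTENING", "RESULT") and the helper names are this example's own.

```python
import socket
import threading
from typing import Set

HOST = "127.0.0.1"
# Constructed payload standing in for the netperf data stream (64 KiB).
PAYLOAD = b"x" * 65536


def free_port() -> int:
    """Ask the stack for a currently unused TCP port (helper for this example)."""
    with socket.socket() as s:
        s.bind((HOST, 0))
        return s.getsockname()[1]


def netserver_like(ctrl_listener: socket.socket) -> None:
    """Server side. The control connection carries setup ('DATAPORT n', with
    n == 0 meaning 'let the stack choose', as netserver does by default) and
    the result; the bytes themselves travel on a second, data connection."""
    ctrl, _ = ctrl_listener.accept()
    with ctrl:
        reader = ctrl.makefile("rb")
        requested = int(reader.readline().split()[1])
        data_listener = socket.socket()
        data_listener.bind((HOST, requested))
        data_listener.listen(1)
        data_listener.settimeout(1.0)  # a filtered data port shows up as a timeout
        ctrl.sendall(f"LISTENING {data_listener.getsockname()[1]}\n".encode())
        received = 0
        try:
            data_conn, _ = data_listener.accept()
            with data_conn:
                while chunk := data_conn.recv(65536):
                    received += len(chunk)
        except socket.timeout:
            pass  # the data connection never arrived: report zero, like netperf
        finally:
            data_listener.close()
        ctrl.sendall(f"RESULT {received}\n".encode())


def netperf_like(ctrl_port: int, open_data_ports: Set[int], data_port: int = 0) -> int:
    """Client side. `open_data_ports` models the firewall between the two
    hosts: a data connection to any other port is simply never made (as if
    the SYN were dropped). Returns the byte count the server reports."""
    with socket.create_connection((HOST, ctrl_port)) as ctrl:
        reader = ctrl.makefile("rb")
        ctrl.sendall(f"DATAPORT {data_port}\n".encode())
        chosen = int(reader.readline().split()[1])
        if chosen in open_data_ports:
            with socket.create_connection((HOST, chosen)) as data:
                data.sendall(PAYLOAD)
        return int(reader.readline().split()[1])


def run_test(open_data_ports: Set[int], data_port: int = 0) -> int:
    """Run one server/client exchange on loopback and return reported bytes."""
    ctrl_listener = socket.socket()
    ctrl_listener.bind((HOST, 0))
    ctrl_listener.listen(1)
    ctrl_port = ctrl_listener.getsockname()[1]
    server = threading.Thread(target=netserver_like, args=(ctrl_listener,), daemon=True)
    server.start()
    try:
        return netperf_like(ctrl_port, open_data_ports, data_port)
    finally:
        server.join(timeout=5)
        ctrl_listener.close()


if __name__ == "__main__":
    port = free_port()
    # Control port reachable, stack-chosen data port filtered: the run "succeeds" with 0.
    print("only control port open:", run_test(set()))
    # Explicit data port that the firewall also permits: the bytes get through.
    print("explicit open data port:", run_test({port}, port))
```

The point to take from the first run is that a completed banner and a clean exit tell you nothing about the data path; when benchmarking across a firewall, pin the data port with the test-specific -P option and open that port as well as the control port.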
I was trying to ping some websites from my laptop, but every time I got a response from my wifi router.
But when I connect my cellphone to the same router, ping and other things work fine.
By pinging Google (from my laptop) I got the following output:
PING google.com.ib-wrb304n.setup.in (192.168.2.1) 56(84) bytes of data.
64 bytes from _gateway (192.168.2.1): icmp_seq=1 ttl=64 time=3.10 ms
64 bytes from _gateway (192.168.2.1): icmp_seq=2 ttl=64 time=8.29 ms
64 bytes from _gateway (192.168.2.1): icmp_seq=3 ttl=64 time=11.9 ms
64 bytes from _gateway (192.168.2.1): icmp_seq=4 ttl=64 time=8.54 ms
64 bytes from _gateway (192.168.2.1): icmp_seq=5 ttl=64 time=8.56 ms
64 bytes from _gateway (192.168.2.1): icmp_seq=6 ttl=64 time=7.82 ms
64 bytes from _gateway (192.168.2.1): icmp_seq=7 ttl=64 time=8.52 ms
64 bytes from _gateway (192.168.2.1): icmp_seq=8 ttl=64 time=8.42 ms
64 bytes from _gateway (192.168.2.1): icmp_seq=9 ttl=64 time=8.45 ms
Also, all apt requests are failing due to this.
But if I connect my laptop to my cellphone's wifi it works fine.
I've tried reinstalling my OS also, by downloading fresh ISO files.
But nothing seems to work.
It looks like it has no GW, so it ARPs for Google, the router replies with its MAC via proxy ARP, and then to the pings. Check your config, ARP cache and ISP.
Basically, if you clear the arp cache and then ping google, only the GW ARP entry should re-appear. (first close your browser and all other connections, of course) EXAMPLE:
Mac_3.2.57$sudo arp -d -a
10.0.0.14 (10.0.0.14) deleted
10.0.0.229 (10.0.0.229) deleted
10.0.0.255 (10.0.0.255) deleted
224.0.0.251 (224.0.0.251) deleted
239.255.255.250 (239.255.255.250) deleted
Mac_3.2.57$arp -a
Mac_3.2.57$ping google.com
PING google.com (172.217.165.142): 56 data bytes
64 bytes from 172.217.165.142: icmp_seq=0 ttl=57 time=20.942 ms
64 bytes from 172.217.165.142: icmp_seq=1 ttl=57 time=21.516 ms
64 bytes from 172.217.165.142: icmp_seq=2 ttl=57 time=20.725 ms
64 bytes from 172.217.165.142: icmp_seq=3 ttl=57 time=19.750 ms
^C
--- google.com ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 19.750/20.733/21.516/0.637 ms
Mac_3.2.57$arp -a
? (10.0.0.1) at 5c:76:95:eb:28:43 on en0 ifscope [ethernet]
Mac_3.2.57$
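As an added example (not code from the answer), the Python below turns the answer's ARP-cache test and the question's own ping header into checks a defender can run over captured output. The header in the question shows two things worth flagging automatically: the resolver appended a search domain, turning google.com into google.com.ib-wrb304n.setup.in, and that name resolved to the router's address 192.168.2.1, so the pings never left the LAN. The ARP check implements the answer's rule: after clearing the cache and pinging an off-link host, only the gateway entry should reappear. The sample lines are copied from the posts above; the last ARP line is a constructed one standing for the proxy-ARP symptom the answer describes.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Copied from the question and from the answer's macOS session (sample input).
LAPTOP_PING_HEADER = "PING google.com.ib-wrb304n.setup.in (192.168.2.1) 56(84) bytes of data."
MAC_PING_HEADER = "PING google.com (172.217.165.142): 56 data bytes"
MAC_ARP_AFTER_PING = "? (10.0.0.1) at 5c:76:95:eb:28:43 on en0 ifscope [ethernet]\n"
# Constructed: what the cache would show if a router proxy-ARPed for a remote host.
PROXY_ARP_SYMPTOM = "? (172.217.165.142) at 5c:76:95:eb:28:43 on en0 ifscope [ethernet]\n"

PING_HEADER_RE = re.compile(r"^PING (\S+) \((\d+\.\d+\.\d+\.\d+)\)")
ARP_LINE_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-f:]+|\(incomplete\))")


def parse_ping_header(line: str) -> Tuple[str, str]:
    """Return (resolved name, address) from the first line ping prints."""
    m = PING_HEADER_RE.match(line)
    if not m:
        raise ValueError("not a ping header line")
    return m.group(1), m.group(2)


def check_ping_target(requested: str, header: str, gateway: str) -> List[str]:
    """Findings about where a ping to a public name really went."""
    resolved_name, ip = parse_ping_header(header)
    findings: List[str] = []
    if resolved_name != requested and resolved_name.startswith(requested + "."):
        findings.append(f"resolver appended a search domain: {requested} -> {resolved_name}")
    addr = ipaddress.IPv4Address(ip)
    if addr == ipaddress.IPv4Address(gateway):
        findings.append(f"{requested} resolved to the gateway itself ({ip})")
    elif addr.is_private:
        findings.append(f"{requested} resolved to a private address ({ip})")
    return findings


def parse_arp_table(text: str) -> Dict[str, str]:
    """Map IP -> MAC from 'arp -a' output (BSD/macOS style lines)."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_LINE_RE.search(line)
        if m:
            table[m.group(1)] = m.group(2)
    return table


def unexpected_arp_entries(arp_text: str, gateway: str, local_net: str) -> List[Tuple[str, str, str]]:
    """After 'arp -d -a' and one ping to an off-link host, only the gateway
    should have been ARPed for. An entry for an address outside the local
    subnet means the host asked the LAN for a remote address and something
    (a proxy-ARPing router) answered; any other on-link entry means the name
    resolved to a local host instead of going via the gateway."""
    net = ipaddress.IPv4Network(local_net, strict=False)
    gw = ipaddress.IPv4Address(gateway)
    out: List[Tuple[str, str, str]] = []
    for ip, mac in parse_arp_table(arp_text).items():
        addr = ipaddress.IPv4Address(ip)
        if addr == gw:
            continue
        reason = "outside local subnet" if addr not in net else "on-link host other than gateway"
        out.append((ip, mac, reason))
    return out


if __name__ == "__main__":
    print(check_ping_target("google.com", LAPTOP_PING_HEADER, "192.168.2.1"))
    print(check_ping_target("google.com", MAC_PING_HEADER, "10.0.0.1"))
    print(unexpected_arp_entries(MAC_ARP_AFTER_PING, "10.0.0.1", "10.0.0.0/24"))
    print(unexpected_arp_entries(PROXY_ARP_SYMPTOM, "10.0.0.1", "10.0.0.0/24"))
```

Run against the laptop's output, the first check reports both the appended search domain and the resolution to the gateway, which is consistent with the question's observation that apt failed as well: nothing that resolves a name on that laptop reaches the Internet. The same MAC appearing for an off-subnet address in the ARP cache is the signature the answer points at.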
When I enter localhost:8000 in my Chrome browser, it redirects to localhost and gives me the ol' "This site can’t be reached - localhost refused to connect."
Going to localhost:8000/wp-admin and localhost:8000/services both work fine.
I am using Docker-Wordpress-Compose.
Here is my hosts file:
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
Here is what I get when I ping localhost
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.042 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.013 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.038 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.057 ms
64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.049 ms
And when I ping localhost:8000
ping: cannot resolve localhost:8000: Unknown host
First do a netstat -pluton to show your open ports. If you don't see your 8000 port, maybe it's because you didn't open it with run -d --link database:database -p 8000:8080 wordpress. Did you try with localhost:8000/wordpress? And check in your apache2.conf if you're allowed to connect.
Summary
I am currently working on a three interface software firewall using Shorewall 4.5.5.3 on Debian Wheezy, and I'm having some difficulty with the loc (eth2) and dmz (eth1) interfaces. The fw (eth0) interface seems to be working just fine, but I cannot ping PCs on loc or dmz zones. There is likely something wrong with my /etc/network/interfaces setup in the network.
The fw interface runs on dhcp through my ISP, and I configured the loc and dmz interfaces and PCs inside those zones with static IPs. The configuration that I'm trying to use is the three-interface and single IP configuration. The reference document is located on the Shorewall website, "Three-Interface Firewall". I don't know what to do about a gateway on the eth1 or eth2 interfaces, because the Shorewall docs don't explain that. I assume it would be the same gateway as eth0, but I don't know how to do that since eth0 is on dhcp.
Networking
/etc/network/interfaces for firmware node:
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp

# Secondary network interface for dmz
auto eth1
iface eth1 inet static
    address 10.10.1.1/24
    netmask 255.255.255.0

# Tertiary network interface for loc
auto eth2
iface eth2 inet static
    address 10.10.2.1/24
    netmask 255.255.255.0
/etc/network/interfaces for dmz
# dmz network interface
auto eth0
iface eth0 inet static
    address 10.10.1.2/24
    netmask 255.255.255.0
    gateway 10.10.1.1
Starting with just the dmz, is there something wrong with my network interfaces setup?
This is what happens when I restart my networking:
Listening on LPF/eth0/HEX:...:...
Sending on LPF/eth0/HEX:...:...
Sending on Socket/fallback
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 6
DHCPREQUEST on eth0 to 255.255.255.255 port 67
DHCPOFFER from XY.IP...
DHCPACK from XY.IP...
suspect value in ^1/7078C526/res-5000-2.0 option - discarded
suspect value in ^1/FBEA1017/res-5000-2.0 option - discarded
bound to NEW.IP... -- renewal in 33594 seconds.
done.
I don't understand the "suspect .... - discarded" lines. Does this indicate a problem, or are those potential IPs that are being rejected?
These are the results of ifconfig:
eth0      Link encap:Ethernet  HWaddr MAC
          inet addr:DHCP.IP  Bcast:DHCP.BC  Mask:DHCP.M
          inet6 addr: inet6.IP Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:268607 errors:0 dropped:0 overruns:0 frame:0
          TX packets:89830 errors:0 dropped:0 overruns:0 carrier:7
          collisions:0 txqueuelen:1000
          RX bytes:25066229 (23.9 MiB)  TX bytes:10734393 (10.2 MiB)
          Interrupt:17

eth1      Link encap:Ethernet  HWaddr c0:4a:00:03:00:04
          inet addr:10.10.1.1  Bcast:10.10.1.255  Mask:255.255.255.0
          inet6 addr: fe80::c24a:ff:fe03:4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:82 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:4664 (4.5 KiB)
          Interrupt:19 Base address:0xac00

eth2      Link encap:Ethernet  HWaddr c0:4a:00:07:6a:31
          inet addr:10.10.2.1  Bcast:10.10.2.255  Mask:255.255.255.0
          inet6 addr: fe80::c24a:ff:fe07:6a31/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:48 errors:0 dropped:0 overruns:0 frame:0
          TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2880 (2.8 KiB)  TX bytes:2578 (2.5 KiB)
          Interrupt:16 Base address:0xe800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:41 errors:0 dropped:0 overruns:0 frame:0
          TX packets:41 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4592 (4.4 KiB)  TX bytes:4592 (4.4 KiB)
Shorewall settings
interfaces
net eth0 tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0
dmz eth1 tcpflags,nosmurfs,routefilter,logmartians
loc eth2 tcpflags,nosmurfs,routefilter,logmartians
masq
eth0 10.10.1.0/24
eth0 10.10.2.0/24
params
ETH0_IP=$(find_first_interface_address eth0)
policy
loc net ACCEPT
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
routestopped
eth1 -
eth2 -
rules
SECTION NEW
# Don't allow connection pickup from the net
Invalid(DROP) net all
# Accept DNS connections from the firewall to the Internet
DNS(ACCEPT) $FW net
# Accept SSH connections from the local network to the firewall and DMZ
SSH(ACCEPT) loc $FW
SSH(ACCEPT) loc dmz
# DMZ DNS access to the Internet
DNS(ACCEPT) dmz net
# Drop Ping from the "bad" net zone.
Ping(DROP) net $FW
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
# (assumes that the loc-> net policy is ACCEPT).
Ping(ACCEPT) loc $FW
Ping(ACCEPT) dmz $FW
Ping(ACCEPT) loc dmz
Ping(ACCEPT) dmz loc
Ping(ACCEPT) dmz net
Ping(ACCEPT) loc net
ACCEPT $FW net icmp
ACCEPT $FW loc icmp
ACCEPT $FW dmz icmp
# Allow connection to web server from loc to dmz
DNAT loc dmz:10.10.1.2 tcp - 80,443 $ETH0_IP
# Allow DNS connection to internal server from net
DNS(ACCEPT) loc dmz:10.10.1.3
DNS(ACCEPT) $FW dmz:10.10.1.3
DNS(ACCEPT) loc dmz:10.10.1.4
DNS(ACCEPT) $FW dmz:10.10.1.4
# Allow SMTPS traffic to internal server from net
SMTPS(ACCEPT) dmz:10.10.1.2 $FW
POP3S(ACCEPT) $FW dmz:10.10.1.2
# Allow SSH and SFTP on web server
SSH(ACCEPT) $FW dmz:10.10.1.2
SSH(ACCEPT) net $FW
shorewall.conf
# Only change in this file:
IP_FORWARDING=On
zones
fw firewall
net ipv4
loc ipv4
dmz ipv4
shorewall check
Checking...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Checking /usr/share/shorewall/action.Drop for chain Drop...
Checking /usr/share/shorewall/action.Broadcast for chain Broadcast...
Checking /usr/share/shorewall/action.Invalid for chain Invalid...
Checking /usr/share/shorewall/action.NotSyn for chain NotSyn...
Checking /usr/share/shorewall/action.Reject for chain Reject...
Checking /etc/shorewall/policy...
Adding Anti-smurf Rules
Adding rules for DHCP
Checking TCP Flags filtering...
Checking Kernel Route Filtering...
Checking Martian Logging...
Checking Accept Source Routing...
Checking /etc/shorewall/masq...
Checking MAC Filtration -- Phase 1...
Checking /etc/shorewall/rules...
Checking /usr/share/shorewall/action.Invalid for chain %Invalid...
Checking MAC Filtration -- Phase 2...
Applying Policies...
Checking /etc/shorewall/routestopped...
Shorewall configuration verified
shorewall start
Compiling...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Compiling /usr/share/shorewall/action.Drop for chain Drop...
Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
Compiling /usr/share/shorewall/action.Invalid for chain Invalid...
Compiling /usr/share/shorewall/action.NotSyn for chain NotSyn...
Compiling /usr/share/shorewall/action.Reject for chain Reject...
Compiling /etc/shorewall/policy...
Adding Anti-smurf Rules
Adding rules for DHCP
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling Accept Source Routing...
Compiling /etc/shorewall/masq...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/rules...
Compiling /usr/share/shorewall/action.Invalid for chain %Invalid...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Generating Rule Matrix...
Creating iptables-restore input...
Compiling /etc/shorewall/routestopped...
Shorewall configuration compiled to /var/lib/shorewall/.start
Starting Shorewall....
Initializing...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
Setting up Traffic Control...
Preparing iptables-restore input...
Running /sbin/iptables-restore...
IPv4 Forwarding Enabled
done.
Ping
in fw terminal: ping 10.10.1.2
PING 10.10.1.2 (10.10.1.2) 56(84) bytes of data.
From 10.10.1.1 icmp_seq=1 Destination Host Unreachable
From 10.10.1.1 icmp_seq=2 Destination Host Unreachable
From 10.10.1.1 icmp_seq=3 Destination Host Unreachable
in dmz terminal: ping 10.10.1.1
connect: network not reachable
I don't know what is missing/wrong. Any help would be appreciated.
Solution
I found an answer to my problem, and it was the network configuration on the dmz. The dmz is on a Dell Power Edge 1950, where I'm running the hardware node on 10.10.1.2/24, and a venet0, virtual node for OpenVZ. I was not concerned about connecting to the OpenVZ nodes just yet, but could not even connect to the hardware node. After modifying the networking information and removing the CIDR addition of /24, everything fell into place. I run CentOS 6.5 on the hardware node, and I guess it doesn't like CIDR addressing.
I am now pinging the dmz from fw, so the gateway is open, happy days:
> ping 10.10.2.1
PING 10.10.2.1 (10.10.2.1) 56(84) bytes of data.
64 bytes from 10.10.2.1: icmp_req=1 ttl=64 time=0.056 ms
64 bytes from 10.10.2.1: icmp_req=2 ttl=64 time=0.027 ms
64 bytes from 10.10.2.1: icmp_req=3 ttl=64 time=0.026 ms
64 bytes from 10.10.2.1: icmp_req=4 ttl=64 time=0.025 ms
Summary
The configuration is solid, so I hope it helps someone else setting up a Shorewall interface.
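As an added example (not the poster's code, and not part of Shorewall), the Python below is a small linter for /etc/network/interfaces stanzas of the kind shown in this post. The poster's fix was dropping the /24 suffix on the CentOS host; the Debian files above carry both a prefix on the address line and a separate netmask line, which modern ifupdown accepts but which is redundant and easy to make inconsistent. The linter flags that duplication (and a prefix that contradicts the netmask), and checks that any gateway lies inside the interface's subnet and is not the interface's own address, the question the poster was unsure about for eth1 and eth2. The two sample files are copied from the post; the function and finding-message names are this example's own.

```python
import ipaddress
from typing import Dict, List

# Copied from the post (sample input): the firewall node's interfaces file.
FIREWALL_NODE = """\
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet static
    address 10.10.1.1/24
    netmask 255.255.255.0
auto eth2
iface eth2 inet static
    address 10.10.2.1/24
    netmask 255.255.255.0
"""

# Copied from the post (sample input): the dmz host's interfaces file.
DMZ_NODE = """\
auto eth0
iface eth0 inet static
    address 10.10.1.2/24
    netmask 255.255.255.0
    gateway 10.10.1.1
"""


def parse_interfaces(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal ifupdown parser: one option -> value dict per 'iface' stanza."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "iface":
            current = {"family": words[2], "method": words[3]}
            stanzas[words[1]] = current
        elif words[0] in ("auto", "allow-hotplug", "source", "source-directory"):
            continue
        elif current is not None:
            current[words[0]] = " ".join(words[1:])
    return stanzas


def lint_stanza(name: str, st: Dict[str, str]) -> List[str]:
    """Findings for one stanza; only 'inet static' stanzas are checked."""
    findings: List[str] = []
    if st.get("family") != "inet" or st.get("method") != "static":
        return findings
    address = st.get("address")
    if not address:
        return [f"{name}: static stanza has no address"]
    netmask = st.get("netmask")
    if "/" in address:
        iface = ipaddress.IPv4Interface(address)
        if netmask:
            if ipaddress.IPv4Address(netmask) == iface.network.netmask:
                findings.append(f"{name}: prefix in 'address {address}' and 'netmask {netmask}' both given; keep one")
            else:
                findings.append(f"{name}: 'address {address}' prefix conflicts with 'netmask {netmask}'")
    elif netmask:
        iface = ipaddress.IPv4Interface(f"{address}/{netmask}")
    else:
        return [f"{name}: no prefix length or netmask for {address}"]
    gateway = st.get("gateway")
    if gateway:
        gw = ipaddress.IPv4Address(gateway)
        if gw not in iface.network:
            findings.append(f"{name}: gateway {gateway} is not inside {iface.network}")
        elif gw == iface.ip:
            findings.append(f"{name}: gateway {gateway} is the interface's own address")
    return findings


def lint_interfaces(text: str) -> List[str]:
    """Lint every stanza in an interfaces file and return all findings."""
    out: List[str] = []
    for name, st in parse_interfaces(text).items():
        out.extend(lint_stanza(name, st))
    return out


if __name__ == "__main__":
    for label, text in (("firewall node", FIREWALL_NODE), ("dmz node", DMZ_NODE)):
        print(label)
        for finding in lint_interfaces(text) or ["no findings"]:
            print("  ", finding)
```

On the firewall itself no gateway belongs on eth1 or eth2: those are the subnets it routes for, and its default route comes from DHCP on eth0; the hosts behind it point their gateway at the firewall's address on their own subnet, as the dmz stanza does with 10.10.1.1.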