We got hit by the Blaster virus and, in an attempt to cut down on network traffic, the network guys turned off ICMP. All of my HP-UX 11.11 systems totally choked. I could not get to them from any other VLAN other than the one they were on. Also NFS mounts hung even if on the same VLAN. We have Alpha servers (Tru64 5.something) and they ran just fine.

My question is: is ICMP required for HP-UX networking? And if not, what would I need to configure in its absence, just in case this happens again?
TIA
and points to all
Yes, it is in its default config.
It uses pings (ICMP based of course) to detect dead gateways & since ICMP is disabled, the systems think they have no gateways - hence no traffic beyond their subnets. Choke...choke..hack..hack...uuuggghhh.
The dead-gateway detection is configured in /etc/rc.config.d/nddconf, I believe. Turn it off & it should keep on aroutin.
Turning off all ICMP is just using a hammer to solve a problem that requires a bit more finesse.
TCP/IP expects certain ICMP messages to be available. In particular, ICMP echo (Ping), source-quench, dest. unreachable and ttl-exceeded should always be enabled for proper network operation. For your internal net you may want to enable others such as traceroute and/or router adv..
Did the network guys warn you, or just turn off ICMP?
Lots of things can be broken by a shoot-from-the-hip approach to virus control. Better preparation and virus protection would have negated the need for such measures.
I recommend a few other wellness checks just to make sure all is well.
If your server has a DNS server, make sure that remote clients can still resolve DNS requests in this environment.
I imagine traceroute is dead too, but you should check it.
If your server has an httpd server, you will need to try and connect to it from outside your subnet and make sure it can tolerate the environment. I kept trying to turn off icmp on my firewalls for my web hosting business, and ultimately gave up, because DNS and httpd (it was probably dns) would not function under those conditions. I'm still working on a way to make it happen. You should not need to ping the server to do dns and httpd pages.
As Jeff noted, most everything else should be okay once ndd is reconfigured to work without icmp.
The following thread MAY provide you a procedure to implement Jeff's change.
1. netstat -rn (pick up your gateway from the default column)
2. route delete default <ip of the default gateway>
3. netstat -rn (you should not see the gateway now)
4. ndd -set /dev/ip ip_ire_gw_probe 0
(this will make sure that your host will not ping the router (which it will do otherwise every 5 minutes))
now set the default gateway back as hop 1
5. route add default <ip of the default gateway> 1
(note the 1)
6. netstat -rn (you should be able to see the gateway again)
Now you should be able to reach the network.
To make these changes permanent edit the /etc/rc.config.d/nddconf file and replace the last three lines with the above parameters.
I didn't find out there was a problem until an end user tried to access one of the systems. Fortunately the virus is gone and ICMP is back on. Also, the systems were for development and training. However, we are getting ready to move our production server from Tru64 to HP-UX and, as you all know, production servers can never be down. Had we already made the switch I'd have been scrambling. Now I at least know how to handle the situation and could reconfigure before the network changes take place.
I have further reason to suspect Bastille in this case.
I just checked my educational D320 at home.
It has that feature set on.
Every relevant patch on my 11.11 systems at work is on that system. I've not been able to run Bastille in a satisfactory way and backed out the changes.
Again, just more info, no points necessary. I should have thought of this before my last post. Doh!
Also look at the ip_pmtu_strategy settings--we've seen route flapping with ip_pmtu_strategy=1 when ICMP gets turned off, resulting in packets getting sent incorrectly to the default route, which often has ingress filters and regards the packets as spoofed when it tries to loop them back out, and drops them. If the server is "Internet facing", ip_pmtu_strategy=2 is ok, if not, you probably don't need pmtu and can set it to 0.
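The six-step route/ndd procedure posted above and the ip_pmtu_strategy note in this reply both boil down to the same two ndd tunables. The script below is an added example written for this thread, not something posted by anyone in it or shipped with HP-UX: it pulls the default gateway out of `netstat -rn` output, prints the command sequence from the procedure (so an admin can review it before running it as root), and emits the matching `/etc/rc.config.d/nddconf` entries so the settings survive a reboot. The routing table it parses is constructed sample output in HP-UX 11.11 layout; the nddconf index values assume the file has no existing entries, and the ip_pmtu_strategy value is a parameter because, as this reply says, the right choice depends on whether the host is Internet facing.

```shell
#!/bin/sh
# Added example (not from the thread, not HP-UX's own tooling): plan the
# dead-gateway-detection change from `netstat -rn` output and generate the
# nddconf lines that make it permanent. Runs offline on constructed data.

# Constructed sample of HP-UX 11.11 `netstat -rn` output (not a real host).
SAMPLE_NETSTAT='Routing tables
Destination           Gateway            Flags Refs Interface  Pmtu
127.0.0.1             127.0.0.1          UH    0    lo0        4136
10.1.2.3              10.1.2.3           UH    0    lan0       4136
10.1.2.0              10.1.2.3           U     2    lan0       1500
127.0.0.0             127.0.0.1          U     0    lo0        0
default               10.1.2.1           UG    0    lan0       0'

# default_gateway: read `netstat -rn` text on stdin and print the gateway of
# the "default" route (step 1 of the procedure). Prints nothing and returns 1
# when there is no default route, so callers can stop before deleting anything.
default_gateway() {
    gw=$(awk '$1 == "default" { print $2; exit }')
    [ -n "$gw" ] || return 1
    printf '%s\n' "$gw"
}

# gw_probe_plan GATEWAY PMTU_STRATEGY: print, one per line, the commands an
# admin would run as root: delete the default route, turn off gateway probing
# (ip_ire_gw_probe 0), set ip_pmtu_strategy, then re-add the default route
# with hop count 1. Only 0, 1 and 2 are valid ip_pmtu_strategy values.
gw_probe_plan() {
    gw=$1
    pmtu=$2
    case "$pmtu" in
        0|1|2) ;;
        *) echo "invalid ip_pmtu_strategy: $pmtu" >&2; return 1 ;;
    esac
    printf 'route delete default %s\n' "$gw"
    printf 'ndd -set /dev/ip ip_ire_gw_probe 0\n'
    printf 'ndd -set /dev/ip ip_pmtu_strategy %s\n' "$pmtu"
    printf 'route add default %s 1\n' "$gw"
}

# nddconf_entries PMTU_STRATEGY: emit /etc/rc.config.d/nddconf entries in the
# TRANSPORT_NAME[n]/NDD_NAME[n]/NDD_VALUE[n] form. Indexes start at 0, which
# assumes the file has no other entries; renumber if it does.
nddconf_entries() {
    pmtu=$1
    i=0
    for pair in "ip_ire_gw_probe 0" "ip_pmtu_strategy $pmtu"; do
        set -- $pair
        printf 'TRANSPORT_NAME[%d]=ip\nNDD_NAME[%d]=%s\nNDD_VALUE[%d]=%s\n' \
            "$i" "$i" "$1" "$i" "$2"
        i=$((i + 1))
    done
}

# Demonstration on the constructed routing table (internal host, so pmtu 0).
gw=$(printf '%s\n' "$SAMPLE_NETSTAT" | default_gateway) || {
    echo "no default route found; nothing to do" >&2
    exit 1
}
echo "# commands to run as root on the HP-UX host (gateway $gw):"
gw_probe_plan "$gw" 0
echo "# entries for /etc/rc.config.d/nddconf:"
nddconf_entries 0
```

On a real host you would feed `netstat -rn | default_gateway` instead of the sample, check the printed plan against `netstat -rn` before and after as the procedure does, and pick ip_pmtu_strategy 2 rather than 0 for an Internet-facing server.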