shb-firewall should take into account that the following kernel options are activated in shb-kernel: /proc/sys/net/ipv4/icmp_echo_ignore_all and /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts. Therefore the paragraph about blocking all ICMP packets in shb-firewall should take this into account, since it tells the user to utilize the ping command. This issue was reported by a user named eques to the German docs-team.
The only mention of the "ping" command in this chapter is a test of the above proc changes. Could you (or the user reporting the problem) elaborate more on it? Otherwise I'll just have to mark it as INVALID.
Correct, in this chapter there is no other mention of ping, but in a previous chapter of the security handbook 'shb-kernel.xml' the user is given the option of disabling ping via icmp_echo_ignore_all and is told about various possible outcomes. The user that first voted for an additional notice is referring to this and tries to convey the notion that ping wouldn't have worked even before disabling ICMP packets via iptables at this point if a user had followed the previous instructions. I'll try to contact the user originally reporting the issue to confirm or deny whether I got the point here or not.
Jan Hendrik, what you write is correct. I think that it is a small problem, but I spent a lot of time to find this ignore bit in the /proc filesystem. A newbie follows the description in the book. Later it is not possible for him/her to find out the reason.

(In reply to comment #2)
> Correct, in this chapter there is no other mention of ping, but in a
> previous chapter of the security handbook 'shb-kernel.xml' the user is given
> the option of disabling ping via icmp_echo_ignore_all and is told about various
> possible outcomes. The user that first voted for an additional notice is
> referring to this and tries to convey the notion that ping wouldn't have worked
> even before disabling ICMP packets via iptables at this point if a user had
> followed the previous instructions.
> I'll try to contact the user originally reporting the issue to confirm or deny
> whether I got the point here or not.
It's rather obvious that if you turn off ICMP in your sysctl/proc, ICMP packets won't be flowing all over the place. Please note also that people are discouraged from using this setting in the shb-kernel chapter. On the other hand, in shb-firewall, ping/icmp is used only as an example of how to block based on a protocol, not as a suggested configuration option. So, you shouldn't set any of them up at all.
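The ambiguity the thread describes, as an added example that is not from the handbook or the bug report: before a failed `ping` is read as proof that an iptables ICMP rule works, check the two /proc files named above. The PROC_ROOT argument and the helper names are assumptions so the check can also run against a constructed /proc tree.

```shell
#!/bin/sh
# Added example, not Gentoo handbook code. Decides whether a failed unicast
# ping against this host says anything about the firewall, or whether the
# kernel sysctl from shb-kernel already explains it.

# read_sysctl PROC_ROOT NAME -> value of PROC_ROOT/proc/sys/net/ipv4/NAME,
# or 0 when the file does not exist (assumed: missing file means "not set").
read_sysctl() {
    f="$1/proc/sys/net/ipv4/$2"
    if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

# icmp_echo_state PROC_ROOT -> prints one of:
#   kernel-ignores-all        every echo request is dropped by the kernel,
#                             so a failed unicast ping proves nothing about
#                             the iptables rule
#   kernel-ignores-broadcasts only pings to broadcast addresses are ignored;
#                             a unicast ping test is still meaningful
#   kernel-answers            the kernel replies; a failed ping points at the
#                             firewall rule (or the network)
# Pass "" (or nothing) as PROC_ROOT to inspect the live host.
icmp_echo_state() {
    root=${1:-}
    all=$(read_sysctl "$root" icmp_echo_ignore_all)
    bcast=$(read_sysctl "$root" icmp_echo_ignore_broadcasts)
    if [ "$all" = "1" ]; then
        echo kernel-ignores-all
    elif [ "$bcast" = "1" ]; then
        echo kernel-ignores-broadcasts
    else
        echo kernel-answers
    fi
}

# ping_test_is_meaningful PROC_ROOT -> exit 0 when a unicast ping would tell
# you something about the firewall, 1 when the sysctl already explains the
# failure (the situation the bug report describes).
ping_test_is_meaningful() {
    [ "$(icmp_echo_state "$1")" != "kernel-ignores-all" ]
}

# make_fake_proc DIR ALL BCAST -> constructed /proc tree for offline checks
make_fake_proc() {
    d="$1/proc/sys/net/ipv4"
    mkdir -p "$d"
    printf '%s\n' "$2" > "$d/icmp_echo_ignore_all"
    printf '%s\n' "$3" > "$d/icmp_echo_ignore_broadcasts"
}
```

On a live box, run `icmp_echo_state` with no argument before the ping test from shb-firewall; a result of `kernel-ignores-all` means the earlier shb-kernel setting, not the new iptables rule, is what makes ping fail.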