I am trying to disable ICMP services. For this the following configuration lines have been added into the /etc/sysctl.conf file
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_timestamps = 0After these changes the command sudo sysctl -p is executed. After this I execute the command cat cat /proc/sys/net/ipv4/icmp_echo_ignore_all and the output that I get is 1. Post this no ping requests are responded back. For example the following commands ping localhost results in the output
PING localhost (127.0.0.1) 56(84) bytes of data.
--- localhost ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3071msHowever the problem starts when I reboot or shutdown -- restart. After the desktop boots up the value of the parameter icmp_echo_ignore_all changes to 0(numerical zero). The output of the command cat /proc/sys/net/ipv4/icmp_echo_ignore_all is 0 (numerical zero). I can ping the desktop from across my network and also ping using localhost.
So how do I resolve this issue? How do I get to stop the ICMP services? Is there something extra that I have to do to get the configuration specified in /etc/sysctl.conf in getting picked up?
My OS is xbuntu 16.04.6 LTS running on kernel 4.15.0-65-generic
1 Answer
I experienced the same problem when using UFW and eventually by chance found that net.ipv4.icmp_echo_ignore_all is explicitly set to zero in /etc/ufw/sysctl.conf, apparently overriding the setting in /etc/sysctl.conf.
Updating the offending line in /etc/ufw/sysctl.conf resolved the problem.
