WWW, telnet, everything works. Except ping.
Linux Networking forums, part of the Linux Forums category
I know other newbies must be having this problem, but I can't find their posts: Though my internet connection works flawlessly, I can't get ping to ping anything but my own machine. I am trying to set up a LAN, and this keeps throwing me off.

I'm on SuSE 8.2. I have a working dialup connection to the internet using wvdial. WWW, telnet, traceroute, and I'm sure lots of other things all work fine. But ping keeps returning the standard "Dest Unreachable, Bad Code: 9." I can successfully ping myself by pinging localhost, my internet IP, and my ethernet IP, and ping even successfully uses my ISP's nameserver to resolve outside IP's. But I can't ping the internet, or LAN IP's.

When I do "tcpdump -i eth0" and ping 216.239.57.99 (google.com), it looks like this:

17:44:03.918110 64.24.114.62 > 216.239.57.99: icmp: echo request (DF)
17:44:04.052773 64.24.112.2 > 64.24.114.62: icmp: net 216.239.57.99 unreachable - admin prohibited

What does "admin prohibited" mean? The response is the same for every internet ping I've tried. My route -n looks like this:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
64.24.112.2     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         64.24.112.2     0.0.0.0         UG    0      0        0 ppp0

Hopefully someone with more than my week's experience with this operating system will know the answer immediately.
Patrick wrote:
> I know other newbies must be having this problem, but I can't find
> their posts: Though my internet connection works flawlessly, I can't
> get ping to ping anything but my own machine. I am trying to set up a
> LAN, and this keeps throwing me off.
>
> I'm on SuSE 8.2. I have a working dialup connection to the internet
> using wvdial. WWW, telnet, traceroute, and I'm sure lots of other
> things all work fine. But ping keeps returning the standard "Dest
> Unreachable, Bad Code: 9." I can successfully ping myself by pinging
> localhost, my internet IP, and my ethernet IP, and ping even
> successfully uses my ISP's nameserver to resolve outside IP's. But I
> can't ping the internet, or LAN IP's.
>
> When I do "tcpdump -i eth0" and ping 216.239.57.99 (google.com), it
> looks like this:
>
> 17:44:03.918110 64.24.114.62 > 216.239.57.99: icmp: echo request (DF)
> 17:44:04.052773 64.24.112.2 > 64.24.114.62: icmp: net 216.239.57.99 unreachable - admin prohibited
>
> What does "admin prohibited" mean? The response is the same for every
> internet ping i've tried. My route -n looks like this:
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 64.24.112.2     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
> 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 0.0.0.0         64.24.112.2     0.0.0.0         UG    0      0        0 ppp0
>
> Hopefully someone with more than my week's experience with this
> operating system will know the answer immediately.

Your network admin doesn't want you to use ping (ping -f can be pretty deadly to a windoze box). If you are the network admin, check firewall rules etc.

Fred
On 15 Jan 2004 14:52:52 -0800, Patrick <patrickfwd@yahoo.com> wrote:
> I know other newbies must be having this problem, but I can't find
> their posts: Though my internet connection works flawlessly, I can't
> get ping to ping anything but my own machine. I am trying to set up a
> LAN, and this keeps throwing me off.
>
> I'm on SuSE 8.2. I have a working dialup connection to the internet
> using wvdial. WWW, telnet, traceroute, and I'm sure lots of other
> things all work fine. But ping keeps returning the standard "Dest
> Unreachable, Bad Code: 9." I can successfully ping myself by pinging
> localhost, my internet IP, and my ethernet IP, and ping even
> successfully uses my ISP's nameserver to resolve outside IP's. But I
> can't ping the internet, or LAN IP's.
>
> When I do "tcpdump -i eth0" and ping 216.239.57.99 (google.com), it
> looks like this:
>
> 17:44:03.918110 64.24.114.62 > 216.239.57.99: icmp: echo request (DF)
> 17:44:04.052773 64.24.112.2 > 64.24.114.62: icmp: net 216.239.57.99 unreachable - admin prohibited
>
> What does "admin prohibited" mean? The response is the same for every
> internet ping i've tried.

I have never seen that response and I am using SuSE 8.2 as my pppoe firewall/masq. If it was just to internet I would say maybe your ISP was blocking ping, but since you cannot ping your LAN either, it may be something in /etc/sysconfig/SuSEfirewall2 (unless you configured your own iptables rules). But that would be strange too because iptables normally drops traffic it blocks, rather than respond with an error.

Are you using FW_QUICKMODE? Do you have any trouble with web access or anything else from LAN?

I am not using quickmode, but even though I have following set to drop pings initiated from internet, I can still ping internet hosts from LAN, or either way from firewall:

FW_ALLOW_PING_FW="no"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"

--
David Efflandt - All spam ignored  http://www.de-srv.com/
http://www.autox.chicago.il.us/  http://www.berniesfloral.net/
http://cgi-help.virtualave.net/  http://hammer.prohosting.com/~cgi-wiz/
Yes I am the closest thing to a "network admin," although that seems a glorified title for the owner of three home pc's which as of yet aren't even a network. I'm running ping as root, and not flood ping. It seems strange that any distro would by default disallow the root user from using ping altogether.

But if you think firewall rules are the problem, I'll definitely look into that. How can I investigate? Is there a HOWTO that is specifically related, and not just a general firewall HOWTO?

Thanks,
Patrick

Fred Emmott wrote:
> Your network admin doesnt want you to use ping (ping -f can be pretty
> deadly to a windoze box). if you are the network admin, check firewall
> rules etc
>
> Fred
David Efflandt wrote:
> I have never seen that response and I am using SuSE 8.2 as my pppoe
> firewall/masq. If it was just to internet I would say maybe your ISP was
> blocking ping,

Ping works from my windows computers. I don't think it's an ISP issue, and by the way here's an interesting tidbit: Pinging my IP addy from my ISP shell account gets no response, timeouts. Of course that could be from SuSE default firewalls or something, I have no idea.

> but since you cannot ping your LAN either,

Actually the inability to ping over the LAN isn't necessarily the result of the same problem - the LAN setup is not done. I'm hoping maybe the solution to this ping problem will be the solution to my LAN problems as well.

> it may be
> something in /etc/sysconfig/SuSEfirewall2 (unless you configured your own
> iptables rules). But that would be strange too because iptables normally
> drops traffic it blocks, rather than respond with an error.

I haven't touched iptables yet.

> Are you using FW_QUICKMODE? Do you have any trouble with web access or
> anything else from LAN?

FW_QUICKMODE is "no." I haven't touched SuSEfirewall2. I haven't been able to set up the LAN yet, partially because I can't test it with ping. I installed linux for the first time at the beginning of this week, so I'm really still learning the basics.

> I am not using quickmode, but even though I have following set to drop
> pings initiated from internet, I can still ping internet hosts from LAN,
> or either way from firewall:
>
> FW_ALLOW_PING_FW="no"
> FW_ALLOW_PING_DMZ="no"
> FW_ALLOW_PING_EXT="no"

Here's what I have, I include the full uncommented SuSEfirewall2 at the end of my message:

FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"

Though I'm not sure I understand the difference between EXT and FW (isn't the whole point that everything from outside (EXT) goes through the firewall (FW)?), I don't think any of these options would cause my problem (?) Since they are allowing or disallowing pings from the outside, not the inside. Sidenote--If I want to be able to ping my linux box from the LAN, should I set them all to "yes"?

Also, a general question about these configuration files: After editing them, how do I apply the changes? I assume I don't need to reboot since Linux is all about uptime and such, but I often update config's and don't know how to apply the changes without rebooting (eg. when changing my eth0 IP address).

I will say, there is quite a steep learning curve on this operating system. If I weren't still on Christmas break from college I'd never have time to bother with all this stuff.

SuSEfirewall2 with most comments taken out:

FW_QUICKMODE="no"
FW_DEV_EXT=""
FW_DEV_INT=""
FW_DEV_DMZ=""
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS=""
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP="" # Common: domain
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
# END of /etc/sysconfig/SuSEfirewall2
# EXPERT OPTIONS - all others please don't change these!
#
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV=""
Patrick <patrickfwd@yahoo.com> wrote:
> I'm on SuSE 8.2. I have a working dialup connection to the internet
> using wvdial. WWW, telnet, traceroute, and I'm sure lots of other
> things all work fine. But ping keeps returning the standard "Dest
> Unreachable, Bad Code: 9."

I helped someone with this problem just a few days ago.

"Bad Code: 9" is a deprecated code meaning "Communication with Destination Network Administratively Prohibited" (or words to that effect).

Basically, the Network Admin at the ISP has prohibited the use of ping, full stop.

If you really want something ping-like, try using something that can send a UDP "ping". It's not ping at all, you just get an ICMP message back saying "Destination Port Unreachable" (_if_ it's unreachable, and the peer isn't just dropping such packets).

Welcome to the antisocial aspects of firewall management.

--
Cameron Kerr
cameron.kerr@paradise.net.nz : http://nzgeeks.org/cameron/
Empowered by Perl!
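Added example (not part of any post in this thread): a short Python check that applies the answer above to the capture and routing table from the first post. It compares the sender of the "admin prohibited" error with the host's own address and its default gateway, which separates a local firewall reject from one issued upstream. The function names are made up for illustration, and the "host" and "filter" message variants are assumed from tcpdump's wording for codes 10 and 13.

```python
import re

# ICMP type 3 codes 9 and 10 (RFC 1122) and 13 (RFC 1812) mean a filter
# rejected the packet. The pattern follows the old tcpdump text quoted in the
# thread; the "host" and "filter" variants are assumed, not taken from the page.
ERR = re.compile(r"(\S+) > (\S+): icmp: (net|host) (\S+) unreachable"
                 r" - admin prohibited( filter)?")
REQ = re.compile(r"(\S+) > (\S+): icmp: echo request")

def default_gateway(route_n):
    """Return the gateway of the 0.0.0.0 route carrying the G flag."""
    for line in route_n.splitlines():
        f = line.split()
        if len(f) >= 8 and f[0] == "0.0.0.0" and "G" in f[3]:
            return f[1]
    return None

def locate_filter(capture, route_n):
    """Report which hop sent each 'admin prohibited' error in the capture."""
    gw = default_gateway(route_n)
    # Our own addresses: whatever sourced the echo requests.
    own = {m.group(1) for m in map(REQ.search, capture.splitlines()) if m}
    findings = []
    for m in filter(None, map(ERR.search, capture.splitlines())):
        sender, _, scope, target, filt = m.groups()
        code = 13 if filt else (9 if scope == "net" else 10)
        where = ("local host" if sender in own else
                 "default gateway" if sender == gw else "beyond the gateway")
        findings.append({"sender": sender, "target": target,
                         "code": code, "where": where})
    return findings

# Sample input: the capture lines and routing table from the first post.
CAPTURE = """\
17:44:03.918110 64.24.114.62 > 216.239.57.99: icmp: echo request (DF)
17:44:04.052773 64.24.112.2 > 64.24.114.62: icmp: net 216.239.57.99 unreachable - admin prohibited
"""
ROUTES = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
64.24.112.2     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         64.24.112.2     0.0.0.0         UG    0      0        0 ppp0
"""

if __name__ == "__main__":
    print(locate_filter(CAPTURE, ROUTES))
```

For the thread's capture this reports code 9 sent by 64.24.112.2, the default gateway on ppp0, so the reject comes from the ISP side of the dialup link rather than from SuSEfirewall2 on the local machine.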
Cameron Kerr wrote:
> "Bad Code: 9" is a deprecated code meaning "Communication with
> Destination Network Administratively Prohibited" (or words to that
> effect)
>
> Basically, the Network Admin at the ISP has prohibited the use of ping,
> full stop.

Okay sorry, he's right. My ISP must have _very_ recently prohibited ping! I set up a windows machine less than a month ago and used it to test. Sorry for wasting time here.
Patrick <patrickfwd@yahoo.com> wrote:
> Okay sorry, he's right. My ISP must have _very_ recently prohibited ping!
> I set up a windows machine less than a month ago and used it to test.
> Sorry for wasting time here.

Let that be a lesson to you then. groups.google.com query "group:comp.os.linux.networking ping Bad Code 9"

The practice of blocking pings, it would seem, is growing.

--
Cameron Kerr
cameron.kerr@paradise.net.nz : http://nzgeeks.org/cameron/
Empowered by Perl!
I conducted that search and many like it on the web and on groups.google.com. But no matter how many times I read "admin prohibited," I would not have associated that admin with my ISP, since up until a few weeks ago ping was allowed.

Cameron Kerr wrote:
>> Okay sorry, he's right. My ISP must have _very_ recently prohibited
>> ping! I set up a windows machine less than a month ago and used it to
>> test. Sorry for wasting time here.
> Let that be a lesson to you then. groups.google.com query
> "group:comp.os.linux.networking ping Bad Code 9"
>
> The practice of blocking pings, it would seem, is growing.