  1. #1

    Calistoga's Avatar
    Member Since
    Oct 04, 2008
    Location
    USA
    Posts
    94
    Specs:
    Intel iMac, 2.4 GHz, C2D, 4 GB RAM, OS X 10.6.4
    TC failed the Ping Reply
    I went over to security expert Steve Gibson's GRC website and ran Shields up! All of my ports are Stealth. However, I did fail the Ping Reply. I am using a Time Capsule router with a 500 GB hard drive. I believe it is the first generation. I am also using an Apple AirPort Extreme in bridge mode. TC is the primary router. I did a firmware upgrade about two years ago.

    From GRC:
    Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.

  2. #2

    IvanLasston's Avatar
    Member Since
    Feb 26, 2010
    Location
    Rocky Mountain High, Colorado
    Posts
    2,116
    Specs:
    1.8 GHz i7 MBA 11" OSX 10.8.2
    Do you have Enable NAT Port Mapping Protocol checked? Do you have anything set up in default host? I believe either of these allows the ping to go through to your computer and have it reply.

    From the help pages


    Setting NAT options for your base station or Time Capsule
    To set up Network Address Translation (NAT) options for your AirPort wireless device, open the device’s configuration, click Internet, and make sure the device is set up to share a public IP address in the Connection Sharing pop-up menu, and then click NAT.

    NAT options include:

    Enable default host: A default host is a computer on your network that is exposed to the Internet and receives all inbound traffic. A default host may be useful if you use a computer on your AirPort network to play network games, or want to route all Internet traffic through a single computer.

    Enable NAT Port Mapping Protocol: NAT Port Mapping Protocol (NAT-PMP) is an Internet Engineering Task Force Internet Draft, an alternative to the more common Universal Plug and Play (UPnP) protocol implemented in many NAT routers. NAT-PMP allows a computer in a private network (behind a NAT router) to automatically configure the router to allow clients outside the private network to contact this computer.

    Included in the protocol is a method for retrieving the public IP address of a NAT gateway, allowing a client to make this public IP address and port number known to peers that may wish to communicate with it. This protocol is implemented in current Apple products, including Mac OS X 10.4 Tiger, AirPort Extreme and AirPort Express networking products, Time Capsule, and Bonjour for Windows.

    To set NAT options, your base station or Time Capsule must be set up to share its Internet connection using DHCP and NAT.

  3. #3

    Calistoga's Avatar
    Member Since
    Oct 04, 2008
    Location
    USA
    Posts
    94
    Specs:
    Intel iMac, 2.4 GHz, C2D, 4 GB RAM, OS X 10.6.4
    Thanks for the reply. At the present time I am not able to get to my Intel iMac. I do know that Universal Plug and Play is a security hazard. I will need to make sure that UPnP is turned off. There is no need for any of my computers on my network to be a default host. Geez, networking is not my forte. I did turn on the built-in Snow Leopard firewall, but that did not change the result. All my ports are Stealth. My ISP says the problem is on my end. However, they fail the "Ping" when it comes to the DNS Spoofability Test.

    You really need to get your "nerd on" for this one.

  4. #4


    Member Since
    Jun 02, 2008
    Posts
    709
    This has nothing to do with a computer on your network replying. What has happened is that their web site pinged your router and it responded. This means that if someone was sweeping the network looking for active nodes yours will say "here I am". I looked on my TC and I don't see a way to disable ICMP.

    I wouldn't worry about it too much. Even if someone gets a response, they still have to get through the firewall and if all your ports are blocked then you are pretty secure. Steve has always liked to make people feel like their stuff is insecure. He is smart, but way over the top.

  5. #5

    IvanLasston's Avatar
    Member Since
    Feb 26, 2010
    Location
    Rocky Mountain High, Colorado
    Posts
    2,116
    Specs:
    1.8 GHz i7 MBA 11" OSX 10.8.2
    Quote Originally Posted by DaFlake View Post
    This has nothing to do with a computer on your network replying. What has happened is that their web site pinged your router and it responded. This means that if someone was sweeping the network looking for active nodes yours will say "here I am". I looked on my TC and I don't see a way to disable ICMP.

    I wouldn't worry about it too much. Even if someone gets a response, they still have to get through the firewall and if all your ports are blocked then you are pretty secure. Steve has always liked to make people feel like their stuff is insecure. He is smart, but way over the top.
    That is not necessarily true. If you have port forwarding on or a machine in the DMZ then it isn't your router - it is that computer responding. I just tested it on my network. My Linux server responds to a dynamic DNS ping as I have ssh port forwarded. My router is set not to respond to a ping. So the router isn't responding to the ping - a port forwarded computer is responding. That is why I asked the question on what is set on NAT and port forwarding. It is also why I caution against port forwarding unless you fully understand the ramifications.

  6. #6


    Member Since
    Jun 02, 2008
    Posts
    709
    If and only if the ping is assigned to that port will that happen and even then, it is still the router that is responding in lieu of the computer, that is how NAT functions. Your computer responds but that ping hits the router and the router responds for your computer, even with port forwarding. Either way, it is ICMP that is the culprit here... If you had port forwarding on and ICMP disabled a ping should still get no response. If it does, there is something wrong with your router.

    DMZ is a little different and there isn't one on an Airport Extreme TC that I can find.

  7. #7

    Calistoga's Avatar
    Member Since
    Oct 04, 2008
    Location
    USA
    Posts
    94
    Specs:
    Intel iMac, 2.4 GHz, C2D, 4 GB RAM, OS X 10.6.4
    Sorry for my late reply. It looks to me that Port Mapping Protocol is not checked. I would have no reason to turn on port forwarding. I have looked, but I can't find where to enable or turn off Universal Plug and Play. I would think it would be turned off by default. I am not playing any games, I don't have an Xbox, Sony PlayStation, etc. If you tell me where to look, I will try to find Universal Plug and Play. Otherwise, this is a bit of a puzzlement.


  8. #8


    Member Since
    Jun 02, 2008
    Posts
    709
    As I said, the reason for your failing is that there is no way to disable ICMP on an Airport Extreme and TC. So, you are not ever going to be able to "pass" it. Also, just because your router doesn't respond does not mean that it is invisible. Basically, don't waste your time trying to pass it.

  9. #9

    IvanLasston's Avatar
    Member Since
    Feb 26, 2010
    Location
    Rocky Mountain High, Colorado
    Posts
    2,116
    Specs:
    1.8 GHz i7 MBA 11" OSX 10.8.2
    DMZ is available in Airport Utility under Internet -> NAT -> "Enable Default host at" - if you put an IP address there then you have a machine in the DMZ.

    ICMP is doing the pinging but that isn't my point - the point is even a router that looks like it shouldn't respond will respond to an ICMP ping if you have port forwarding on or if a machine is on the DMZ and you don't have it fully configured to be invisible. I don't use the TC as a router - so I cannot speak for it but on my Netgear router there is a specific checkbox that says respond to ICMP ping - that is unchecked. Once I add a port forward config and have dyndns configured - something on my network responds to an ICMP ping.

    All I was suggesting was - to check if either port forwarding or dmz was enabled as those will respond to a ping. The answer was no - so I am with you TC probably responds to ICMP ping and I didn't see a specific checkbox to turn that off under TC.

    I also agree with you - there are more ways to find a computer other than ping and responding to a ping isn't that big a deal.

  10. #10

    Calistoga's Avatar
    Member Since
    Oct 04, 2008
    Location
    USA
    Posts
    94
    Specs:
    Intel iMac, 2.4 GHz, C2D, 4 GB RAM, OS X 10.6.4
    Thanks guys! I still have one more idea up my sleeve. However, it will be with a Windows machine on my network. I will post my results/findings if it works.

  11. #11


    Member Since
    Jun 02, 2008
    Posts
    709
    Quote Originally Posted by IvanLasston View Post
    DMZ is available in Airport Utility under Internet -> NAT -> "Enable Default host at" - if you put an IP address there then you have a machine in the DMZ.

    ICMP is doing the pinging but that isn't my point - the point is even a router that looks like it shouldn't respond will respond to an ICMP ping if you have port forwarding on or if a machine is on the DMZ and you don't have it fully configured to be invisible. I don't use the TC as a router - so I cannot speak for it but on my Netgear router there is a specific checkbox that says respond to ICMP ping - that is unchecked. Once I add a port forward config and have dyndns configured - something on my network responds to an ICMP ping.

    All I was suggesting was - to check if either port forwarding or dmz was enabled as those will respond to a ping. The answer was no - so I am with you TC probably responds to ICMP ping and I didn't see a specific checkbox to turn that off under TC.

    I also agree with you - there are more ways to find a computer other than ping and responding to a ping isn't that big a deal.
    Interesting on the DMZ, I didn't know that, thanks! Apple has a habit of not calling things what they are.....

    I understand and I think that we are thinking the same way but if you have ICMP disabled on your router it really shouldn't respond, even with port forwarding. On the GRC test, an open port would have shown up in the grid. What can you say, they are small home routers with a basic firewall, not industrial strength stuff. It is possible that netgear enables port forwarding automatically when you have port forwarding enabled; perhaps to ensure the service can actually communicate across it.

    Either way, I think that we covered the OP's question.

  12. #12

    Calistoga's Avatar
    Member Since
    Oct 04, 2008
    Location
    USA
    Posts
    94
    Specs:
    Intel iMac, 2.4 GHz, C2D, 4 GB RAM, OS X 10.6.4
    Quote Originally Posted by DaFlake View Post
    Either way, I think that we covered the OP's question.
    Yeah, you guys are pretty geeky (I mean that in the nicest way).

    Good stuff.

  13. #13


    Member Since
    Jun 02, 2008
    Posts
    709
    Quote Originally Posted by Calistoga View Post
    Yeah, you guys are pretty geeky (I mean that in the nicest way).

    Good stuff.
    LOL, I am a former network engineer turned programmer. I accept geek...

  14. #14

    IvanLasston's Avatar
    Member Since
    Feb 26, 2010
    Location
    Rocky Mountain High, Colorado
    Posts
    2,116
    Specs:
    1.8 GHz i7 MBA 11" OSX 10.8.2
    I think we are all in agreement too.

    DaFlake - you are right I do have a big red blotch when I run the test because my ssh server responds. I deleted that port forward and it still responded to ping but no red on the ports. So it leads me to believe that it is another setting on my router. It may be a requirement of dyndns as that is set up too. I don't want to turn that off as that is a little touchy. All that being said - if my setting says do not respond to ICMP ping I expect that to be true, or a warning that turning on some service (like dyndns) will enable it. Again this is a Netgear router so that info does not apply to the OP's problem, just an observation.

    Anyway just because it responds to a ping and ssh port is open - it does not mean I have a security issue. I know what I am doing and there is a bunch of stuff I did to lock down ssh. That being said - I do see attempts every day to try to brute force ssh. Same story I guess - don't worry too hard about the ping failure - but whatever happens with the Windows machine please report back.

  15. #15

    Slydude's Avatar
    Member Since
    Nov 15, 2009
    Location
    North Louisiana, USA
    Posts
    10,469
    Specs:
    2.8 GHz MacBook Pro 10.11, 8 GB mem, iPhone 6+
    When the TC was my primary router I failed the same test. AFAIK I don't have port forwarding or any of the things that normally respond to pings running.

    I solved the problem by putting the TC behind another router and let it handle routing functions. I was going to do that anyway since the TC was only being used as a router until I replaced my original router which had failed. With both a router and TC I can assign all my 802.11n devices to one network segment and the rest to a different segment.
    Sylvester Roque Former Contributing Editor About This Particular Macintosh

    "Got Time to breathe. You got time for music." Denver Pyle as Briscoe Darling
