TC failed the Ping Reply


Calistoga

 
Member Since: Oct 04, 2008
Location: USA
Posts: 94
Mac Specs: Intel iMac, 2.4 GHz, C2D, 4 GB RAM, OS X 10.6.4

I went over to security expert Steve Gibson's GRC website and ran ShieldsUP! All of my ports are Stealth. However, I did fail the Ping Reply. I am using a Time Capsule router with a 500 GB hard drive. I believe it is the first generation. I am also using an Apple AirPort Extreme in bridge mode. TC is the primary router. I did a firmware upgrade about two years ago.

From GRC:
Quote:
Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.

IvanLasston
Member Since: Feb 26, 2010
Location: Rocky Mountain High, Colorado
Posts: 2,116
Mac Specs: 1.8 GHz i7 MBA 11" OSX 10.8.2

Do you have Enable NAT Port Mapping Protocol checked? Do you have anything set up in default host? I believe either of these allows the ping to go through to your computer and have it reply.

From the help pages

Quote:

Setting NAT options for your base station or Time Capsule
To set up Network Address Translation (NAT) options for your AirPort wireless device, open the device’s configuration, click Internet, and make sure the device is set up to share a public IP address in the Connection Sharing pop-up menu, and then click NAT.

NAT options include:

Enable default host: A default host is a computer on your network that is exposed to the Internet and receives all inbound traffic. A default host may be useful if you use a computer on your AirPort network to play network games, or want to route all Internet traffic through a single computer.

Enable NAT Port Mapping Protocol: NAT Port Mapping Protocol (NAT-PMP) is an Internet Engineering Task Force Internet Draft, an alternative to the more common Universal Plug and Play (UPnP) protocol implemented in many NAT routers. NAT-PMP allows a computer in a private network (behind a NAT router) to automatically configure the router to allow clients outside the private network to contact this computer.

Included in the protocol is a method for retrieving the public IP address of a NAT gateway, allowing a client to make this public IP address and port number known to peers that may wish to communicate with it. This protocol is implemented in current Apple products, including Mac OS X 10.4 Tiger, AirPort Extreme and AirPort Express networking products, Time Capsule, and Bonjour for Windows.

To set NAT options, your base station or Time Capsule must be set up to share its Internet connection using DHCP and NAT.
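
The help text quoted above says NAT-PMP includes a method for retrieving the gateway's public IP address. As an added example (not part of the original thread or Apple's documentation), this Python code builds that request and parses the reply as laid out in RFC 6886, so you can check from inside your own network whether the router answers NAT-PMP. The function names and the sample reply are constructed for illustration.

```python
import ipaddress
import socket
import struct

NATPMP_PORT = 5351  # UDP port a NAT-PMP gateway listens on (RFC 6886)
RESULT_CODES = {0: "success", 1: "unsupported version", 2: "not authorized/refused",
                3: "network failure", 4: "out of resources", 5: "unsupported opcode"}


def build_external_address_request() -> bytes:
    """Version 0, opcode 0: ask the gateway for its public IPv4 address."""
    return struct.pack("!BB", 0, 0)


def parse_external_address_response(data: bytes) -> dict:
    """Parse the reply: version, opcode (128), result code, epoch seconds, address."""
    if len(data) < 4:
        raise ValueError("truncated NAT-PMP response")
    version, opcode, result = struct.unpack("!BBH", data[:4])
    if version != 0 or opcode != 128:
        raise ValueError(f"not an external-address response (v={version}, op={opcode})")
    info = {"result": RESULT_CODES.get(result, f"unknown ({result})"), "external_ip": None}
    if result == 0:
        if len(data) < 12:
            raise ValueError("success response shorter than 12 bytes")
        epoch, raw_ip = struct.unpack("!I4s", data[4:12])
        info["epoch_seconds"] = epoch
        info["external_ip"] = str(ipaddress.IPv4Address(raw_ip))
    return info


def natpmp_status(gateway: str, timeout: float = 1.0) -> dict:
    """Query your own gateway; no reply suggests NAT-PMP is off or unsupported."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_external_address_request(), (gateway, NATPMP_PORT))
            data, _ = sock.recvfrom(16)
        except OSError:  # includes socket.timeout
            return {"enabled": False, "result": "no reply", "external_ip": None}
    return {"enabled": True, **parse_external_address_response(data)}


# Constructed sample reply (not captured traffic): success, epoch 4711 s,
# external address 203.0.113.7 from the documentation address range.
SAMPLE_REPLY = bytes([0, 128, 0, 0]) + struct.pack("!I", 4711) + bytes([203, 0, 113, 7])

if __name__ == "__main__":
    print(parse_external_address_response(SAMPLE_REPLY))
    # On a real network, call natpmp_status() with your router's LAN address.
```

A reply with result "success" means the router will accept automatic port-mapping requests from machines on the LAN; a timeout is consistent with the Enable NAT Port Mapping Protocol box being unchecked.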
Calistoga

 
Thanks for the reply. At the present time I am not able to get to my Intel iMac. I do know that Universal Plug and Play is a security hazard. I will need to make sure that UPnP is turned off. There is no need for any of my computers on my network to be a default host. Geez, networking is not my forte. I did turn on the built-in Snow Leopard firewall, but that did not change the result. All my ports are Stealth. My ISP says the problem is on my end. However, they fail the "Ping" when it comes to the DNS Spoofability Test.

You really need to get your "nerd on" for this one.

DaFlake
Member Since: Jun 02, 2008
Posts: 709

This has nothing to do with a computer on your network replying. What has happened is that their web site pinged your router and it responded. This means that if someone was sweeping the network looking for active nodes yours will say "here I am". I looked on my TC and I don't see a way to disable ICMP.

I wouldn't worry about it too much. Even if someone gets a response, they still have to get through the firewall and if all your ports are blocked then you are pretty secure. Steve has always liked to make people feel like their stuff is insecure. He is smart, but way over the top.

IvanLasston

Quote (originally posted by DaFlake):
This has nothing to do with a computer on your network replying. What has happened is that their web site pinged your router and it responded. This means that if someone was sweeping the network looking for active nodes yours will say "here I am". I looked on my TC and I don't see a way to disable ICMP.

I wouldn't worry about it too much. Even if someone gets a response, they still have to get through the firewall and if all your ports are blocked then you are pretty secure. Steve has always liked to make people feel like their stuff is insecure. He is smart, but way over the top.

That is not necessarily true. If you have port forwarding on or a machine in the DMZ then it isn't your router - it is that computer responding. I just tested it on my network. My Linux server responds to a dynamic DNS ping as I have ssh port forwarded. My router is set not to respond to a ping. So the router isn't responding to the ping - a port forwarded computer is responding. That is why I asked the question on what is set on NAT and port forwarding. It is also why I caution against port forwarding unless you fully understand the ramifications.

DaFlake

If and only if the ping is assigned to that port will that happen and even then, it is still the router that is responding in lieu of the computer, that is how NAT functions. Your computer responds but that ping hits the router and the router responds for your computer, even with port forwarding. Either way, it is ICMP that is the culprit here... If you had port forwarding on and ICMP disabled a ping should still get no response. If it does, there is something wrong with your router.

DMZ is a little different and there isn't one on an Airport Extreme TC that I can find.

Calistoga

Sorry for my late reply. It looks to me that Port Mapping Protocol is not checked. I would have no reason to turn on port forwarding. I have looked, but I can't find where to enable or turn off Universal Plug and Play. I would think it would be turned off by default. I am not playing any games, I don't have an Xbox, Sony PlayStation, etc. If you tell me where to look, I will try to find Universal Plug and Play. Otherwise, this is a bit of a puzzlement.

DaFlake

As I said, the reason for your failing is that there is no way to disable ICMP on an Airport Extreme and TC. So, you are not ever going to be able to "pass" it. Also, just because your router doesn't respond does not mean that it is invisible. Basically, don't waste your time trying to pass it.

IvanLasston

DMZ is available in Airport Utility under Internet -> NAT -> "Enable Default host at" - if you put an IP address there then you have a machine in the DMZ.

ICMP is doing the pinging but that isn't my point - the point is even on a router that looks like it shouldn't respond - will respond to an ICMP ping if you have port forwarding on or if a machine is on the DMZ and you don't have it fully configured to be invisible. I don't use the TC as a router - so I cannot speak for it but on my Netgear router there is a specific checkbox that says respond to ICMP ping - that is unchecked. Once I add a port forward config and have dyndns configured - something on my network responds to an ICMP ping.

All I was suggesting was - to check if either port forwarding or DMZ was enabled as those will respond to a ping. The answer was no - so I am with you TC probably responds to ICMP ping and I didn't see a specific checkbox to turn that off under TC.

I also agree with you - there are more ways to find a computer other than ping and responding to a ping isn't that big a deal.

Calistoga

Thanks guys! I still have one more idea up my sleeve. However, it will be with a Windows machine on my network. I will post my results/findings if it works.

DaFlake

Quote (originally posted by IvanLasston):
DMZ is available in Airport Utility under Internet -> NAT -> "Enable Default host at" - if you put an IP address there then you have a machine in the DMZ.

ICMP is doing the pinging but that isn't my point - the point is even on a router that looks like it shouldn't respond - will respond to an ICMP ping if you have port forwarding on or if a machine is on the DMZ and you don't have it fully configured to be invisible. I don't use the TC as a router - so I cannot speak for it but on my Netgear router there is a specific checkbox that says respond to ICMP ping - that is unchecked. Once I add a port forward config and have dyndns configured - something on my network responds to an ICMP ping.

All I was suggesting was - to check if either port forwarding or DMZ was enabled as those will respond to a ping. The answer was no - so I am with you TC probably responds to ICMP ping and I didn't see a specific checkbox to turn that off under TC.

I also agree with you - there are more ways to find a computer other than ping and responding to a ping isn't that big a deal.

Interesting on the DMZ, I didn't know that, thanks! Apple has a habit of not calling things what they are.....

I understand and I think that we are thinking the same way but if you have ICMP disabled on your router it really shouldn't respond, even with port forwarding. On the GRC test, an open port would have shown up in the grid. What can you say, they are small home routers with basic firewall not industrial strength stuff. It is possible that Netgear enables port forwarding automatically when you have port forwarding enabled; perhaps to ensure the service can actually communicate across it.

Either way, I think that we covered the OP's question.

Calistoga

Quote (originally posted by DaFlake):
Either way, I think that we covered the OP's question.

Yeah, you guys are pretty geeky (I mean that in the nicest way).

Good stuff.

DaFlake

Quote (originally posted by Calistoga):
Yeah, you guys are pretty geeky (I mean that in the nicest way).

Good stuff.

LOL, I am a former network engineer turned programmer. I accept geek...

IvanLasston

I think we are all in agreement too.

DaFlake - you are right I do have a big red blotch when I run the test because my ssh server responds. I deleted that port forward and it still responded to ping but no red on the ports. So it leads me to believe that it is another setting on my router. It may be a requirement of dyndns as that is set up too. I don't want to turn that off as that is a little touchy. All that being said - if my setting says do not respond to ICMP ping I expect that to be true, or a warning that turning on some service (like dyndns) will enable it. Again this is a Netgear router so that info does not apply to the OP's problem just an observation.

Anyway just because it responds to a ping and ssh port is open - it does not mean I have a security issue. I know what I am doing and there is a bunch of stuff I did to lock down ssh. That being said - I do see attempts every day to try to brute force ssh. Same story I guess - don't worry too hard about the ping failure - but whatever happens with the Windows machine please report back.

Slydude
Member Since: Nov 16, 2009
Location: North Louisiana, USA
Posts: 6,845
Mac Specs: 2.8 GHz MacBook Pro 10.8,3 8 GB mem, 2.66 GHz Mac Pro - Dead, iPhone 4

When the TC was my primary router I failed the same test. AFAIK I don't have port forwarding or any of the things that normally respond to pings running.

I solved the problem by putting the TC behind another router and let it handle routing functions. I was going to do that anyway since the TC was only being used as a router until I replaced my original router which had failed. With both a router and TC I can assign all my 802.11n devices to one network segment and the rest to a different segment.

Sylvester Roque Former Contributing Editor About This Particular Macintosh

"Got Time to breathe. You got time for music." Denver Pyle as Briscoe Darling