FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Ubuntu > Ubuntu User

 
 
LinkBack Thread Tools
 
Old 01-28-2011, 11:40 AM
Nico Kadel-Garcia
 
Default internet connection tester script

On Fri, Jan 28, 2011 at 7:19 AM, John R Pierce <pierce@hogranch.com> wrote:
> On 01/28/11 3:28 AM, kellyremo wrote:
>> bix.hu and www.yahoo.com are "pingable" test sites.
>> 127.0.0.1 could not be pinged [firewall drops all icmp]
>
>
> what sort of firewall drops packets on localhost ?!?
>
> yahoo.com is probably a poor choice of targets, as its a widely
> distributed group of servers, and you likely will be pinging different
> servers at different times, maybe even in different parts of the world.
> I would instead suggest using a target at your ISP or backbone provider.

But it's therefore *very* robust, and less likely to have a particular
host drop out.

If you'd like to be paranoid, it's sometimes handy to do a DNS lookup
first on your target, and ping the local gateway. those steps can be
automated from your local network configuration, they can *read* your
local configuration so they work on all hosts you manage, and if
things start failing, you can then have it run a "traceroute" against
the target.

It also carries some classic attack vectors, such as the "smurf" attack.

> btw, dropping 'all icmp' is bad practice. *Internet Control Message
> Protocol is used for a number of things, including informing
> applications when a host or port is not accessible. *if you drop this,
> you instead hang for minutes waiting for a response instead of quickly
> getting back a 'target {host|port} not reachable' error.
>
> anyways, if you drop all ICMP, you won't get any pings from anywheres.

Yup. That's why it's common to drop at external firewalls and blocked
by NAT from reaching inside your network, to protect less thoroughly
protected and critical hosts from distributed denial of service (DDOS)
such as the now classic "ping flood" attack. There is generally no
good reason to allow external ICMP packets into your local network,
except maybe to allow an external monitoring system or VPN connection
to verify the presence of a few exposed hosts.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 01-28-2011, 11:51 AM
Mart Frauenlob
 
Default internet connection tester script

On 28.01.2011 12:28, kellyremo wrote:


http://pastebin.com/raw.php?i=rykHdvBh

bix.hu and www.yahoo.com are "pingable" test sites.
127.0.0.1 could not be pinged [firewall drops all icmp]

i have a "oneliner" that echoes if theres "internet connection or no".
$ ping -W 1 -c 2 bix.hu >& /dev/null && ping -W 1 -c 2 www.yahoo.com >&
/dev/null && echo "internet connection ok" || echo "no internet connection"
internet connection ok
$ ping -W 1 -c 2 127.0.0.1 >& /dev/null && ping -W 1 -c 2 www.yahoo.com
>& /dev/null && echo "internet connection ok" || echo "no internet
connection"
no internet connection
$ ping -W 1 -c 2 127.0.0.1 >& /dev/null && ping -W 1 -c 2 127.0.0.1 >&
/dev/null && echo "internet connection ok" || echo "no internet connection"
no internet connection
$ ping -W 1 -c 2 bix.hu >& /dev/null && ping -W 1 -c 2 127.0.0.1 >&
/dev/null && echo "internet connection ok" || echo "no internet connection"
no internet connection
$ ping -W 1 -c 2 bix.hu >& /dev/null && ping -W 1 -c 2 www.yahoo.com >&
/dev/null && echo "internet connection ok" || echo "no internet connection"
internet connection ok
$

Ok!

But: if i want the "oneliner" to only go along when theres internet
connection:
$ while $TORF; do ping -W 1 -c 1 bix.hu >& /dev/null && ping -W 1 -c 1
www.yahoo.com >& /dev/null && TORF=false || TORF=true; done
$ while $TORF; do ping -W 1 -c 1 127.0.0.1 >& /dev/null && ping -W 1 -c
1 www.yahoo.com >& /dev/null && TORF=false || TORF=true; done
$ while $TORF; do ping -W 1 -c 1 127.0.0.1 >& /dev/null && ping -W 1 -c
1 127.0.0.1 >& /dev/null && TORF=false || TORF=true; done
$ while $TORF; do ping -W 1 -c 1 bix.hu >& /dev/null && ping -W 1 -c 1
127.0.0.1 >& /dev/null && TORF=false || TORF=true; done
$ while $TORF; do ping -W 1 -c 1 bix.hu >& /dev/null && ping -W 1 -c 1
www.yahoo.com >& /dev/null && TORF=false || TORF=true; done
$

It just doesn't work.

Goal: if theres no internet connection, then the oneliner must loop
until there is internet connection. if theres internet connection the
oneliner ends.

what am i missing?



until ping -c 1 host &>/dev/null; do echo "offline"; sleep 1; done
while ! ping -c 1 host &>/dev/null; do echo "offline"; sleep 1; done

no need to set the TORF variable. use the exit status of the command.

The while command continuously executes the do list as long as the last
command in list returns an exit status of zero.

For until it's the other way round.

Best regards

Mart


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Archive: 4D42BBCB.8000808@chello.at">http://lists.debian.org/4D42BBCB.8000808@chello.at
 
Old 01-28-2011, 01:57 PM
JB
 
Default internet connection tester script

kellyremo <kellyremo <at> zoho.com> writes:

> ...
> Goal: if theres no internet connection, then the oneliner must loop until
> there is internet connection. if theres internet connection the oneliner
> ends.what am i missing?
> ...

Test:

1. there is internet connection to both

$ TORF=true; while $TORF; do ping -W 1 -c 1 bix.hu >& /dev/null && ping -W 1
-c 1 www.yahoo.com >& /dev/null && TORF=false || TORF=true; echo $TORF; sleep 1;
done
false
$

2. there is no internet connection to at least one

$ TORF=true; while $TORF; do ping -W 1 -c 1 www.blakstar.org >& /dev/null &&
ping -W 1 -c 1 www.yahoo.com >& /dev/null && TORF=false || TORF=true; echo
$TORF; sleep 1; done
true
true
true
true
^C
$

Nota bene !
Let's assume negation is represented by "~" sign.
~(a && b) equivalent to ~a || ~b
~(a || b) equivalent to ~a && ~b

JB






--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
Old 01-28-2011, 03:19 PM
 
Default internet connection tester script

Nico Kadel-Garcia wrote:

> Yup. That's why it's common to drop at external firewalls and blocked
> by NAT from reaching inside your network, to protect less thoroughly
> protected and critical hosts from distributed denial of service (DDOS)
> such as the now classic "ping flood" attack. There is generally no
> good reason to allow external ICMP packets into your local network,
> except maybe to allow an external monitoring system or VPN connection
> to verify the presence of a few exposed hosts.

This is a widely held opinion that I strongly disagree with.
Blocking all ICMP is not only not needed, but it is not
conforming to Internet protocol requirements (RFC 1122, 3.2.2)
and makes headaches for sysadmins who have to troubleshoot
network issues. Wikipedia puts it succinctly:

Many network security devices block all ICMP messages for
perceived security benefits, including the errors that are
necessary for the proper operation of PMTUD. This can result in
connections that complete the TCP three-way handshake correctly,
but then hang when data is transferred. This state is referred
to as a black hole connection.

Some implementations of PMTUD attempt to prevent this problem by
inferring that large payload packets have been dropped due to
MTU rather than because of link congestion. However, in order
for the Transmission Control Protocol (TCP) to operate most
efficiently, ICMP Unreachable messages (type 3) should be
permitted. A robust method for PMTUD that relies on TCP or
another protocol to probe the path with progressively larger
packets has been standardized in RFC 4821.

http://en.wikipedia.org/wiki/Path_MTU_Discovery

--
Charles Polisher

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 01-28-2011, 11:14 PM
Nico Kadel-Garcia
 
Default internet connection tester script

On Fri, Jan 28, 2011 at 11:19 AM, <cpolish@surewest.net> wrote:
> Nico Kadel-Garcia wrote:
>
>> Yup. That's why it's common to drop at external firewalls and blocked
>> by NAT from reaching inside your network, to protect less thoroughly
>> protected and critical hosts from distributed denial of service (DDOS)
>> *such as the now classic "ping flood" attack. There is generally no
>> good reason to allow external ICMP packets into your local network,
>> except maybe to allow an external monitoring system or VPN connection
>> to verify the presence of a few exposed hosts.

> * *Many network security devices block all ICMP messages for
> * *perceived security benefits, including the errors that are
> * *necessary for the proper operation of PMTUD. This can result in
> * *connections that complete the TCP three-way handshake correctly,
> * *but then hang when data is transferred. This state is referred
> * *to as a black hole connection.

I'm not sure how the lack of PMTUD is worked around: given the number
of environments for which blocking ICMP entirely is standard practice,
it can't be *too* much of an issue, can it? I'm deducing, without
enough proof, that the upstream ISP's routers have to handle ICMP from
the other routers they speak with. But other than that, why should it
be supported again? Do household network devices really need to do the
path optimization supported by this? They're not multi-homed: perhaps
the single gateway that they use helps avoid the issue?
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 

Thread Tools




All times are GMT. The time now is 02:28 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org