
On Booting @ CPULOAD Pinging Gateway with PING disabled at Firewall


mygoogoo


Using unRAID version 6.0-beta12.

 

Is it really necessary to have unRAID ping the gateway? In my case it is a firewall with ICMP Pings blocked and also IDS/IPS active. During initial boot unRAID stops at CPULOAD momentarily, for 52 minutes; thereafter everything continues as normal and plugins download and install. I could see via HTOP that unRAID relentlessly pings the gateway while attempting to download each plugin. After 52 minutes it looks like the Pinging ceases and then unRAID is able to download plugins as normal.

 

If I allow pings on the firewall then there is no issue and everything operates as normal. I don't ever remember this being an issue prior to 6.0-beta12.

 

Perhaps I misunderstand the reasoning for the pings beyond the obvious, but if the gateway IP addy is already saved to network config, why ping the gateway? If the gateway were not accessible to begin with, this would have been already verified by other means. No other server on my network is affected by blocked ICMP pings, only unRAID.

 

I believe a couple of people on the forums have mentioned that their unRAID server takes a long time to be able to access the webGUI. Perhaps this can be a reason why.


I'll keep this short as I don't have the time to explain ALL the reasons why network security, especially in today's world, is extremely important. I think you need to re-evaluate your question.

 

Basically for the same reasons why UPnP is a bad idea. You're assuming that network security vulnerabilities with ICMP/Ping are an issue on the WAN side and never on the LAN side. You have to think security from the inside-out as a best policy. Also you're assuming that users of the network will never, even if by accident, visit a nefarious website or manually install some sort of malware on their PC, Android or iPhone. You're also assuming that any device installed in the LAN, for example security cameras made abroad, doesn't ping for LAN devices or doesn't "phone home" (with results); not to mention zero-day and other vulnerabilities. (If you have a firewall with active logging, you will see what I am talking about in black and white.) I have seen users' PCs infected with several vulnerabilities that could have adversely affected several networks but didn't because simple things like UPnP and ICMP/Ping have been disabled on the LAN side along with active IDS/IPS. Let your 10 year old kid, nephew/niece or grand-kid visit as many Minecraft websites as possible with minimal network and PC security and post your results here after a week or so. That's if you can get the PC to work.

 

I sincerely hope that unRAID users are not simply deploying unRAID servers on their LAN without at least installing a perimeter firewall solution on the network (pfSense, Smoothwall, IPFire, IPCop, etc., if not a commercial solution), as simple as that network might be, and do not rely on the ISP's router/firewall, and do not rely on something as simple as DD-WRT on Wi-Fi routers to protect the network; especially when plugins like Plex and MediaBrowser are enabled and serving content on the LAN and WAN side.

 

If anyone here on these forums treats network security as an inconvenience, then you shouldn't be running a server. Good luck.

 

A couple of examples and reading material:

http://www.sans.org/security-resources/idfaq/icmp_misuse.php

 

 


Archived

This topic is now archived and is closed to further replies.
