How to allow unprivileged users to use ICMP (ping)

One of the fundamental protocols for running tests in your network is ICMP, which is used to see if devices are reachable over an IP-based network. OpenNMS implements the ICMP protocol, and you can use it as a continuous test in your network to detect failures on the IP network layer.

The equivalent tool is ping <host-or-ip>, which uses ICMP as well and allows you to test on the command line if the network device is reachable. Some Linux distributions restrict permissions to send ICMP datagrams for security reasons based on the group ID.

Verify which group IDs are allowed to use datagram sockets:

sysctl net.ipv4.ping_group_range

The default is "1 0", which means no group is allowed to create ICMP Echo sockets.

net.ipv4.ping_group_range = 1	0

You can set a range of group IDs (minimum / maximum inclusive) that are allowed to create ICMP Echo sockets. The following command allows the single group ID to open ICMP Echo sockets.

sysctl net.ipv4.ping_group_range='10001 10001'

:tipping_hand_woman: If you want to enable this permanently, create a file in /etc/sysctl.d/ to set the range.

Create configuration file

sudo vi /etc/sysctl.d/99-allow-ping.conf 

Add the following line and save the file

net.ipv4.ping_group_range=10001 10001

:tipping_hand_woman: If you want to enable it for the world you can set "0 4294967295".

Reboot the server and verify if the kernel setting is set.


:woman_facepalming: You can fix me, I'm a wiki post.

2 Likes
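
A way to check the setting described in the wiki post above, as an added example that is not part of the original post or of OpenNMS: it reads net.ipv4.ping_group_range from procfs, lists which GIDs of the current process fall inside the range, and tries to open an ICMP Echo datagram socket. The function names are assumptions of this example; run it as the unprivileged user that should be allowed to ping.

```python
import errno
import os
import socket

PROC_PATH = "/proc/sys/net/ipv4/ping_group_range"  # procfs view of the sysctl


def parse_range(text):
    """Parse the sysctl value ("low<whitespace>high") into a (low, high) tuple."""
    low, high = (int(field) for field in text.split())
    return low, high


def matching_gids(gid_range, gids):
    """Return the GIDs inside the inclusive range; low > high (e.g. "1 0") matches none."""
    low, high = gid_range
    return sorted(g for g in set(gids) if low <= g <= high)


def try_ping_socket():
    """Try to open an ICMP Echo datagram socket; return (ok, error name or None)."""
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_ICMP)
    except OSError as exc:  # EACCES when no GID of this process is in the range
        return False, errno.errorcode.get(exc.errno, str(exc.errno))
    sock.close()
    return True, None


def main():
    with open(PROC_PATH) as fh:
        gid_range = parse_range(fh.read())
    # Effective GID plus supplementary groups of the current process
    gids = [os.getegid(), *os.getgroups()]
    allowed = matching_gids(gid_range, gids)
    ok, err = try_ping_socket()
    print(f"ping_group_range : {gid_range[0]} {gid_range[1]}")
    print(f"process GIDs     : {sorted(set(gids))}")
    print(f"GIDs in range    : {allowed or 'none'}")
    print(f"ICMP Echo socket : {'opened' if ok else 'refused (' + err + ')'}")
    return 0 if ok else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

The script exits with status 0 only when the socket could be opened, so it can also be used as a post-change check in provisioning.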

This article is superseded when you run Horizon 29+. It runs by default as an unprivileged user and does all the required steps during installation.

1 Like

Hello @indigo
Please, how can I test this configuration?