Why does disabling ICMP in/out on my DSL modem cause web pages to load much faster?

Asked by steve hussey

Ubuntu 10.04.2; latest updates are current. Qwest Actiontec GT701 High Speed Internet modem.

I have a Windows system that has always loaded web pages much faster than Ubuntu. The difference is significant, most pages take about ten to fifteen seconds longer to fully load. I am running AdBlock Plus in Firefox 3.0.17 in Ubuntu to help prevent unwanted ads from loading within the page. In theory, this alone should cause web sites to load much faster.

In every version of Ubuntu I have used, this behavior has always been the same. I figured that this was possibly due to Ubuntu being a free of charge Operating System, and that this was something I would have to live with.

I recently made a change to the modem settings. I changed the ICMP out setting to off, and discovered that now the web pages load almost as quickly as the Windows system. In fact, the Windows system is faster than before, but the difference between Ubuntu and Windows is much less, with Ubuntu now taking about three or four seconds to load a web page, and Windows about one to two seconds.

I always had "ICMP in" set to off, as Steve Gibson's firewall test would report ICMP ping echo reply as enabled (the modem would answer when pinged). Disabling "ICMP in" in the modem would remove this alert.

Correct me if I am wrong, but I understand ICMP is used to verify network connectivity within the local network, and to diagnose the type and nature of any network connectivity problems within that network. It is also used to automatically find the best pathway for network connectivity when more than one router is used.

Am I right to think ICMP is not needed when all is well within that network? Or is the behavior described above an indication of a programming defect or a security vulnerability within Ubuntu?

Please let me know why this is, and if changing this setting to off enhances or worsens security when on the Internet.

mchain

Question information

Language: English
Status: Answered
For: Ubuntu gnome-nettool
Assignee: No assignee
actionparsnip (andrew-woodhead666) said:
#1

Reducing active protocols and services improves security. This is one reason why the server version doesn't have an X server.

You can make the web faster by installing and configuring dnsmasq; this will make your DNS resolutions take 0ms and make the web faster.

You can also run:

gksudo gedit /etc/sysctl.conf

add this code:

net.core.rmem_default = 524288
net.core.rmem_max = 524288
net.core.wmem_default = 524288
net.core.wmem_max = 524288
net.ipv4.tcp_wmem = 4096 87380 524288
net.ipv4.tcp_rmem = 4096 87380 524288
net.ipv4.tcp_mem = 524288 524288 524288
net.ipv4.tcp_rfc1337 = 1
net.ipv4.ip_no_pmtu_disc = 0
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_ecn = 0
net.ipv4.route.flush = 1
vm.swappiness = 10

Save the new file, close gedit and run:

sudo sysctl -p

You can also disable ipv6 (assuming you don't use it) by adding the boot option:

ipv6.disable=1

HTH

steve hussey (srhussey1) said:
#2

@ actionparsnip,

Sorry I have not gotten back to you sooner.

Just running DNSmasq is sufficient for my needs. Is there a GUI or must it be run in terminal?

The other code is not needed at this time.

As more and more sites become compatible with ipv6, I am thinking it best not to disable it.

Thank you.

mchain

actionparsnip (andrew-woodhead666) said:
#3

You need to run:

cat /etc/resolv.conf; gksudo gedit /etc/dnsmasq.conf

find:
#listen-address=

change it to:
listen-address=127.0.0.1

Save the new file, close gedit and run:

sudo service dnsmasq stop; sudo service dnsmasq start

You then need to edit your connection using network manager so that your interface is DHCP (address only) and set the DNS servers to be

127.0.0.1, foo, bar

replace foo and bar with the DNS servers which are listed in the terminal (hence the 'cat /etc/resolv.conf' command). You can even use:

127.0.0.1, 8.8.8.8, 192.168.0.1

I assume your router's internal IP is 192.168.0.1; most home grade routers use this address, so if yours is different then change it. 8.8.8.8 is Google's public DNS service. Your system will then cache DNS resolutions and you will not have to keep asking Google / your provider for EVERY name resolution, which is what it currently does. Makes things a bit faster :)
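The listen-address edit from the answer above, scripted as an added example that is not part of the original thread: a POSIX shell script that applies the change to a copy of dnsmasq.conf, keeps a backup, and then checks that exactly one active listen-address line remains and that it is 127.0.0.1. The check is the part worth keeping: a dnsmasq bound to a LAN or wildcard address will answer name queries from other hosts, so a mistyped or leftover listen-address line turns a local cache into a resolver other machines can use. The sample config below is constructed for the demo, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): set dnsmasq's listen-address to loopback
# and verify the result. Assumes the dnsmasq.conf line syntax shown in the
# answer ("#listen-address=" as the stock commented line).
set -eu

# Rewrite the config at $1 so that exactly one active "listen-address=127.0.0.1"
# line exists. The first listen-address line (commented or not) is replaced;
# any later active listen-address line is commented out. A backup is kept at $1.bak.
set_dnsmasq_listen() {
    conf="$1"
    cp "$conf" "$conf.bak"
    awk '
        /^#?listen-address=/ && !done { print "listen-address=127.0.0.1"; done = 1; next }
        /^listen-address=/            { print "#" $0; next }   # disable extra active lines
        { print }
        END { if (!done) print "listen-address=127.0.0.1" }
    ' "$conf.bak" > "$conf"
}

# Return 0 only when the config has exactly one active listen-address line
# and it is the loopback address; anything else means dnsmasq may answer
# queries from other hosts.
check_dnsmasq_listen() {
    n=$(grep -c '^listen-address=' "$1" || true)
    [ "$n" -eq 1 ] && grep -q '^listen-address=127\.0\.0\.1$' "$1"
}

# Demo on a constructed config file (not the real /etc/dnsmasq.conf).
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/dnsmasq.conf"
cat > "$demo_conf" <<'EOF'
# constructed sample resembling the stock file
#listen-address=
cache-size=150
EOF
set_dnsmasq_listen "$demo_conf"
if check_dnsmasq_listen "$demo_conf"; then
    echo "dnsmasq will listen on loopback only:"
    grep '^listen-address=' "$demo_conf"
else
    echo "listen-address is not loopback-only; review $demo_conf" >&2
fi
```

Run it as a normal user to see the rewrite on the sample file; to apply it to the real config, call set_dnsmasq_listen on /etc/dnsmasq.conf with sudo and restart dnsmasq as the answer describes. The awk rewrite is used instead of sed -i so the script behaves the same on GNU and BSD userlands.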
