Questions about ICMP
Rick Stevens
rstevens at internap.com
Thu Dec 6 00:16:42 UTC 2007
On Wed, 2007-12-05 at 16:00 -0800, Daniel B. Thurman wrote:
> Craig White wrote:
>
> >Sent: Wednesday, December 05, 2007 3:33 PM
> >To: For users of Fedora
> >Subject: Re: Questions about ICMP
> >
> >
> >On Wed, 2007-12-05 at 15:27 -0800, Daniel B. Thurman wrote:
> >> Should ICMP packets be allowed both over the
> >> Internet or should it be allowed to pass only in
> >> the local networks?
> >>
> >> I have a firewall appliance and trying to make sure
> >> that I am being secured properly.
> >----
> >disabling icmp echo requests is a great feature for the ultra-paranoid
> >
> >Craig
> >
> >--
>
> So... am I to read this as it is a good idea to disable all icmp
> requests? I get a LOT of ICMP requests from the Internet probing
> at my ports, which are disabled. This is a good idea?
There is no reason for people to ICMP you unless they're just snooping
to see what IPs are in use--and that can indicate an oncoming hack
attempt. It is a very good idea to turn it off.
I do...at least at my router/firewall. The Internet doesn't need to
know I'm there. Internally I leave it enabled so I can verify my
machines are alive (that and SNMP stuff). So if you're on my private
network, pings are OK. I ignore attempts from the outside (in iptables
parlance, "-j DROP").
----------------------------------------------------------------------
- Rick Stevens, Principal Engineer rstevens at internap.com -
- CDN Systems, Internap, Inc. http://www.internap.com -
- -
- Silence! Or I shall replace you with a very small shell script! -
- - The Wizard of OS -
----------------------------------------------------------------------
More information about the users
mailing list