Re: Which port to block for ping, and how?

From: Anthony Campbell (
Date: 12/19/03

Date: 19 Dec 2003 20:10:22 GMT

On 2003-12-19, Tim Haynes <> wrote:
> Anthony Campbell <> writes:
> [snip]
>>> The same goes for the destination-unreachable and time-exceeded rules;
>>> they're all consumed within RELATED. There's no reason why you should
>>> accept them as new from random hosts; for all I know, opening yourself
>>> up to destination-unreachable packets means you'll have to handle them
>>> as part of a DoS.
>> I suppose my problem is not knowing how much I am achieving at present in
>> terms of protection (reflection of my ignorance, obviously).
> Blocking everything apart from stuff you ask for. That's the normal way
> around.
>> I'm rather perturbed by the failure to block pinging; it seems to mean I
>> ought to do something more, but what?
> No, it means you should check what you've got open that's allowing it,
> because the default is to drop everything.
> ~Tim

I just closed everything but ping still gets through:

ac:~:$ sudo nmap localhost

Starting nmap 3.48 ( ) at 2003-12-19 20:08 GMT
All 1657 scanned ports on localhost ( are: closed

Nmap run completed -- 1 IP address (1 host up) scanned in 2.333 seconds

Using Linux GNU/Debian - Windows-free zone (book reviews and articles)
Email: replace "www." with "ac@"
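As an added example, not from the thread, here is the "block everything apart from stuff you ask for" INPUT policy Tim describes, written for iptables with the state match (the tool name and the DRY_RUN variable are assumptions). RELATED covers the destination-unreachable and time-exceeded replies, so no separate accept rule is needed for them, and unsolicited echo-requests fall to the DROP policy.

```shell
#!/bin/sh
# Added example: default-drop INPUT chain for iptables (not the poster's ruleset).
# IPT and DRY_RUN are assumptions of this example; DRY_RUN=1 prints the commands
# instead of executing them so the policy can be reviewed without root.
IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

apply_input_policy() {
    # Set the policy before flushing so there is no window where everything is accepted.
    run -P INPUT DROP
    run -F INPUT
    # Loopback is trusted; note this means 'nmap localhost' never exercises the rules below.
    run -A INPUT -i lo -j ACCEPT
    # Replies to traffic we asked for, including ICMP errors tied to our own connections
    # (destination-unreachable, time-exceeded), are matched here as ESTABLISHED or RELATED.
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -m state --state INVALID -j DROP
    # The DROP policy already discards unsolicited echo-requests; this explicit rule only
    # gives a counter in 'iptables -L INPUT -v -n' showing whether pings are arriving.
    run -A INPUT -p icmp --icmp-type echo-request -m state --state NEW -j DROP
}

# Usage: 'DRY_RUN=1 sh policy.sh show' to print, 'sudo sh policy.sh apply' to install.
case "${1:-}" in
    show)  DRY_RUN=1; apply_input_policy ;;
    apply) apply_input_policy ;;
esac
```

Test the policy from a second host, since a scan of localhost only hits the loopback accept rule.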