Re: Ok to let all ICMP traffic through firewall?

From: Hairy One Kenobi (abuse_at_[127.0.0.1)
Date: 09/23/05


Date: Thu, 22 Sep 2005 23:48:58 GMT


"Leythos" <void@nowhere.lan> wrote in message
news:MPG.1d9d059680e4dd98a0fd@news-server.columbus.rr.com...
> In article <433331d9$0$32652$da0feed9@news.zen.co.uk>,
> abuse@dopiaza.cabal.org.uk says...
> > Franklin <no_thanks@mail.com> wrote:
> > > My question is Should a firewall let all ICMP traffic through
> > > because there is no real risk if they do?

<snip>

> You don't
> need to allow PING, in fact why the heck would you want to allow PING,
> it's not like it's a valid test that your network is alive - we've got
> tons of commercial networks that block PING and none of the users even
> notice.

Undoubtedly the case. Although one could quote lots of instances where it's
been damned useful.

Well, *I* certainly can - usually when the web server has had a bit of a
funny turn, and one needs to tell if it's the server behind the firewall
(fat chance of fixing something from an adjacent continent), or whether it's
the ISP playing silly buggers with the connection (marginally more hope of
getting something sorted).

As goes firewalls - I'm sure that most have already seen it, but:
http://www.dilbert.com/comics/dilbert/archive/images/dilbert2813960050912.gif

-- 
Hairy One Kenobi
Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!

