Re: Ok to let all ICMP traffic through firewall?

From: Mark (nothere_at_notthere.com)
Date: 09/23/05

    Date: 22 Sep 2005 21:40:02 -0500
    
    

    <jameshanley39@yahoo.co.uk> wrote in message
    news:1127439270.085843.66150@z14g2000cwz.googlegroups.com...
    > and they'd still work fine if you allowed ICMPs. If allowing ICMPs
    > were dangerous then alarms would've been sent off long ago. ICMP has
    > been around for ages, there are no new developments to the ICMP
    > protocol. People that know all about how it works also know of no
    > alarms saying it can be attacked. People that know ICMP presumably
    > allow it because they know it's as dangerous as moving an icon slightly
    > (which might be very scary for a middle aged woman). (though against
    > me, perhaps an OS may rewrite the part that responds to ICMP and there
    > might be an exploit in their code, but similarly there may be an
    > exploit in their code that is rejecting ICMP)
    >
    > As that article argued, besides breaking RFCs and breaking the
    > protocols,
    >
    > Besides all those arguments in the article and the technical problems
    > with not responding to ICMP (just because your setup doesn't include
    > situations where you'll run into the problems, does not mean the
    > problems do not exist).
    >
    > Suppose you want to know if a computer is online. A safe way is to ping
    > it. you don't want to set up a service running on the computer and
    > connect to it. ping tests that other comps can communicate with the
    > comp. it's a necessary diagnostic test. What's the alternative?
    > user makes an outgoing connection? suppose he can't for some reason.
    > you want to know if he is online
    >
    > ping is a very convenient diagnostic tool.
    >

    Yes it is, ever heard of PING NMAP?

    Google it and security and firewalls.

