Re: Ok to let all ICMP traffic through firewall?
From: Hairy One Kenobi (abuse_at_[127.0.0.1)
Date: 09/24/05
- Next message: Chris: "Re: Ok to let all ICMP traffic through firewall?"
- Previous message: Bob Eager: "Re: Ok to let all ICMP traffic through firewall?"
- In reply to:(deleted message) Leythos: "Re: Ok to let all ICMP traffic through firewall?"
- Next in thread: Leythos: "Re: Ok to let all ICMP traffic through firewall?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 24 Sep 2005 13:07:04 GMT
"Leythos" <void@nowhere.lan> wrote in message
news:MPG.1d9d1560b23ca33698a0fe@news-server.columbus.rr.com...
> In article <KpHYe.4417$_56.2350@newsfe1-win.ntli.net>, abuse@[127.0.0.1]
> says...
<snip>
> > Undoubtedly the case. Although one could quote lots of instances where
it's
> > been damned useful.
> >
> > Well, *I* certainly can - usually when the web server has had a bit of a
> > funny turn, and one needs to tell if it's the server behind the firewall
> > (fat chance of fixing something from an adjacent continent), or whether
it's
> > the ISP playing silly buggers with the connection (marginally more hope
of
> > getting something sorted).
> >
> > As goes firewalls - I'm sure that most have already seen it, but:
> >
http://www.dilbert.com/comics/dilbert/archive/images/dilbert2813960050912.gif
>
> Funny, I don't expose our servers to Ping, and I seem to be able to
> monitor them all the time. If I need to expose PING to an external
> source I expose it to a specific IP and block all others.
I should have clarified (thought that it was clear from the context.. ah
well ;o)
This is monitorin my services from *outside* of the network.
Like most non-ISPs, I don't have a dedicated 24x7 staff to monitor systems
(this is a home network, before someone starts slinging companies that *do*
have this requirement).
On the Ping front, you'll find that the companies that you're hosting
(assuming that's what your part of the network does) are unlikely to appear
on many search engines - at least, that *used* to be the case - a "cheap"
PING before even attempting an HTTP GET.
Together, those made a pretty compelling case for me to switch ICMP back
on - I didn't (and still don't) see it as a major way threat to my firewall
(and, after all, that's as far as the packet's going to get, right?
Certainly not into the DMZ...)
H1K
- Next message: Chris: "Re: Ok to let all ICMP traffic through firewall?"
- Previous message: Bob Eager: "Re: Ok to let all ICMP traffic through firewall?"
- In reply to:(deleted message) Leythos: "Re: Ok to let all ICMP traffic through firewall?"
- Next in thread: Leythos: "Re: Ok to let all ICMP traffic through firewall?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
