* Allowing ping
@ 2005-10-25 17:32 Askar Ali
From: Askar Ali @ 2005-10-25 17:32 UTC
To: netfilter
hi list,
I have a very simple question. Presently we are blocking ICMP
"ping" on our servers. But as far as I can understand, it's not very good
practice, or providing good security, to block ping requests. See, one
can ping www.xyz.com and get the reply back.
However, before allowing ping "echo-request" I just want to confirm
whether doing ...
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
would be enough or doing some rate limiting would be better?
Any help in this regard will be greatly appreciated.
regards
Askar Ali
* Re: Allowing ping
From: /dev/rob0 @ 2005-10-26 15:55 UTC
To: netfilter
On Tuesday 2005-October-25 12:32, Askar Ali wrote:
> I have a very simple question. Presently we are blocking ICMP
> "ping" on our servers. But as far as I can understand, it's not very
> good practice, or providing good security, to block ping requests.
I agree. Blocking pings is like shooting yourself in the foot. You
never know when you will need ping. Some think it's a good idea to try
to hide. Rubbish, if you have any open services, the bots and worms
will find you anyway.
> See, one can ping www.xyz.com and get the reply back.
>
> However, before allowing ping "echo-request" I just want to confirm
> whether doing ...
>
> iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
>
> would be enough or doing some rate limiting would be better?
I think a reasonable --limit is not a bad idea, but there is no
objective measurement of "better". I use a --limit on incoming ping
requests. It might help in the event of a flood ping attack, and you
can still ping to verify your connectivity when you need it.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
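rob0 says he uses a --limit on incoming echo requests but does not post the rules. The script below is an added example, not from any poster on this thread, showing one way to express that with the iptables "limit" match: the rate (1/second) and burst (5) are assumed illustrative defaults, and IPTABLES can be pointed at "echo iptables" to review the rules without touching a live firewall.

```shell
#!/bin/sh
# Added example (not from any poster): accept ICMP echo-request at a
# bounded rate using the iptables "limit" match, drop the excess.
# Assumes iptables with the limit and state matches available.
IPTABLES="${IPTABLES:-iptables}"          # set to "echo iptables" to dry-run
PING_LIMIT="${PING_LIMIT:-1/second}"      # average refill rate of the bucket
PING_BURST="${PING_BURST:-5}"             # initial bucket size (tokens)

# Emit the INPUT rules, one per line, so they can be reviewed or applied.
ping_rules() {
    # limit is a token bucket: the first PING_BURST echo-requests match
    # immediately, afterwards one more token per PING_LIMIT interval.
    echo "-A INPUT -p icmp --icmp-type echo-request -m limit --limit $PING_LIMIT --limit-burst $PING_BURST -j ACCEPT"
    # Requests that find the bucket empty fall through to this rule.
    # DROP rather than REJECT so a flood does not make the host emit ICMP errors.
    echo "-A INPUT -p icmp --icmp-type echo-request -j DROP"
    # Replies to pings this host sent itself are known to conntrack; accept them.
    echo "-A INPUT -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Apply each rule with $IPTABLES. Word splitting of $rule is intentional.
apply_ping_rules() {
    ping_rules | while read -r rule; do
        # shellcheck disable=SC2086
        $IPTABLES $rule
    done
}

# Only touch the firewall when explicitly asked: sh ping-limit.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_ping_rules
fi
```

Two caveats when using this. The rules are appended with -A, so they must come before any catch-all DROP or REJECT at the end of INPUT, or they never match. And the limit match keeps one global bucket, not one per source address, so a single host sending a flood empties the bucket for everyone; that is the sense in which a --limit only marginally helps during an attack, since the packets still arrive at the NIC either way. On newer iptables the same state rule is normally written with -m conntrack --ctstate instead of -m state.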
* RE: Allowing ping
From: Pablo Sanchez @ 2005-10-26 15:59 UTC
To: /dev/rob0, netfilter
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org]On Behalf Of /dev/rob0
> Sent: Wednesday, October 26, 2005 11:56 AM
> To: netfilter@lists.netfilter.org
> Subject: Re: Allowing ping
>
> I think a reasonable --limit is not a bad idea, but there is no
> objective measurement of "better". I use a --limit on incoming ping
> requests. It might help in the event of a flood ping attack, and you
> can still ping to verify your connectivity when you need it.
I believe it marginally helps during an attack. If you're DDoS'd, the packets are still reaching your NIC, so you're kinda hosed anyway.
---
Pablo Sanchez - Blueoak Database Engineering, Inc
Ph: 819.459.1926 Toll free: 888.459.1926
Cell: 819.664.9118 Pgr: pablo_p@blueoakdb.com
Fax: 603.720.7723 (US) Fax: 514.371.1255 (Canada)
* Re: Allowing ping
From: Askar @ 2005-10-26 16:24 UTC
To: netfilter
hi rob,
would you please share your iptables rules that deal with incoming pings?
On 10/26/05, /dev/rob0 <rob0@gmx.co.uk> wrote:
> On Tuesday 2005-October-25 12:32, Askar Ali wrote:
> > I have a very simple question. Presently we are blocking ICMP
> > "ping" on our servers. But as far as I can understand, it's not very
> > good practice, or providing good security, to block ping requests.
>
> I agree. Blocking pings is like shooting yourself in the foot. You
> never know when you will need ping. Some think it's a good idea to try
> to hide. Rubbish, if you have any open services, the bots and worms
> will find you anyway.
>
> > See, one can ping www.xyz.com and get the reply back.
> >
> > However, before allowing ping "echo-request" I just want to confirm
> > whether doing ...
> >
> > iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
> >
> > would be enough or doing some rate limiting would be better?
>
> I think a reasonable --limit is not a bad idea, but there is no
> objective measurement of "better". I use a --limit on incoming ping
> requests. It might help in the event of a flood ping attack, and you
> can still ping to verify your connectivity when you need it.
> --
> mail to this address is discarded unless "/dev/rob0"
> or "not-spam" is in Subject: header
>
>
--
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)