On Wed, 2007-12-05 at 16:00 -0800, Daniel B. Thurman wrote:
> Craig White wrote:
>
> >Sent: Wednesday, December 05, 2007 3:33 PM
> >To: For users of Fedora
> >Subject: Re: Questions about ICMP
> >
> >
> >On Wed, 2007-12-05 at 15:27 -0800, Daniel B. Thurman wrote:
> >> Should ICMP packets be allowed both over the
> >> Internet or should it be allowed to pass only in
> >> the local networks?
> >>
> >> I have a firewall appliance and trying to make sure
> >> that I am being secured properly.
> >----
> >disabling icmp echo requests is a great feature for the ultra-paranoid
> >
> >Craig
> >
> >--
>
> So... am I to read this as it is a good idea to disable all icmp
> requests? I get a LOT of ICMP requests from the Internet probing
> at my ports, which are disabled. This is a good idea?

There is no reason for people to ICMP you unless they're just snooping
to see what IPs are in use--and that can indicate an oncoming hack
attempt.

It is a very good idea to turn it off. I do...at least at my
router/firewall. The Internet doesn't need to know I'm there.
Internally I leave it enabled so I can verify my machines are alive
(that and SNMP stuff). So if you're on my private network, pings are
OK. I ignore attempts from the outside (in iptables parlance,
"-j DROP").

----------------------------------------------------------------------
- Rick Stevens, Principal Engineer             rstevens@xxxxxxxxxxxx -
- CDN Systems, Internap, Inc.                http://www.internap.com -
-                                                                    -
-   Silence! Or I shall replace you with a very small shell script!  -
-                                                - The Wizard of OS  -
----------------------------------------------------------------------
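The policy described in the reply above (pings accepted from the private network, echo requests arriving from the outside dropped with "-j DROP"), written out as iptables rules. This is an added example, not part of the original message; the interface name, the LAN range, the `apply_icmp_policy` helper and the `IPT` override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Interface and network values passed
# to apply_icmp_policy are assumptions; substitute your own.
# Set IPT to another command to print the rules instead of applying them.
IPT="${IPT:-iptables}"

apply_icmp_policy() {
    ext_if="$1"     # Internet-facing interface (assumed, e.g. eth0)
    lan_cidr="$2"   # private network range (assumed, e.g. 192.168.1.0/24)

    if [ -z "$ext_if" ] || [ -z "$lan_cidr" ]; then
        echo "usage: apply_icmp_policy EXT_IF LAN_CIDR" >&2
        return 2
    fi

    # Pings from the private network, arriving on any interface other than
    # the external one, are accepted so internal hosts can check liveness.
    $IPT -A INPUT ! -i "$ext_if" -s "$lan_cidr" \
        -p icmp --icmp-type echo-request -j ACCEPT || return 1

    # Echo requests arriving on the external interface are silently
    # dropped, both those addressed to the firewall itself (INPUT) and
    # those that would be routed on to hosts behind it (FORWARD).
    $IPT -A INPUT -i "$ext_if" \
        -p icmp --icmp-type echo-request -j DROP || return 1
    $IPT -A FORWARD -i "$ext_if" \
        -p icmp --icmp-type echo-request -j DROP || return 1

    # Only echo-request is matched here. Other ICMP types are left to
    # whatever the rest of the ruleset decides.
}

# Example call (needs root): apply_icmp_policy eth0 192.168.1.0/24
```

Rule order matters because iptables stops at the first match: the LAN accept rule is appended before the drop rules, and `iptables -L -v -n` shows the per-rule packet counters that confirm which rule outside probes are hitting.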