October 14th, 2003, 09:49 PM
To allow or not to allow
A fellow worker and myself are having a debate over whether it is good or bad to allow ICMP echo requests (pings).
I can see blocking them to stop or prevent DDoS, but other than that what benefits are there to blocking them?
We are talking about the average home user BTW.
October 14th, 2003, 09:55 PM
Well, for the average home user, unless you have a server running, it won't matter. I mean you're doing nothing more than surfing the net, and unless you're tech savvy, you wouldn't know how to stop ICMP anyway.
October 14th, 2003, 10:03 PM
ICMP allows for someone to determine if a host(s) exist. Some people will not go further than pinging a machine for the purpose of determining if a host lives and if it has any ports open. IMHO, there is very little reason as to why one needs ping enabled. Certainly you can allow other ICMP types out for troubleshooting purposes or use other protocols but IMHO I don't see as much of a need for it today as previously.
Now, you can configure firewalls (like IPTables) to allow pings as responses from "legit" hosts (aka IRC servers and such -- offhand that's the only service I would see a reason for a ping) and as "return packets" from existing connections.
October 14th, 2003, 10:41 PM
1) Harder to map your internal network.
2) Worms like welchia/nachia will not attack a host unless it can ping it. No ping, no bling.
3) ICMP can be used to tunnel other data (see loki).
4) Many other major networks disable ICMP, making it of declining importance to you (you can't ping them, why then allow ping out).
5) ICMP can be used for DOS attacks; however, properly configured routers won't allow this to happen.
The big thing for me, in general, is that you don't really need it, so why allow it? If you are running or allowing something that you aren't using, someone will eventually come up with a way to use it against you, so why even leave it open?
October 14th, 2003, 10:57 PM
Well, it is really dependent on what is being firewalled. In an enterprise firewall setup (segregating networks/subnets etc...), I personally don't mind allowing ICMP requests through, as long as there is a strong enough justification (which usually there isn't!!). But if I do, it is only echo request/reply.
But for a personal firewall setup, I allow/disallow specific ICMP message types.
For example, I have set up firewall rules allowing the following ICMP types only:
INCOMING - Allow ICMP types 0, 3, 4, 11, 12, 14, 16, 18
OUTBOUND - Allow ICMP types 4, 8, 12, 13, 15, 17
Setting your firewall up this way will allow you to ping, nbtstat, tracert...but no one will be able to ping you, nbtstat you etc....
If you are interested in reading up on all of the ICMP message types, click here.
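The type lists from the post above written as iptables rules, with a check of which ICMP exchanges they permit. This is an added example, not the poster's configuration: the post does not name a firewall product, so iptables, the INPUT/OUTPUT chains and the final DROP of all other ICMP are assumptions. The script only prints the rules; it does not apply them.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables rules for the ICMP type lists
# quoted in the post. Assumed: Linux iptables, built-in INPUT/OUTPUT chains,
# and that every ICMP type not listed is dropped.

IN_TYPES="0 3 4 11 12 14 16 18"   # inbound list from the post
OUT_TYPES="4 8 12 13 15 17"       # outbound list from the post

# Emit one ACCEPT rule per listed type, then a catch-all DROP for other ICMP.
icmp_chain_rules() {
    chain=$1; shift
    for t in "$@"; do
        echo "iptables -A $chain -p icmp --icmp-type $t -j ACCEPT"
    done
    echo "iptables -A $chain -p icmp -j DROP"
}

icmp_rules() {
    icmp_chain_rules INPUT $IN_TYPES
    icmp_chain_rules OUTPUT $OUT_TYPES
}

# Succeeds if the generated ruleset accepts ICMP type $2 on chain $1.
allows() {
    icmp_rules | grep -q -x "iptables -A $1 -p icmp --icmp-type $2 -j ACCEPT"
}

# An exchange works only if both the request and the reply are accepted.
check() {
    desc=$1; req_chain=$2; req_type=$3; rep_chain=$4; rep_type=$5
    if allows "$req_chain" "$req_type" && allows "$rep_chain" "$rep_type"; then
        echo "works:   $desc"
    else
        echo "blocked: $desc"
    fi
}

report() {
    check "ping out (8 out, 0 in)"              OUTPUT 8  INPUT 0
    check "ping in (8 in, 0 out)"               INPUT 8   OUTPUT 0
    # Windows tracert sends echo requests and reads time-exceeded replies.
    check "tracert out (8 out, 11 in)"          OUTPUT 8  INPUT 11
    check "timestamp query out (13 out, 14 in)" OUTPUT 13 INPUT 14
}

icmp_rules
report
```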
October 15th, 2003, 02:35 AM
That's an interesting question indeed. My firewall blocks ICMPs every few minutes from my service provider (according to the backtrace). That's rather annoying since VisualZone blinks at me every couple of minutes or so after each ICMP attempt. That said, is there a way to disable ICMP beyond firewalling, and will it hurt anything to do so?
October 15th, 2003, 01:39 PM
Thanks for all the replies. I agree with the reasons to block it but IMHO it really doesn't matter if you're a normal home user. Our enterprise does block it but when I am at home playing my video games, I can care less if someone decides to ping me.
Thanks Soggy for the link. I am pretty familiar with the different ICMP packet types.
How is it harder to map an internal network if you're only blocking echo requests from the external network?