[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: pingd >> Should it be ported on Debian??

> > Anyway, the author of the site is working on a security focussed OS
> > based on Linux.  One of the "improvements" that he has made was a ping
> > deamon wich can be controlled via the TCP wrappers.

> I'm not sure I see any great benefit from it though - the kernel still has
> to understand ICMP (for port unreachables etc), so all it achieves is
> a few bits of ICMP response code from the kernel. ICMP filtering is doable
> ipchains etc anyway. Debian don't ship heavily patched kernels, so unless
> happened upstream it's unlikely to appear in Debian.

I'd say it's not worth doing because, TCP wrappers really is designed for
authorising connections, and with ICMP you do not have a TCP connection
between Source IP/port and Destination IP/port, so you cannot use ident or
similar.  It sounds a broken idea, you don't use wrappers for authorisation
of UDP protocols for instance, without the 3-way handshake there's no
defense against packets with spoofed source addresses.

But perhaps this daemon is actually  providing a  different service,
allowing test of inetd and higher levels of stack (not unknown for a machine
to respond to ping, even if it's hung).  Even then I'm not sure what value
it has, as if you run a web server for instance, your best check that it's
up and available, is to use expect(1) and telnet onto port 80.


Reply to: