
Re: blocking icmp...



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, May 27, 2003 at 10:51:15AM -0600, Gary Hennigan wrote:
> For a server I'd agree. For a home system I'm not sure there's any
> issue. 

Yeah, and you've never taken flak from your boss for sending a truck
out to go fix equipment that's functioning because everybody using the
equipment in question is blocking ICMP, making it impossible to see if
anything's making it to the "last mile."  Having done tech support for
@Home before, I can safely say people blocking ICMP cause support folk
more frustration and grief than walking a customer through
reinstalling a network adapter in Windows 2000 when the customer
doesn't know how to use a mouse.  Yes, I've had that happen, more than
once.

> I've been blocking all incoming, non-stateful, ICMP for a
> number of years on my cable-connected LAN and have never had a
> problem, but I don't run any type of globally accessible server.

Don't do this!  If you were on @Home, you are one of the people who
damaged me for life by doing this.  8:oP

> Personally, I'd rather make my presence on the 'net as hard to
> discover as possible. If you allow echo requests it's a simple matter
> for someone to run nmap, for example, to find out that a particular IP
> address is valid. If you block such messages any cracker will likely
> just move on to the next poor slob when your IP address doesn't show
> up on his nmap scan.

Better idea: Keep patched instead of relying on obscurity.

- -- 
 .''`.     Baloo Ursidae <baloo@ursine.dyndns.org>
: :'  :    proud Debian admin and user
`. `'`
  `-  Debian - when you have better things to do than fix a system
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+1F1RJ5vLSqVpK2kRAvYoAKDMF4Z4YyipdwjDQSvxgrZ/Skyd5gCg2o1U
2gU2Wn6AMp00JZD1RkwJeoI=
=GTG+
-----END PGP SIGNATURE-----


