Re: icmp filtering (was: ssh tunneling)

To: debian-user@lists.debian.org
Subject: Re: icmp filtering (was: ssh tunneling)
From: Derrick 'dman' Hudson <dman@dman13.dyndns.org>
Date: Tue, 26 Aug 2003 16:54:06 -0400
Message-id: <[🔎] 20030826205406.GA7860@dman13.dyndns.org>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] 20030826184032.GA26910@doorstop.net>
References: <[🔎] C49522BBA18FD6118D7900A0C92BB5917B49B9@CCIA_PDC> <[🔎] big059$5s7$1@sea.gmane.org> <[🔎] 20030826184032.GA26910@doorstop.net>

On Tue, Aug 26, 2003 at 11:40:32AM -0700, Vineet Kumar wrote:
| * P. Kallakuri (praveen@unlserve.unl.edu) [030826 11:06]:
| > by default ICMP traffic is disabled and when i setup a firewall in our 
| > research lab about 3 years back, thats how i left it. our research 
| > machines were open on the internet when we got a series of nasty 
| > infiltration attempts. i could not figure out why someone would do that 
| > with research computers in the university system. anyways we had years 
| > of valuable research data on the machines that were being compromised, 
| > so i (having got nothing to do with networking or administration) read 
| > about and setup this gateway/firewall. i was aware that disabling ICMP 
| > would keep outside machines wondering whatever happened to their 
| > traffic. but if thats what it takes to keep out some guy who runs a 
| > "find-all-live-hosts" discovery script (thats how most of the machines 
| > in our university system were hacked into), then we have to do it. our 
| > tech guys really don't bother about research networks. but really if 
| > there is a more effective mechanizm to keep intruders from knowing 
| > whether a hack-candidate exists, i would be more than willing to do that.
| 
| This practice of trying to become invisible is known as "security
| through obscurity".  There is no inherent danger in being pingable, and
| there is no inherent security in not being pingable.  There are myriad
| other ways to tell if a host is up on a given address.

Correct.

| (An ICMP ping

('ping' is the program.  The ICMP packet is an "Echo Request".)

ping is just _one_ usage of ICMP.  ICMP consists of many different
types of packets.  If you really want to block echo requests, you can
do that without blocking the rest of the IMCP packets.

-D

-- 
The heart is deceitful above all things
    and beyond cure.
    Who can understand it?
 
I the Lord search the heart
    and examine the mind,
to reward a man according to his conduct,
    according to what his deeds deserve.
 
        Jeremiah 17:9-10
 
http://dman13.dyndns.org/~dman/

Attachment: pgprDMzLlHKYm.pgp
Description: PGP signature

Reply to:

References:
- RE: ssh tunneling
  - From: "Joyce, Matthew" <MJoyce@ccia.org.au>
- Re: ssh tunneling
  - From: "P. Kallakuri" <praveen@unlserve.unl.edu>
- icmp filtering (was: ssh tunneling)
  - From: Vineet Kumar <debian-user@virtual.doorstop.net>

Prev by Date: Re: telnet localhost slow, telnet 127.0.0.1 ok
Next by Date: Anyone packaging this yet?
Previous by thread: icmp filtering (was: ssh tunneling)
Next by thread: Re: ssh tunneling
Index(es):
- Date
- Thread