Re: internet connection tester script




On Fri, Jan 28, 2011 at 7:19 AM, John R Pierce <pierce@xxxxxxxxxxxx> wrote:
> On 01/28/11 3:28 AM, kellyremo wrote:
>> bix.hu and www.yahoo.com are "pingable" test sites.
>> 127.0.0.1 could not be pinged [firewall drops all icmp]
>
>
> what sort of firewall drops packets on localhost ?!?
>
> yahoo.com is probably a poor choice of targets, as it's a widely
> distributed group of servers, and you likely will be pinging different
> servers at different times, maybe even in different parts of the world.
> I would instead suggest using a target at your ISP or backbone provider.

But it's therefore *very* robust, and less likely to have a particular
host drop out.

If you'd like to be paranoid, it's sometimes handy to do a DNS lookup
first on your target, and ping the local gateway. Those steps can be
automated from your local network configuration, they can *read* your
local configuration so they work on all hosts you manage, and if
things start failing, you can then have it run a "traceroute" against
the target.

It also carries some classic attack vectors, such as the "smurf" attack.

> btw, dropping 'all icmp' is bad practice.  Internet Control Message
> Protocol is used for a number of things, including informing
> applications when a host or port is not accessible.  If you drop this,
> you instead hang for minutes waiting for a response instead of quickly
> getting back a 'target {host|port} not reachable' error.
>
> anyways, if you drop all ICMP, you won't get any pings from anywheres.

Yup. That's why it's common to drop at external firewalls and blocked
by NAT from reaching inside your network, to protect less thoroughly
protected and critical hosts from distributed denial of service (DDOS)
such as the now classic "ping flood" attack. There is generally no
good reason to allow external ICMP packets into your local network,
except maybe to allow an external monitoring system or VPN connection
to verify the presence of a few exposed hosts.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
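
The layered check described in the reply above (ping the gateway read from the host's own routing table, resolve the target, ping it, and run traceroute only when that last step fails), as an added example that is not part of the original thread. The function names, the `CONNTEST_TARGET` variable and the result labels are assumptions.

```shell
#!/bin/sh
# Added example: layered connectivity test for a Linux host (iproute2, iputils).

# Print the default gateway from `ip route` style text on stdin.
# Prints nothing when there is no "default via <addr>" entry.
gateway_from_routes() {
    while read -r dest via gw _rest; do
        if [ "$dest" = "default" ] && [ "$via" = "via" ]; then
            echo "$gw"
            return 0
        fi
    done
}

# Classify the fault from three exit codes (0 = ok, non-zero = failed).
# Args: gateway_ping dns_lookup target_ping
classify() {
    if [ "$1" -ne 0 ]; then echo "gateway-unreachable"
    elif [ "$2" -ne 0 ]; then echo "dns-failure"
    elif [ "$3" -ne 0 ]; then echo "target-unreachable-or-icmp-filtered"
    else echo "ok"
    fi
}

check_connection() {
    target=$1
    # Read the gateway from local configuration so the script is portable
    # across managed hosts instead of hard-coding an address.
    gw=$(ip route show default | gateway_from_routes)
    gw_rc=1; dns_rc=1; ping_rc=1
    [ -n "$gw" ] && ping -c 2 -W 2 "$gw" >/dev/null 2>&1 && gw_rc=0
    getent hosts "$target" >/dev/null 2>&1 && dns_rc=0
    ping -c 2 -W 2 "$target" >/dev/null 2>&1 && ping_rc=0
    result=$(classify "$gw_rc" "$dns_rc" "$ping_rc")
    echo "$target: $result (gateway ${gw:-none})"
    # A failed ping alone cannot tell an outage from an ICMP filter on the
    # path, so trace the route only when gateway and DNS both worked.
    if [ "$result" = "target-unreachable-or-icmp-filtered" ]; then
        traceroute -n -w 2 -m 15 "$target" 2>&1
    fi
    [ "$result" = "ok" ]
}

# Runs only when a target is supplied, e.g.:
#   CONNTEST_TARGET=www.example.com sh conntest.sh
if [ -n "${CONNTEST_TARGET:-}" ]; then
    check_connection "$CONNTEST_TARGET"
fi
```

A gateway that itself drops ICMP will be reported as `gateway-unreachable` even though traffic passes, so on such networks treat that label as a hint rather than a verdict.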