On Tuesday 2005-October-25 12:32, Askar Ali wrote:
> I have a very simple question, presently we are blocking icmp
> "ping" on our servers. But as far as I can understand it's not very
> good practice or providing a good security by blocking ping request.

I agree. Blocking pings is like shooting yourself in the foot. You
never know when you will need ping. Some think it's a good idea to
try to hide. Rubbish, if you have any open services, the bots and
worms will find you anyway.

> see one can ping www.xyz.com and get the reply back.
>
> However before allowing ping "echo-request" I just want to confirm
> whether doing ...
>
> iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
>
> would be enough or doing some rate limiting would be better?

I think a reasonable --limit is not a bad idea, but there is no
objective measurement of "better". I use a --limit on incoming ping
requests. It might help in the event of a flood ping attack, and you
can still ping to verify your connectivity when you need it.
-- 
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
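
The --limit approach discussed above, as an added example that is not part of the original message: a rate-limited ACCEPT followed by the DROP that makes the limit effective, plus a small token-bucket model of how the limit match treats normal pings versus a flood. The 5/second rate, the burst of 10, the IPT variable and both function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example. The 5/second rate and burst of 10 are illustrative values,
# not taken from the thread.

# Print (dry run) or apply the rule pair. Packets over the limit do not match
# the ACCEPT rule and fall through, so the DROP after it enforces the limit.
# Hypothetical IPT variable: unset = print only; IPT=iptables as root = apply.
ping_limit_rules() {
    rate=$1 burst=$2
    case ${rate%%/*} in ''|*[!0-9]*) echo "bad rate: $rate" >&2; return 1;; esac
    case ${rate#*/} in second|minute|hour|day) ;; *) echo "bad unit: $rate" >&2; return 1;; esac
    ${IPT:-echo iptables} -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit "$rate" --limit-burst "$burst" -j ACCEPT
    ${IPT:-echo iptables} -A INPUT -p icmp --icmp-type echo-request -j DROP
}

# Token-bucket model of the limit match: the bucket starts with $burst tokens,
# regains one token every 1000/per_sec ms (capped at $burst), and each
# accepted packet costs one token.
# Args: per_sec burst gap_ms count -> prints how many packets were accepted.
simulate_limit() {
    per_sec=$1 burst=$2 gap_ms=$3 count=$4
    refill_ms=$((1000 / per_sec))
    tokens=$burst credit_ms=0 accepted=0 i=0
    while [ "$i" -lt "$count" ]; do
        if [ "$i" -gt 0 ]; then
            credit_ms=$((credit_ms + gap_ms))
            tokens=$((tokens + credit_ms / refill_ms))
            credit_ms=$((credit_ms % refill_ms))
            if [ "$tokens" -gt "$burst" ]; then tokens=$burst; credit_ms=0; fi
        fi
        if [ "$tokens" -gt 0 ]; then
            tokens=$((tokens - 1)); accepted=$((accepted + 1))
        fi
        i=$((i + 1))
    done
    echo "$accepted"
}

ping_limit_rules 5/second 10
echo "1 ping/s, 20 sent:       $(simulate_limit 5 10 1000 20) accepted"
echo "1000 pings/s, 3000 sent: $(simulate_limit 5 10 1 3000) accepted"
```

The model shows the trade-off described in the reply: an ordinary one-per-second ping is never throttled, while a three-second flood gets only the initial burst plus the refill rate through.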