Hi Rob,

would you pls share your iptables rules that deal with incoming pings?

On 10/26/05, /dev/rob0 <rob0@xxxxxxxxx> wrote:
> On Tuesday 2005-October-25 12:32, Askar Ali wrote:
> > I have a very simple question, presently we are blocking icmp
> > "ping" on our servers. But as far as I can understand it's not very
> > good practice or providing a good security by blocking ping request.
>
> I agree. Blocking pings is like shooting yourself in the foot. You
> never know when you will need ping. Some think it's a good idea to try
> to hide. Rubbish, if you have any open services, the bots and worms
> will find you anyway.
>
> > see one can ping www.xyz.com and get the reply back.
> >
> > However Before allowing ping "echo-request" I just want to confirm
> > whether doing ...
> >
> > iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
> >
> > would be enough or doing some rate limiting would be better?
>
> I think a reasonable --limit is not a bad idea, but there is no
> objective measurement of "better". I use a --limit on incoming ping
> requests. It might help in the event of a flood ping attack, and you
> can still ping to verify your connectivity when you need it.
> --
> mail to this address is discarded unless "/dev/rob0"
> or "not-spam" is in Subject: header
>
>

--
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
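
The rate limiting discussed in the thread, as an added example that is not part of the original messages and is not rob's rule set: a simplified Python model of how the iptables `limit` match (a token bucket) treats echo-requests during normal use and during a flood. The rate of 1/second, the burst of 5, the sample traffic and all function names are assumptions made for illustration.

```python
# Added example (not from the thread). Simplified model of the iptables "limit"
# match, a token bucket shared by every source that hits the rule, for:
#   iptables -A INPUT -p icmp --icmp-type echo-request \
#            -m limit --limit 1/second --limit-burst 5 -j ACCEPT
#   iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# The 1/second rate and burst of 5 are assumed values.

def simulate_limit(packets, rate_per_sec=1.0, burst=5):
    """packets: (arrival_time_seconds, source_label) pairs.
    Returns {source_label: [accepted, dropped]}."""
    credit = float(burst)              # bucket starts full
    last = None
    stats = {}
    for t, src in sorted(packets):
        if last is not None:           # refill for elapsed time, capped at burst
            credit = min(float(burst), credit + (t - last) * rate_per_sec)
        last = t
        counts = stats.setdefault(src, [0, 0])
        if credit >= 1.0:
            credit -= 1.0
            counts[0] += 1             # limit rule matches -> ACCEPT
        else:
            counts[1] += 1             # falls through to the DROP rule
    return stats

def admin_pings(seconds=10):
    # Constructed sample: one legitimate ping per second, offset by 0.5 s
    return [(i + 0.5, "admin") for i in range(seconds)]

def flood_pings(seconds=10, pps=100):
    # Constructed sample: a single source sending 100 echo-requests per second
    return [(i / pps, "flood") for i in range(seconds * pps)]

def quiet_case():
    return simulate_limit(admin_pings())

def flood_case():
    return simulate_limit(admin_pings() + flood_pings())

if __name__ == "__main__":
    print("quiet:", quiet_case())
    print("flood:", flood_case())
```

In the flood case the bucket is shared by all senders, so the legitimate pings are dropped along with the excess flood traffic; the `hashlimit` match keeps a separate bucket per source where that matters.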