Re: Allowing ping


 



hi rob

would you pls share your iptables rules dealing with incoming pings?


On 10/26/05, /dev/rob0 <rob0@xxxxxxxxx> wrote:
> On Tuesday 2005-October-25 12:32, Askar Ali wrote:
> > I have a very simple question, presently we are blocking icmp
> > "ping" on our servers. But as far as I can understand it's not very
> > good practice or providing a good security by blocking ping request.
>
> I agree. Blocking pings is like shooting yourself in the foot.  You
> never know when you will need ping. Some think it's a good idea to try
> to hide. Rubbish, if you have any open services, the bots and worms
> will find you anyway.
>
> > see one can ping www.xyz.com and get the reply back.
> >
> > However Before allowing ping "echo-request" I just want to confirm
> > whether doing ...
> >
> > iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
> >
> > would be enough or doing some rate limiting would be better?
>
> I think a reasonable --limit is not a bad idea, but there is no
> objective measurement of "better". I use a --limit on incoming ping
> requests. It might help in the event of a flood ping attack, and you
> can still ping to verify your connectivity when you need it.
> --
>     mail to this address is discarded unless "/dev/rob0"
>     or "not-spam" is in Subject: header
>
>


--
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
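
An added example, not part of the original thread and not /dev/rob0's own rules: a small script that prints a rate-limited echo-request rule pair of the kind discussed above. The 5/second rate, burst of 10, the function name and the PING_RATE/PING_BURST variables are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example: print iptables rules that rate-limit incoming pings.
# Rate, burst and chain defaults are assumed values, not from the thread.

ping_limit_rules() {
    rate=${1:-5/second}    # average accepted echo-requests
    burst=${2:-10}         # packets accepted before the average applies
    chain=${3:-INPUT}

    # Validate input so a typo never reaches a firewall command.
    case ${rate%%/*} in
        ''|*[!0-9]*) echo "bad rate: $rate" >&2; return 1 ;;
    esac
    case ${rate#*/} in
        second|minute|hour|day) ;;
        *) echo "bad rate unit: $rate" >&2; return 1 ;;
    esac
    case $burst in
        ''|*[!0-9]*|0) echo "bad burst: $burst" >&2; return 1 ;;
    esac
    case $chain in
        ''|*[!A-Za-z0-9_-]*) echo "bad chain: $chain" >&2; return 1 ;;
    esac

    # Rule 1: accept echo-requests while the token bucket has credit.
    echo "iptables -A $chain -p icmp --icmp-type echo-request" \
         "-m limit --limit $rate --limit-burst $burst -j ACCEPT"
    # Rule 2: the limit match only stops rule 1 from matching; packets over
    # the limit fall through, so drop them explicitly or a later ACCEPT rule
    # (or an ACCEPT policy) would still let the flood in.
    echo "iptables -A $chain -p icmp --icmp-type echo-request -j DROP"
}

# Print the rules for review; pipe the output to sh as root to apply them.
ping_limit_rules "${PING_RATE:-5/second}" "${PING_BURST:-10}"
```

The limit match keeps one token bucket per rule, not per source address, so a single flooding host can use up the budget and legitimate pings are dropped along with the flood until it stops.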


