Mailing List Archive



Re: [tlug] Ping vs www server



On 19/04/2008, Stephen J. Turnbull <stephen@example.com> wrote:
> Josh Glover writes:
>
>   > Looking down the list of ICMP message types on p71 of TCP/IPI:VI[1], I
>   > see very little that is used by modern routing protocols.
>
> Look, let's put it this way.  If you block ICMP, you're not part of
>  the solution, you're part of the problem, because you are saying "I'm
>  going to *use* the Internet, but not *be part of* it."

Wait for it...

>  As I wrote earlier, *if* you walk that
>  walk (i.e., your internal hosts do not have access to the Internet
>  except via application gateways which do implement the RFCs), no
>  problem.

This is my situation indeed. Were I responsible for gateways, I'd
allow ICMP to the gateways themselves (including echo), but not behind
them.

>  But the policy of allowing ports 25 and 80 through to
>  internal servers, while blocking ICMP, is evil.

Yeah, no ports are open through to machines on my local network, and I
don't control the NATting gateway.

Sorry, I should be more clear about what I am advocating and why. Here it is:

1. Private machines should drop all ICMP on the floor, because if it
gets through the gateway, it does not belong on the local network
anyway.
2. Public servers should drop echo message types (0, IIRC) on the
floor while dealing with the rest of ICMP.
3. Gateways should play the full ICMP game (including echo), but not
allow it past them.

Note that my opinion for (2) was changed during this thread by the
knowledge that ICMP does still have something to do on the Internet,
which I thought was not really the case any more.

I agree with everything you say about standards compliance, of course.
But I also think that security concerns must trump standards
compliance most of the time.

-- 
Cheers,
Josh

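The three-role policy Josh lists above, written out as a small packet-filter model. This is an added example, not code from the thread or from TLUG: it builds constructed IPv4/ICMP packets, parses and checksum-verifies them, and returns the verdict each role would give on its input chain and, for the gateway, on its forward chain. Type numbers follow RFC 792 (echo request is type 8, echo reply is type 0, destination unreachable is type 3 with code 4 meaning fragmentation needed); the 192.0.2.x addresses and the `build_packet`/`parse_icmp`/`decide` names are the example's own.

```python
"""Model of the three ICMP filtering policies from the post, applied to
constructed IPv4/ICMP packets. Added example, not from the original thread."""
import struct

# ICMP type numbers from RFC 792 / IANA.
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3       # code 4 = fragmentation needed (PMTU discovery)
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11     # what traceroute relies on
ECHO_TYPES = {ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(icmp_type: int, code: int = 0, payload: bytes = b"") -> bytes:
    """Constructed IPv4 datagram carrying one ICMP message (test input only).
    Source/destination 192.0.2.1 -> 192.0.2.2 are documentation addresses."""
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    # Version 4, IHL 5, TTL 64, protocol 1 (ICMP); IP header checksum left 0.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + icmp


def parse_icmp(packet: bytes):
    """Return (type, code) for a well-formed IPv4 ICMP datagram, else None.
    Non-ICMP protocols, short packets and bad ICMP checksums all give None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 8 or packet[9] != 1:
        return None
    icmp = packet[ihl:]
    # Summing the message with its checksum field in place must give zero.
    if icmp_checksum(icmp) != 0:
        return None
    return icmp[0], icmp[1]


def decide(role: str, chain: str, packet: bytes) -> str:
    """Verdict for one ICMP packet.

    role:  'private' (host behind the gateway), 'public' (Internet-facing
           server) or 'gateway'.
    chain: 'input' (packet addressed to this machine) or 'forward'
           (packet transiting a gateway to the network behind it).
    Returns 'ACCEPT', 'DROP', or 'NOT_ICMP' when other rules should apply.
    """
    parsed = parse_icmp(packet)
    if parsed is None:
        return "NOT_ICMP" if len(packet) >= 20 and packet[9] != 1 else "DROP"
    icmp_type, _code = parsed
    if role == "private":
        return "DROP"                       # policy 1: every ICMP type
    if role == "public":
        # policy 2: no echo in either direction, everything else handled
        return "DROP" if icmp_type in ECHO_TYPES else "ACCEPT"
    if role == "gateway":
        if chain == "forward":
            return "DROP"                   # policy 3: nothing passes through
        return "ACCEPT"                     # policy 3: gateway itself answers all
    raise ValueError("unknown role %r" % role)


if __name__ == "__main__":
    frag_needed = build_packet(ICMP_DEST_UNREACH, 4)
    for role, chain in (("private", "input"), ("public", "input"),
                        ("gateway", "input"), ("gateway", "forward")):
        print(role, chain,
              "echo-request:", decide(role, chain, build_packet(ICMP_ECHO_REQUEST)),
              "frag-needed:", decide(role, chain, frag_needed))
```

When the same policy is written as an nftables ruleset, policy 2 is the rule `icmp type { echo-request, echo-reply } drop` placed before a rule that accepts the remaining ICMP, and policy 3's "not past them" lives in the gateway's forward chain rather than its input chain, which is why the model keeps the two chains apart.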
