cannot connect

Mark Andrews Mark_Andrews at
Fri Sep 29 23:04:20 UTC 2006

> In article <efi6t1$1hh7$1 at>,
>  Mark Andrews <Mark_Andrews at> wrote:
> > > Ping is generally a bad connection test. It uses ICMP which most firewall
> s 
> > > wi
> > > ll
> > > block.
> > 
> > 	Any sane firewall will accept ICMP.  TCP and UDP don't
> > 	operate correctly if you block ICMP.
> > 
> > 	The only problem with ICMP/ECHO was with directed broadcasts
> > 	and any router purchased in the last 10 years has support
> > 	for directed broadcasts off by default.
> With respect there was also the ping of death, which is a IP
	problem not a ICMP problem.  You could do the same with UDP,
	TCP or anything else carried on IP.

> and many net admins fear 
> DDoS with ping so think they should block it.

	You can DDoS with any traffic you let through.  ICMP is
	not special here.  Filtering ICMP doesn't stop you being
	As I said, blocking ICMP is irrational.  It doesn't really
	protect anything and it breaks TCP and UDP, both of which
	depend in it for correct operation.  It also hinders diagnosis
	of network problems.

	Similarly blocking UDP/TCP traffic just on from ports is


> Sam

ISC Training!  October 16-20, 2006, in the San Francisco Bay Area,
covering topics from DNS to DHCP.  Email training at
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at

More information about the bind-users mailing list