cannot connect

Dawn Connelly dawn at zapata.org
Sat Sep 30 00:34:26 UTC 2006


Since when have network security people claimed to be rational?  Seems to me
that we are pretty notorious for being anything but rational. It's in our job
description to overreact. :)

Discussing if it's rational or not isn't really the point. The point is that
paranoid firewall managers exist, so using ping as the de facto testing method
doesn't really give a definitive answer. Ping tests if ICMP is open. It doesn't
test to see if port 80 is open. It's great for testing routing issues, but
isn't very effective at troubleshooting anything else. This particular scenario
is a great example: the web admin confirmed that ICMP is blocked at the
gateways.

But seems like we have gotten extremely off topic for this particular forum.

Quoting Mark Andrews <Mark_Andrews at isc.org>:

>
> > In article <efi6t1$1hh7$1 at sf1.isc.org>,
> >  Mark Andrews <Mark_Andrews at isc.org> wrote:
> >
> > > > Ping is generally a bad connection test. It uses ICMP which most firewalls will block.
> > >
> > > 	Any sane firewall will accept ICMP.  TCP and UDP don't
> > > 	operate correctly if you block ICMP.
> > >
> > > 	The only problem with ICMP/ECHO was with directed broadcasts
> > > 	and any router purchased in the last 10 years has support
> > > 	for directed broadcasts off by default.
> >
> > With respect there was also the ping of death,
>
> 	http://insecure.org/sploits/ping-o-death.html which is an IP
> 	problem not an ICMP problem.  You could do the same with UDP,
> 	TCP or anything else carried on IP.
>
> > and many net admins fear
> > DDoS with ping so think they should block it.
>
> 	You can DDoS with any traffic you let through.  ICMP is
> 	not special here.  Filtering ICMP doesn't stop you being
> 	DDoS'd.
>
> 	As I said, blocking ICMP is irrational.  It doesn't really
> 	protect anything and it breaks TCP and UDP, both of which
> 	depend on it for correct operation.  It also hinders diagnosis
> 	of network problems.
>
> 	Similarly blocking UDP/TCP traffic just on from ports is
> 	irrational.
>
> 	Mark
>
> > Sam
>
>
> --
> ISC Training!  October 16-20, 2006, in the San Francisco Bay Area,
> covering topics from DNS to DHCP.  Email training at isc.org.
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
>
>
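As an added example (not from the thread or any of its posters): the point above, that ping only tells you whether ICMP echo gets through and says nothing about port 80, suggests testing the service port itself with a TCP connect. The Python below does that and separates three verdicts a troubleshooter cares about: "open" (handshake completed), "closed" (the host answered with RST, so it is reachable but nothing listens there) and "filtered" (no answer before the timeout or an unreachable report, which is what a firewall silently dropping packets looks like, whether or not it also drops ping). The local listener, the helper that finds an unused port and the "target-host" name are constructed for the demonstration.

```python
import socket
import threading
from contextlib import closing


def tcp_port_check(host, port, timeout=3.0):
    """Probe a TCP service port directly instead of relying on ICMP echo.

    Returns one of:
      "open"      - the three-way handshake completed, a service is listening
      "closed"    - the host answered with RST (reachable, nothing listening)
      "filtered"  - no answer within `timeout`, or host/network reported
                    unreachable; the symptom of a firewall that drops packets
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:      # RST came back: host is up
            return "closed"
        except (socket.timeout, TimeoutError, OSError):
            return "filtered"               # silence or unreachable


def start_local_listener():
    """Constructed fixture: a throwaway listener on 127.0.0.1 so the check
    can be exercised offline. Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the kernel pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:             # server socket closed: stop serving
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def unused_local_port():
    """Constructed helper: bind port 0 and release it, giving a local port
    on which nothing listens (a connect there gets RST -> 'closed')."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


def demo():
    """Run the check against the local fixture; returns both verdicts."""
    srv, port = start_local_listener()
    try:
        open_verdict = tcp_port_check("127.0.0.1", port)
    finally:
        srv.close()
    closed_verdict = tcp_port_check("127.0.0.1", unused_local_port())
    return open_verdict, closed_verdict


if __name__ == "__main__":
    listening, nothing = demo()
    print("listening port:", listening)   # open
    print("unused port:   ", nothing)     # closed
    # Against a real server (hypothetical name), the question ping cannot
    # answer is simply: print(tcp_port_check("target-host", 80))
```

A "filtered" verdict on port 80 combined with a working ping, or an "open" verdict on a host that never answers ping, are exactly the cases where the two tests disagree; the TCP result is the one that reflects what the web server's clients will experience.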


