ICMP - diynot.com

To be pedantic, you can't do anything but allow an ICMP request.

The action is optional though, so I think you're really wondering why ICMP requests aren't ignored.

Personally I don't think it matters, since you can't stealth the server anyway.
 
To be pedantic, you can't do anything but allow an ICMP request.
Yes you can.

The action is optional though, so I think you're really wondering why ICMP requests aren't ignored.
No. I'm trying to understand why they would want them to be allowed through in the first place. I can't think of a reason why anyone on the public side would need to have the ability to even send a request through.

Personally I don't think it matters, since you can't stealth the server anyway.
I'm not talking about hardening the actual resource hosting the site (i.e. the Apache app or the Linux O/S).

One for admin methinks, or he could just tell me to stop being nosey :LOL: .
 
To be pedantic, you can't [do] anything but allow an ICMP request.
Yes you can.
Very well - give me any IP address you like, and I'll transmit an ICMP request. You won't be able to stop it.

The action is optional though, so I think you're really wondering why ICMP requests aren't ignored.
No. I'm trying to understand why they would want them to be allowed through in the first place.
Allowed "through" what?

I can't think of a reason why anyone on the public side would need to have the ability to even send a request through.
WTF? You can't remove someone's ability to send a request.

Personally I don't think it matters, since you can't stealth the server anyway.
I'm not talking about hardening the actual resource hosting the site (i.e. the Apache app or the Linux O/S).
I have no idea what you mean by "hardening". It sounds like bullsh*t to me.
 
Very well - give me any IP address you like, and I'll transmit an ICMP request. You won't be able to stop it.
Well yes, point taken. I can't actually stop you sending it but I can stop it at least 1 hop before it's reached its destination (more probably 2 or 3 hops dependent on my topology).

Allowed "through" what?
My border router, or my firewall or whatever filtering device/node you care to use it.

WTF? You can't remove someone's ability to send a request.
Like I said, send a request 'through' ie through the perimeter to wherever the webserver sits.

I have no idea what you mean by "hardening". It sounds like bullsh*t to me.
Not at all. That's why I said "one for admin methinks", I bet he'll know what server hardening is ;) .
 
I can't actually stop you sending it...
Indeed so. You can't. That's what I already said.

Allowed "through" what?
My border router, or my firewall or whatever filtering device/node you care to use it.
Well done. You got there in the end. However, you appear to think that when you ping "www.diynot.com" you're pinging the web server. :rolleyes:

WTF? You can't remove someone's ability to send a request.
Like I said, send a request 'through' ie through the perimeter to wherever the webserver sits.
Indeed. But what you're now saying, in this post, is unlike what you said in your previous post.

I have no idea what you mean by "hardening". It sounds like bullsh*t to me.
Not at all. That's why I said "one for admin methinks", I bet he'll know what server hardening is.
You're about as good as reading as you are at writing.

I repeat: I have no idea what you by mean "hardening". :rolleyes:
 
you appear to think that when you ping "www.diynot.com" you're pinging the web server. :rolleyes:
Incorrect. You appear to not understand that when I say, "Why are ICMP requests allowed to the external NIC on whatever is hosting diynot.com?", I am actually referring to the address allocated to the external NIC on the resource that is hosting diynot.com.

Indeed. But what you're now saying, in this post, is unlike what you said in your previous post.
Incorrect. My previous post said, "I can’t think of a reason why anyone on the public side would need to have the ability to even send a request through."

You're about as good as reading as you are at writing.
Why thank you Softus. Your insults are as good as your grammar.

I repeat: I have no idea what you by mean "hardening". :rolleyes:
That's ok don't worry about it. There is no need for you to understand.
 
Why are ICMP requests allowed to the external NIC on whatever is hosting diynot.com? :confused:
But most companies allow ICMP requests (e.g. Ping and Tracert) to the DNS registered address for their web servers. After all, the main purpose of ICMP is for network troubleshooting.

If a site is not responding, the obvious thing to do is ping the site or run tracert to see where the hold-up is. If you do this when the diynot site is going at a snail's pace and these utilities show no problems, you know that the hold-up is congestion in the diynot's servers and not an Internet problem.

I agree that many internet users would not know how to use these tools, but why deny them to those who do?
 
Why are ICMP requests allowed to the external NIC on whatever is hosting diynot.com? :confused:
But most companies allow ICMP requests (e.g. Ping and Tracert) to the DNS registered address for their web servers. After all, the main purpose of ICMP is for network troubleshooting.
Yes I agree, but not from the public side. Network troubleshooting should be done from the internal LAN or via a VPN if remote support is required. Allowing ICMP requests/replies to your public IP address, from the public internet, is not standard security practice.

If a site is not responding, the obvious thing to do is ping the site or run tracert to see where the hold-up is. If you do this when the diynot site is going at a snail's pace and these utilities show no problems, you know that the hold-up is congestion in the diynot's servers and not an Internet problem.

I agree that many internet users would not know how to use these tools, but why deny them to those who do?
Yes I agree with everything you're saying regarding diagnostics and support. However, if you're allowing ICMP echo requests/replies to/from your Public IPs a Pen Test will deem it "At Risk". A security audit of your FW rulebase(s) would also pull this as "a risk". If an application/protocol is not needed for functionality it should be removed. Minimising the attack surface area is a core principle of IT security.
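
An added example, not part of the thread or of any poster's message: the kind of rule-base check the post above refers to, written in Python against constructed `iptables-save` output. It reports what the filter/INPUT chain does with an unsolicited echo request from the public side. The interface name `eth0`, the VPN range 10.8.0.0/24 and both rule sets are assumptions; destination matches are not modelled, and any negated match is returned for manual review.

```python
import shlex

ECHO = {"8", "8/0", "echo-request"}  # spellings of ICMP type 8

def _opts(tokens):
    """Map each option of an iptables-save rule to its value ('' if none)."""
    opts, i = {}, 0
    while i < len(tokens):
        has_val = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        opts[tokens[i]] = tokens[i + 1] if has_val else ""
        i += 2 if has_val else 1
    return opts

def echo_verdict(ruleset, public_iface):
    """First-match verdict of the filter/INPUT chain for an unsolicited echo
    request from an arbitrary Internet source arriving on public_iface."""
    table, policy = "", "ACCEPT"
    for line in map(str.strip, ruleset.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        if table != "filter":
            continue
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        if not line.startswith("-A INPUT "):
            continue
        o = _opts(shlex.split(line))
        if "!" in o:                       # negated match: not modelled here
            return "REVIEW", line
        state = o.get("--state") or o.get("--ctstate")
        if (o.get("-p", "icmp") not in ("icmp", "all")
                or o.get("-i", public_iface) != public_iface
                or o.get("-s", "0.0.0.0/0") != "0.0.0.0/0"
                or o.get("--icmp-type", "8") not in ECHO
                or (state and "NEW" not in state.split(","))):
            continue                       # rule cannot match this packet
        if o.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return o["-j"], line           # terminating target decides
    return policy, "default policy"

# Constructed samples (assumed: eth0 is the public side, 10.8.0.0/24 the VPN).
HEAD = "*filter\n:INPUT DROP [0:0]\n-A INPUT -i lo -j ACCEPT\n" \
       "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
TAIL = "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT\nCOMMIT\n"
OPEN = HEAD + "-A INPUT -p icmp -j ACCEPT\n" + TAIL
FILTERED = HEAD + ("-A INPUT -s 10.8.0.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT\n"
                   "-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT\n") + TAIL

if __name__ == "__main__":
    for name, rules in (("open", OPEN), ("filtered", FILTERED)):
        print(name, echo_verdict(rules, "eth0"))
```

The filtered rule set still answers echo requests from the VPN range and still accepts ICMP type 3 (destination unreachable), which carries the "fragmentation needed" messages that path MTU discovery depends on.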
 
OK, let's find out what you think "hardening" means, Softus.
Go away, little boy.

You appear to not understand that when I say, "Why are ICMP requests allowed to the external NIC on whatever is hosting diynot.com?", I am actually referring to the address allocated to the external NIC on the resource that is hosting diynot.com.
I understand perfectly well that you're incapable of making up your mind about what you're referring to, as illustrated by you mentioning web servers first:

Like I said, send a request 'through' ie through the perimeter to wherever the webserver sits.

My previous post said, "I can’t think of a reason why anyone on the public side would need to have the ability to even send a request through."
OK. So you can't think of a reason right now, but I'm sure that with some effort you'll manage what countless other people are already able to do.

Your insults are as good as your grammar.
I can hardly believe you're pointing out grammatical errors, especially when they're merely spelling mistakes, but maybe you should put your own house in order first:

My border router, or my firewall or whatever filtering device/node you care to use it.

A security audit of your FW rulebase(s) would also pull this as "a risk"....Minimising the attack surface area is a core principle of IT security.
What a marvellous stream of pointless jargon. I'm sure that Admin will delight in ignoring it, since ignoring pings must be about the least important thing on his endless list of stuff to do with the web site. :rolleyes:
 
OK, let's find out what you think "hardening" means, Softus.
Go away, little boy.
I take that as an admission that you do not know what it means. Though, if you gave some information as to your professional knowledge on the subject, as compared with what you have just picked up by trawling the internet, I might be more inclined to take your opinions more seriously.
 
Hardening simply means upping the security, by which I take it the original post refers to the fact that you can ping DIYNOT and by dint of this is asking the question as to why ICMP packets are not dropped by the DIYNOT firewall, be it router, server etc.
 
Though, if you gave some information as to your professional knowledge on the subject, as compared with what you have just picked up by trawling the internet
I think you've hit the nail on the head there and that's where my conversation with him on this matter will end. He obviously has no experience of the IT security industry; this is blatantly clear from his statements and the terminology he uses. I will not waste any more of my time educating him any further. :cool:

I wonder who was getting abusive..... :rolleyes: ..and why...:LOL:
 