Why are ICMP requests allowed to the external NIC on whatever is hosting diynot.com?
> To be pedantic, you can't do anything but allow an ICMP request.
Yes you can.
> The action is optional though, so I think you're really wondering why ICMP requests aren't ignored.
No. I'm trying to understand why they would want them to be allowed through in the first place. I can't think of a reason why anyone on the public side would need to have the ability to even send a request through.
> Personally I don't think it matters, since you can't stealth the server anyway.
I'm not talking about hardening the actual resource hosting the site (i.e. the Apache app or the Linux O/S).
>> To be pedantic, you can't [do] anything but allow an ICMP request.
> Yes you can.
Very well - give me any IP address you like, and I'll transmit an ICMP request. You won't be able to stop it.
>> The action is optional though, so I think you're really wondering why ICMP requests aren't ignored.
> No. I'm trying to understand why they would want them to be allowed through in the first place.
Allowed "through" what?
> I can't think of a reason why anyone on the public side would need to have the ability to even send a request through.
WTF? You can't remove someone's ability to send a request.
>> Personally I don't think it matters, since you can't stealth the server anyway.
> I'm not talking about hardening the actual resource hosting the site (i.e. the Apache app or the Linux O/S).
I have no idea what you mean by "hardening". It sounds like bullsh*t to me.
> Very well - give me any IP address you like, and I'll transmit an ICMP request. You won't be able to stop it.
Well yes, point taken. I can't actually stop you sending it, but I can stop it at least 1 hop before it's reached its destination (more probably 2 or 3 hops, dependent on my topology).
> Allowed "through" what?
My border router, or my firewall or whatever filtering device/node you care to use it.
> WTF? You can't remove someone's ability to send a request.
Like I said, send a request 'through', i.e. through the perimeter to wherever the webserver sits.
> I have no idea what you mean by "hardening". It sounds like bullsh*t to me.
Not at all. That's why I said "one for admin methinks"; I bet he'll know what server hardening is.
> I can't actually stop you sending it...
Indeed so. You can't. That's what I already said.
>> Allowed "through" what?
> My border router, or my firewall or whatever filtering device/node you care to use it.
Well done. You got there in the end. However, you appear to think that when you ping "www.diynot.com" you're pinging the web server.
>> WTF? You can't remove someone's ability to send a request.
> Like I said, send a request 'through', i.e. through the perimeter to wherever the webserver sits.
Indeed. But what you're now saying, in this post, is unlike what you said in your previous post.
>> I have no idea what you mean by "hardening". It sounds like bullsh*t to me.
> Not at all. That's why I said "one for admin methinks"; I bet he'll know what server hardening is.
You're about as good as reading as you are at writing.
> I repeat: I have no idea what you by mean "hardening".
OK, let's find out what you think "hardening" means, Softus.
> you appear to think that when you ping "www.diynot.com" you're pinging the web server.
Incorrect. You appear to not understand that when I say, "Why are ICMP requests allowed to the external NIC on whatever is hosting diynot.com?", I am actually referring to the address allocated to the external NIC on the resource that is hosting diynot.com.
> Indeed. But what you're now saying, in this post, is unlike what you said in your previous post.
Incorrect. My previous post said, "I can't think of a reason why anyone on the public side would need to have the ability to even send a request through."
> You're about as good as reading as you are at writing.
Why, thank you Softus. Your insults are as good as your grammar.
> I repeat: I have no idea what you by mean "hardening".
That's OK, don't worry about it. There is no need for you to understand.
> Why are ICMP requests allowed to the external NIC on whatever is hosting diynot.com?
But most companies allow ICMP requests (e.g. Ping and Tracert) to the DNS-registered address for their web servers. After all, the main purpose of ICMP is for network troubleshooting.
>> Why are ICMP requests allowed to the external NIC on whatever is hosting diynot.com?
> But most companies allow ICMP requests (e.g. Ping and Tracert) to the DNS-registered address for their web servers. After all, the main purpose of ICMP is for network troubleshooting.
Yes I agree, but not from the public side. Network troubleshooting should be done from the internal LAN, or via a VPN if remote support is required. Allowing ICMP requests/replies to your public IP address, from the public internet, is not standard security practice.
> If a site is not responding, the obvious thing to do is ping the site or run tracert to see where the hold-up is. If you do this when the diynot site is going at a snail's pace and these utilities show no problems, you know that the hold-up is congestion in diynot's servers and not an Internet problem.
> I agree that many internet users would not know how to use these tools, but why deny them to those who do?
Yes I agree with everything you're saying regarding diagnostics and support. However, if you're allowing ICMP echo requests/replies to/from your public IPs, a pen test will deem it "At Risk". A security audit of your FW rulebase(s) would also pull this as "a risk". If an application/protocol is not needed for functionality it should be removed. Minimising the attack surface area is a core principle of IT security.
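An added example, not posted by anyone in this thread: a small Python script that applies the two perimeter stances argued about above (drop public echo-requests, or permit them for ping/tracert) to constructed netfilter-style log lines, while keeping the ICMP error types that path-MTU discovery and tracert depend on. The interface name eth0, the log format and all addresses are assumptions, not anything from diynot.com.

```python
import ipaddress
import re
from collections import Counter
EXTERNAL_IF = "eth0"  # assumed name of the NIC facing the public internet
ECHO_REQUEST = 8      # ICMP type 8, what ping sends
# Keep type 3 (destination unreachable; code 4 = path-MTU discovery) and
# type 11 (time exceeded, which tracert needs to show each hop) even when echo is dropped.
KEEP_TYPES = {3, 11}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample lines in netfilter LOG style (not from any real host).
SAMPLE_LOG = """\
kernel: FW: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
kernel: FW: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
kernel: FW: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 PROTO=ICMP TYPE=3 CODE=4
kernel: FW: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 PROTO=ICMP TYPE=13 CODE=0
kernel: FW: IN=eth1 OUT= SRC=10.0.0.5 DST=198.51.100.10 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
kernel: FW: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=80
"""
FIELD = re.compile(r"([A-Z]+)=(\S*)")

def parse_line(line):
    """Turn one LOG line into a dict of its KEY=value fields; None if it is not ICMP."""
    rec = dict(FIELD.findall(line))
    if rec.get("PROTO") != "ICMP":
        return None
    rec["TYPE"] = int(rec["TYPE"])
    rec["CODE"] = int(rec.get("CODE", "0"))
    return rec

def decide(rec, permit_public_echo=False):
    """Perimeter policy as (action, reason); permit_public_echo=True is the 'allow ping' stance."""
    src = ipaddress.ip_address(rec["SRC"])
    if rec["IN"] != EXTERNAL_IF or any(src in net for net in RFC1918):
        return "accept", "internal-side icmp"
    if rec["TYPE"] == ECHO_REQUEST:
        return ("accept", "public echo permitted") if permit_public_echo else ("drop", "public echo-request")
    if rec["TYPE"] in KEEP_TYPES:
        return "accept", "needed for pmtud/traceroute"
    return "drop", "other public icmp"

def audit(log_text, permit_public_echo=False):
    """Tally what the policy would do to every ICMP line in the log."""
    tally = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            tally[decide(rec, permit_public_echo)] += 1
    return tally
```

Running `audit(SAMPLE_LOG)` against `audit(SAMPLE_LOG, permit_public_echo=True)` shows the only difference between the two stances is the two public echo-requests; the type 3 and type 11 traffic is accepted either way.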
> OK, let's find out what you think "hardening" means, Softus.
Go away, little boy.
> You appear to not understand that when I say, "Why are ICMP requests allowed to the external NIC on whatever is hosting diynot.com?", I am actually referring to the address allocated to the external NIC on the resource that is hosting diynot.com.
I understand perfectly well that you're incapable of making up your mind about what you're referring to, as illustrated by you mentioning web servers first:
> Like I said, send a request 'through', i.e. through the perimeter to wherever the webserver sits.
> My previous post said, "I can't think of a reason why anyone on the public side would need to have the ability to even send a request through."
OK. So you can't think of a reason right now, but I'm sure that with some effort you'll manage what countless other people are already able to do.
> Your insults are as good as your grammar.
I can hardly believe you're pointing out grammatical errors, especially when they're merely spelling mistakes, but maybe you should put your own house in order first:
> My border router, or my firewall or whatever filtering device/node you care to use it.
> A security audit of your FW rulebase(s) would also pull this as "a risk" ... Minimising the attack surface area is a core principle of IT security.
What a marvellous stream of pointless jargon. I'm sure that Admin will delight in ignoring it, since ignoring pings must be about the least important thing on his endless list of stuff to do with the web site.
>> OK, let's find out what you think "hardening" means, Softus.
> Go away, little boy.
I take that as an admission that you do not know what it means. Though, if you gave some information as to your professional knowledge on the subject, as compared with what you have just picked up by trawling the internet, I might be more inclined to take your opinions more seriously.
> Though, if you gave some information as to your professional knowledge on the subject, as compared with what you have just picked up by trawling the internet
I think you've hit the nail on the head there, and that's where my conversation with him on this matter will end. He obviously has no experience of the IT security industry; this is blatantly clear from his statements and the terminology he uses. I will not waste any more of my time educating him any further.