Block incoming pings while allowing outgoing pings
Authored by: DirrtyDawg on Sep 04, '03 06:49:41PM

The only ICMP types that should be allowed from the Internet are 0, 3 and 11, which are echo reply, destination unreachable and time exceeded. I don't see any reason for anyone pinging me since I don't provide any services to the world. Allowing type 8, which is echo request, CAN be a security hole, but needn't be. I'm a Mac newbie, so forgive my stupidity. I come from the Linux world, and my stateful firewall can also limit access to a certain number/minute or hour or whatever you prefer. This would minimize the problem of getting pod or something. I believe ipfw is a good packet-level firewall which can also do such things.

To explain the stateful thing: TCP packets contain a state which indicates what the data wants to do. For example, if it is related to another packet sent earlier, then it would have a related state. Since ICMP is a different layer 4 protocol, it doesn't have states in it. If you send an echo request you get an echo reply, which doesn't have any flags like SYN or ACK. ICMP is actually just for testing connections, so it doesn't need all the stuff.

If someone wants to get a small introduction to firewalling theory, just write an email.

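The inbound policy from the comment above (allow only ICMP types 0, 3 and 11), as an added example that is not part of the original comment and is not ipfw code. It is a Python model of the filter decision that goes one step further than the comment: because ICMP carries no SYN/ACK flags, it pairs each echo reply with an echo request the host sent, using the identifier and sequence fields. `IcmpFilter`, `build_icmp` and the packets are hypothetical and constructed for illustration.

```python
import struct

# Inbound policy from the comment: echo reply, destination unreachable, time exceeded.
ALLOWED_INBOUND = {0, 3, 11}
ECHO_REPLY, ECHO_REQUEST = 0, 8

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; a valid ICMP message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Build a constructed sample ICMP message (code 0) with a correct checksum."""
    body = struct.pack("!HH", ident, seq) + payload
    csum = checksum(struct.pack("!BBH", icmp_type, 0, 0) + body)
    return struct.pack("!BBH", icmp_type, 0, csum) + body

class IcmpFilter:
    """Hypothetical host filter: outgoing pings allowed, incoming pings dropped."""

    def __init__(self):
        self.pending = set()  # (peer, ident, seq) of echo requests we sent

    def outbound(self, dst: str, packet: bytes) -> str:
        if len(packet) >= 8 and packet[0] == ECHO_REQUEST:
            ident, seq = struct.unpack("!HH", packet[4:8])
            self.pending.add((dst, ident, seq))
        return "allow"

    def inbound(self, src: str, packet: bytes) -> str:
        if len(packet) < 8 or checksum(packet) != 0:
            return "drop: malformed"
        icmp_type = packet[0]
        if icmp_type not in ALLOWED_INBOUND:
            return "drop: type %d not allowed" % icmp_type
        if icmp_type == ECHO_REPLY:
            key = (src,) + struct.unpack("!HH", packet[4:8])
            if key not in self.pending:
                return "drop: unsolicited echo reply"
            self.pending.discard(key)  # one reply per request
        return "allow"
```

A production filter would also expire `pending` entries after a timeout so the table cannot grow without bound.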