Discussion in 'Networking, Telephony & Internet' started by foxmulder881, Jun 30, 2012.
I'm curious as to how a server can stop another system pinging it.
But I thought you'd still be able to ping a certain IP address? Am I wrong? Especially if I can see that it is there.
If the device refuses to respond to an ICMP ping request, then it'll timeout each request.
Yes, you're wrong.
Configure the firewall to block ICMP traffic (ICMP, not IGMP as stated above) either incoming if you want to stop the server responding to pings, or outgoing if you want people not to be able to ping other devices from it.
Thanks, that's exactly what I was wondering. Thanks again.
If you typed your question into google, 3 of the first 5 links would have answered it.
Gonna delete this response too Gords? Better to teach someone to fish than to provide them fish.
Yep, and better to be polite to someone than nasty. If you can't do it, don't post. And don't get your hair in a knot when someone calls you out on your incessant rudeness toward other members.
epic burn is epic
I think the OP could have easily googled this, but it's good to see some educated OCAUers jumped in fairly quickly.
ocau - The Organic Google
I'd rather a quieter forum full of quality threads than an active forum full of basic questions, easily answered by google or calling/emailing/contacting the provider of the service.
Or if OP thinks (ho ho ho) it's an elementary question, it goes in Newbie Forum.
Or a mod could just move them up there anyway.
It removes any possibility someone might post a legitimate question if they see the forum full of basic questions, followed by the array of answers from all sorts that post around here. It just lowers the average, and it's not good for the forum, IMO.
The fact of the matter is that there are rules about being polite to other members, but there (generally) aren't rules about what threads can be created and what threads can't be. If you'd like to propose such an idea, the Site Discussion forum is here. Make sure you have a framework in place when someone asks the inevitable question relating to how much research is required before someone can start a thread on a topic.
BTW, the rule about pointless posts is not about this topic. I know, I wrote them. If you disagree, read them again.
Me enforcing the existing published rules and not rules that are made up by you and exist only in your head is not daft, in my opinion. You obviously think differently.
I note that neither you, nor any of the posters whose unnecessary messages I deleted bothered to report the thread to have it moved to the Newbie Lounge. Nice work. Obviously the way to make OCAU better is to have people post nasty, impolite messages, have admins delete them because they're against the forum rules, then have the posters of said messages whinge and whine about their messages being deleted and then suggest something constructive.
Wrong again. That rule was put in place because people were flaming in the Newbie Lounge. It doesn't mean that 'anything goes' in the rest of the forums. Here's an analogy: If your local council puts up "No dumping" signs at sites that typically attract illegal dumping, does it imply that anywhere there is not a "No dumping" sign, you're allowed to dump whatever you like there? (The answer is 'No'.)
To avoid you assuming the wrong thing in future, I'll set it out plainly for your benefit and the benefit of others that are in your camp.
Why your posts are deleted:
Your nasty, arrogant, impolite, mocking, holier-than-thou posts are deleted because they come across as nasty, arrogant, impolite, mocking and holier-than-thou.
Post polite answers to questions.
Don't post at all. Better yet, don't even look at threads that are beneath you.
Whinge that this place is going down the drain while choosing to do absolutely nothing constructive of your own accord, eventually culminating in you posting in this thread, and thus reinforcing a somewhat accurate stereotype about elitist IT "professionals" who continually choose to behave in an unprofessional manner.
I hope I've covered everything. Feel free to post in the Site Discussion forum if you think you've been hard done by, and I (or others) will try to explain it again. However, this thread isn't the place to continue discussion about your behaviour, so any further posts on that topic will be deleted.
You want "drop", not "reject".
"Reject" sends back a "host unreachable" statement, which ironically by default is ICMP. "Drop" simply drops the packet and does nothing further. Anything Internet-facing should use "drop", as it's easier to hide, and less likely to be abused in a DoS style attack.
It's also better if you choose specific forms of ICMP to drop. Wholesale dropping of ICMP causes transmission issues where fragmented packets are involved, because it uses ICMP to communicate information about MTU along the path; specifically, you want to pass ICMP type 3.
On a controlled or shared services network, I'd agree. If it's Internet-facing, I just drop the lot and be done with it.
It's probably less needed on a controlled network than on the Internet interface.
When you block type 3 ICMP you're breaking this: Path MTU Discovery (Wikipedia).
95% of the time PMTUD is irrelevant, but consider connecting to a remote host that is, for example, using a satellite connection or IPsec over a connection that uses PPPoE/A (8 bits of PPP encap and at least 96 bits of ESP header) from your network that drops all ICMP. Packets will go out and hit the target host; the target host sends back ICMP type 3 code 4 (Needs Fragmentation, Don't Fragment bit set); your host drops it, and the client making the connection assumes a timeout and gives up. This will only happen for some packets, so some things will work and some won't to the same host.
But it's your network, and I'm sure we all do things that others would think not best practice.
I had all sorts of dramas with PMTU just last week, in fact. I found setting a sensible MSS (MTU of the link minus 20*2) completely negated the need to deal with PMTU at all, and helped me fix a site that wanted to run jumbo frames on two sides of a WAN, but still have users mount shares (NFS and CIFS) across that same WAN.
But that's by the by.
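As an added example (not from any poster in this thread), here is an nftables ruleset for an Internet-facing host that follows the advice above: drop rather than reject, keep ICMP type 3 so Path MTU Discovery still works, and clamp TCP MSS on forwarded traffic as the fallback described in the previous post. The open TCP ports, the rate limit and the forward chain are assumptions for illustration only.

```nftables
# Added example, not from the thread. Assumed host: SSH and HTTPS exposed, everything else closed.
table inet filter {
    chain input {
        # Chain policy is DROP: unmatched packets are discarded silently, with no
        # ICMP unreachable sent back (that is what "reject" would do).
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept

        # ICMP type 3 (destination unreachable) carries code 4 "fragmentation needed",
        # which Path MTU Discovery depends on. Pass it even when dropping the rest.
        icmp type destination-unreachable accept

        # Optional troubleshooting aids: ping replies and traceroute's TTL-exceeded
        # messages. Rate limit is an assumed value; remove the rule to stay silent.
        icmp type { echo-request, time-exceeded } limit rate 5/second accept

        # Assumed services. Any other ICMP or TCP/UDP falls through to the DROP policy.
        tcp dport { 22, 443 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # MSS clamp for forwarded connections: rewrite the MSS in SYN packets to fit
        # the route MTU, so large segments are never sent with DF set and PMTUD is not needed.
        tcp flags syn tcp option maxseg size set rt mtu

        ct state established,related accept
    }
}
```

Load with `nft -f` and verify with `nft list ruleset`; note that `ct state related` already admits ICMP errors tied to tracked connections, so the explicit type 3 rule matters mainly for flows this host is not tracking.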
To be honest it's not really worth blocking.
Anyone that has malicious intent doesn't care whether you allow or block ICMP.
It's not like the old-school routers that you could crash with excessive amounts of ICMP hitting the CPU.
Ping (ICMP echo request and reply) and traceroutes (ICMP TTL exceeded) are both very useful in troubleshooting problems.
Blocking/dropping/rejecting ICMP is a pain in the ass. It's a useful protocol and necessary when trying to find problems.
+1 to this.
The Networking, Telephony & Internet forum on OCAU is barely needed. It has very very few relevant posts.
As much as I hate to say it, whirlpool is a better place for network discussion than this forum.
Threads like this one only contribute to the problem.