Security through obscurity isn't security, even if this approach is
popular in some places.
I don't think there is a valid *security* reason to fully block ICMP
echo requests on NCC firewalls. This just makes diagnostics of
network/connectivity incidents harder (and more unfriendly). In
fact, requests are processed and ICMP responses are sent by firewalls
anyway (admin prohibited / packet filtered).
- Daniel
On 5/5/21 12:52 PM, Kurt Kayser wrote:
Gert,
you surely know that every enabled protocol/port is a potential threat.
.kurt
On 05.05.21 at 12:32, Gert Doering wrote:
Hi,
On Wed, May 05, 2021 at 12:30:01PM +0200, Kurt Kayser wrote:
I understand your point. But there is really no big effort to check if
Port 873 is working:
<host>nc -zvw100 rpki.ripe.net 873
Connection to rpki.ripe.net 873 port [tcp/rsync] succeeded!
Let's make a security comparison, if this is really a necessary feature?
So where exactly is the *security* drawback of permitting ICMP echo?
But yes, of course, we can all do tcpping instead - which is much
more likely to have an adverse effect on the actual service...
Gert Doering
-- NetMaster