> servers with services running we want public. Why should I allow
> someone to ping my dns server?

If I'm having problems resolving a host address that is supposed to be
handled by your server one of the first things I'll do is see if I have
general connectivity to your server. I'll ping it. If there is no answer
I'll most likely assume transient net errors and put the problem off until
later. So what, you say. Well, if there are real DNS problems you won't be
notified. Maybe you don't care.

> If you need to see if the server is up telnet to port 53, a traceroute
> will die at the hop above the firewall, I know which ip that is. I don't
> care/need others to do so.

If I can't ping I'll assume I can't telnet. A traceroute will confirm "net
connectivity" issues. Eventually, assuming I need your DNS server to work
correctly, I'll attempt to get in touch.

From my perspective the only thing your blocking ICMP has done is delay
third party notification of DNS issues.

To me (and I'll be the first to admit that this is nothing but opinion and
I won't pretend that my opinion is any better than yours) I see more harm
than good in blocking icmp. I like it when other people tell me I've
screwed something up because I can find it and fix it faster.

As for the person who wants to disable ipv6... I think henning@ had the
best solution: use pf. A rule such as

    block ipv6 drop quick all

at the top of your ruleset should do the trick.

// marc
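The following is an added example, not part of marc's message or of anything henning@ posted, showing what a ruleset built on the two points above looks like in pf.conf(5) syntax: IPv6 dropped at the top, DNS on port 53 exposed, and ICMP echo requests to the server left answerable so a remote admin can tell "host unreachable" from "DNS broken". The interface name em0 and the server address 192.0.2.53 are assumptions (192.0.2.0/24 is a documentation range); substitute your own.

```pf
# Added example (not from the thread): a minimal pf.conf for a public
# DNS server that keeps ICMP echo reachable, in pf.conf(5) syntax.
# Assumptions: external interface is em0 and the server's address is
# 192.0.2.53 (a documentation address, substitute your own).
ext_if  = "em0"
dns_srv = "192.0.2.53"

# Drop IPv6 entirely, for the poster who wants it off. Placed first and
# marked quick so no later rule can accidentally pass v6 traffic.
block drop quick inet6 all

# Default deny; everything below is an explicit exception. Logging the
# drops is what lets you notice a legitimate client being blocked.
block drop log all

# Let the server itself reach out (its own resolver queries, updates, etc.).
# The state created here also covers ICMP the kernel sends in reply.
pass out quick on $ext_if inet keep state

# Public DNS: both transports, since answers that do not fit in UDP
# fall back to TCP and a UDP-only rule would break those lookups.
pass in quick on $ext_if inet proto { tcp udp } from any to $dns_srv port 53

# Echo requests stay answerable so remote admins can check basic
# connectivity before they report a DNS problem. Only echoreq is
# passed; other ICMP types fall through to the default deny.
pass in quick on $ext_if inet proto icmp from any to $dns_srv icmp-type echoreq
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; the `-n` parse-only run catches syntax errors without touching the running ruleset.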