Hi Dag, I find myself pressed to rant a bit on the myths you spread because I come across such arguments all too often, and they are, umm, unfounded.
On Sun, 17.12.2006 at 20:03:08 -0800, Dag Richards <[EMAIL PROTECTED]> wrote:

> Tools can be written to use icmp as a transport, obviously anything can
> be used as a transport which is why we only allow traffic inbound to
> servers with services running we want public.

Yes, you can use anything as a transport, probably even pigeon carriers, but you need a receiving end to effect anything. So, unless you fear that someone is able to install a trojan on your OpenBSD server by sending it ICMP packets encapsulating something in their payload that results in a program (so far already requiring a big remote-root hole in the kernel) and also have it run with root privileges, probably by exploiting some other unknown hole in OpenBSD, then switching off ICMP is a good precaution. In all other cases, I think that it's quite stupid. I trust OpenBSD to not have such holes...

> Why should I allow someone to ping my dns server?

Marco explained it already. I can only agree. Switching off ICMP is a measure taken by rogue and/or stupid users who don't care if the 'Net works or not. At least, they really don't want any help they might otherwise be offered in case of a problem on their side. It is named "Internet Control Message Protocol" and not "Internet Useless Junk Protocol" for a reason.

> If you need to see if the server is up telnet to port 53, a traceroute
> will die at the hop above the firewall,

If I get no response from your port 53, I still don't know if
* your line is down,
* your host is down, or
* your name service is down.

Similar arguments go for problems due to packet loss or routing (ping and tracepath give me those), which help me assess a problem and maybe help out with advice.

> I know which ip that is. I don't care/need others to do so.

In case I should want to query your DNS service, I'll need to know the IP of your host, too, otherwise I can't query it. If you offer something useful (e.g. DNS for a domain someone should want to send mail to), you can't make that IP a secret unless you don't want people using that domain. There's no security by obscurity, and hiding the IP from "clueless users" (everyone else gets it anyway) is no substitute for security-in-depth.

So, please be a good netizen and switch ICMP back on, and secure your services.

Thank you for listening!

Best,
--Toni++
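The policy Toni argues for ("switch ICMP back on, and secure your services"), as an added example that is not part of the original mail and not either poster's configuration: an OpenBSD pf.conf fragment for a public DNS server that keeps the ICMP types remote diagnostics and path MTU discovery depend on, while still exposing only port 53. The interface name em0 and the address 192.0.2.53 are assumed placeholders.

```pf
# Added example, not from the mail thread: pf.conf for a public DNS host.
# em0 and 192.0.2.53 are constructed placeholders (documentation address).
ext_if  = "em0"
dns_srv = "192.0.2.53"

set skip on lo

# Default deny inbound; only the services meant to be public are opened below.
block in log on $ext_if

# The public service itself: DNS over UDP and TCP (large answers, zone transfers).
pass in on $ext_if inet proto { udp, tcp } from any to $dns_srv port 53

# Echo request: lets a remote admin tell "host down" from "name service down".
# The kernel answers it; no userland listener is involved.
pass in on $ext_if inet proto icmp from any to $dns_srv icmp-type echoreq

# Destination unreachable (including fragmentation-needed, used by path MTU
# discovery) and time exceeded (what traceroute relies on). Dropping these
# makes connections with large answers stall silently instead of failing loudly.
pass in on $ext_if inet proto icmp from any to $dns_srv icmp-type { unreach, timex }

# IPv6 does not function at all without ICMPv6 neighbor discovery and
# packet-too-big; neighbor discovery is addressed to multicast, hence "all".
pass in on $ext_if inet6 proto icmp6 all icmp6-type { echoreq, neighbrsol, neighbradv, toobig, timex, unreach }

# Outbound: let the host answer queries and run its own diagnostics.
pass out on $ext_if
```

The rules are stateful by default on OpenBSD 4.1 and later; on the 2006-era pf the thread was written against, each `pass` line would need an explicit `keep state`. Note that nothing here admits arbitrary ICMP: the echo, unreachable and time-exceeded types are the ones that make ping, traceroute and path MTU discovery work, which is exactly the distinction between "line down", "host down" and "service down" that the mail describes.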

