Stop blocking ping already!

[jon787.livejournal.com]

I don't care that you just read a column by *insert techno weenie* saying otherwise, ICMP Echo Request packets are not a security risk. Especially on the fscking LAN! Firewalling off ping only serves to annoy your sysadmin when he needs to do a quick check of network connectivity.

# ping 192.168.0.7
PING 192.168.0.7 (192.168.0.7) 56(84) bytes of data.

--- 192.168.0.7 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2008ms

Its not that we don't have tools to do it anyway, its just that they only work from another machine on your subnet:

# arping 192.168.0.7
ARPING 192.168.0.7 from 192.168.0.35 eth0
Unicast reply from 192.168.0.7 [00:20:E0:6B:9C:F7]  0.745ms
Unicast reply from 192.168.0.7 [00:20:E0:6B:9C:F7]  0.751ms
Unicast reply from 192.168.0.7 [00:20:E0:6B:9C:F7]  0.738ms
Sent 3 probes (1 broadcast(s))
Received 3 response(s)

On a side note, try arping 192.168.0.1 or other common router IP from the box hooked up to your cable/dsl modem sometime, its fun :)

Comments

[adamjaskie.livejournal.com]

# arping 192.168.0.1
ARPING 192.168.0.1 from 68.40.206.72 eth0
Sent 10 probes (10 broadcast(s))
Received 0 response(s)

[jon787.livejournal.com]

Hmm, it worked on resnet :)
Maybe the cable infra is different in a way that keeps it from working.

You f00!

[ravenshrinkery.livejournal.com]

Did you miss the memo that said an open internet connection in the hands of an id10t is always a security risk? They should be blocking all of his ports! The sooner you block port 80 on his machine the more actual work he'll probably get done anyway.

What's that you say, he needs web access to do his job? I rest my case. :)

[ihateemo.livejournal.com]

I'm sympathetic to denying ICMP requests for external boxen that you don't want people fucking with - but on the LAN? Sheesh. That would be very annoying.