01-23-2009, 11:53 PM
Bill Campbell

Ping and traceroute...

On Fri, Jan 23, 2009, Lanny Marcus wrote:
>On Fri, Jan 23, 2009 at 12:16 PM, John Doe <jdmls@yahoo.com> wrote:
>> Right now, we are blocking pings and traceroutes to our website.
>> But, in order for our members to test the connection when they are experiencing slow browsing, we are thinking about unblocking them...
>> Are there still any security issues (flooding, etc...) in enabling them or is that an old problem fixed a long time ago?
>
>Our two web sites do permit ping. I like to ping them from time to
>time, for various reasons. Both have dedicated IP addresses. The one
>time one of our sites was attacked, years ago, was someone connecting
>to the POP3 server every second. Nothing to do with ping or
>traceroutes.

We generally allow ping at the sites we support, but don't rely
on pings to test for systems being alive.

We test system status by doing an xmlrpc call to their web server
which should return some useful information in addition to making
sure that the system is actually responding to something useful
(NICs may return pings even if the underlying system is hung).

Many of our customers' roaming users connect with their home
system using OpenVPN, thus being able to access their systems
where they might otherwise be blocked.

Bill
--
INTERNET: bill@celestial.com Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676 Mercer Island, WA 98040-0820
Fax: (206) 232-9186

You know the one thing that's wrong with this country? Everyone gets a
chance to have their fair say. -- Bill Clinton, May 29, 1993, The White House
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
01-24-2009, 02:56 PM
Lanny Marcus

Ping and traceroute...

On Fri, Jan 23, 2009 at 7:53 PM, Bill Campbell <centos@celestial.com> wrote:
> On Fri, Jan 23, 2009, Lanny Marcus wrote:
>>On Fri, Jan 23, 2009 at 12:16 PM, John Doe <jdmls@yahoo.com> wrote:
>>> Right now, we are blocking pings and traceroutes to our website.
>>> But, in order for our members to test the connection when they are experiencing slow browsing, we are thinking about unblocking them...
>>> Are there still any security issues (flooding, etc...) in enabling them or is that an old problem fixed a long time ago?
<snip>
> We generally allow ping at the sites we support, but don't rely
> on pings to test for systems being alive.
>
> We test system status by doing an xmlrpc call to their web server
> which should return some useful information in addition to making
> sure that the system is actually responding to something useful
> (NICs may return pings even if the underlying system is hung).
<snip>
Bill: For xmlrpc to work, what do I need to install on my Desktop? Does
something need to be installed on the web server also? TIA, Lanny
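
The application-level check discussed in the two posts above, as an added example that is not code from the thread or from any poster. It uses only the Python standard library on both the monitoring desktop and the server; the method name `status`, the fields it returns and the `/RPC2` path are assumptions made for illustration.

```python
import http.client
import shutil
import threading
import time
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCServer

_STARTED = time.monotonic()


def status():
    """Server side: report something a bare ICMP echo reply cannot."""
    usage = shutil.disk_usage("/")
    return {"ok": True, "uptime_s": round(time.monotonic() - _STARTED, 1),
            "root_free_pct": round(100.0 * usage.free / usage.total, 1)}


def start_status_server(host="127.0.0.1", port=0):
    """Start the XML-RPC endpoint in a background thread; return (server, url)."""
    server = SimpleXMLRPCServer((host, port), logRequests=False)
    server.register_function(status, "status")  # expose this one method only
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://%s:%d/RPC2" % server.server_address


class TimeoutTransport(xmlrpc.client.Transport):
    """Transport with a socket timeout, so a hung host cannot stall the monitor."""

    def __init__(self, timeout):
        super().__init__()
        self.timeout = timeout

    def make_connection(self, host):
        conn = super().make_connection(host)
        conn.timeout = self.timeout  # applied to connect and to every read
        return conn


def check(url, timeout=3.0):
    """Client side: return ("up", info) or ("down", reason)."""
    proxy = xmlrpc.client.ServerProxy(url, transport=TimeoutTransport(timeout))
    try:
        info = proxy.status()
    except (OSError, xmlrpc.client.Error, http.client.HTTPException) as exc:
        return "down", type(exc).__name__
    if not isinstance(info, dict) or info.get("ok") is not True:
        return "down", "unexpected reply"
    return "up", info
```

A host whose network stack still completes connections but whose application never answers is reported as down once the timeout expires, which is the case a ping test misses.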
 
01-26-2009, 09:20 AM
John Doe

Ping and traceroute...

> However do you have the luxury of having your members coming from a block of IPs

World wide website... so it is either everything or nothing...



> Blocking ping has always been a pet peeve of mine. Aside from violating RFC-1122
> (3.2.2.6 Echo Request/Reply: RFC-792 Every host MUST implement an ICMP Echo
> server function that receives Echo Requests and sends corresponding Echo
> Replies.)
>
> It provides *no* additional security & makes troubleshooting network issues that
> much more difficult.

So I guess I will look into adding these rules into shorewall.

Thx for all the answers,
JD




 

All times are GMT.