Security through obscurity isn't security, even though this approach is popular in some places. I don't think there is a valid *security* reason to fully block ICMP echo requests on NCC firewalls. This just makes diagnostics of network/connectivity incidents harder (and more unfriendly). In fact, requests are processed and ICMP responses are sent by firewalls anyway (admin prohibited / packet filtered).

- Daniel

On 5/5/21 12:52 PM, Kurt Kayser wrote:
Gert,
you surely know that every enabled protocol/port is a potential threat.
.kurt
On 05.05.21 at 12:32, Gert Doering wrote:
Hi,
On Wed, May 05, 2021 at 12:30:01PM +0200, Kurt Kayser wrote:
I understand your point. But there is really no big effort to check if Port 873 is working:
<host>nc -zvw100 rpki.ripe.net 873
Connection to rpki.ripe.net 873 port [tcp/rsync] succeeded!

Let's make a security comparison, if this is really a necessary feature?

So where exactly is the *security* drawback of permitting ICMP echo?
But yes, of course, we can all do tcpping instead - which is much more likely to have an adverse effect on the actual service...
Gert Doering -- NetMaster