Re: Removing ping/icmp from a network

["Mark Owen" <mr.markowen () gmail com>]

On Thu, Mar 27, 2008 at 12:25 PM, Jason <securitux () gmail com> wrote:
*snip*
>  The idea is to limit your Internet footprint to make it as difficult
>  as possible for an attacker. There is no need for a web server to
>  respond to ping from the Internet for example.

It is very critical that your web server responds to ICMP on the
Internet.  If you go out of the way and ignore essential protocols for
IP over a public network, you're just going to create a headache for
all of us.

Without ICMP, it is very difficult for us to determine where a problem
exists when our clients complain about slow load times or
inaccessibility to your website.  No ICMP means no basic trace
routing, no basic latency checks, and no basic error reporting.  So
even if the problem is somewhere in our infrastructure that limits or
prevents access to your site, you're going to get the blame and bad
reputation of an unstable server.  If it doesn't respond to ping, and
can't be traced, its not our fault that our client can't access your
site, it's yours.

-- 
Mark Owen