[olug] help with iptables firewall

Dave Hull dphull at gmail.com
Fri Jul 27 15:12:43 UTC 2007


Recommended by SANS for one. Have a look at the Firewall Checklist pdf
here http://www.sans.org/score/checklists/FirewallChecklist.pdf. It's
item number 15.

A little searching shows the recommendation repeated frequently,
with caveats of course. There are lots of networks out there that deny
ICMP echo requests these days. NMAP even includes an option to skip
pinging hosts when port scanning because so many networks don't allow
ICMP echo.

I don't think anyone who makes this recommendation is doing so because
Ping is insecure, but rather it allows an attacker to learn things
about the network that you may not want them to know, like that
there's a given host at a given IP address.

For a publicly accessible resource in a DMZ like a web, smtp or ftp
server, blocking ICMP echo requests and responses doesn't make sense,
but do you want your firewall to allow anyone on the planet to ping
hosts behind the firewall?

-- 
Dave Hull
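The policy Dave describes (answer pings to public DMZ hosts, drop unsolicited echo requests to hosts behind the firewall, but keep the ICMP error types that TCP relies on) as an added iptables example; this is not code from the original post. It assumes a Linux router using the FORWARD chain with conntrack, and the placeholder networks 192.0.2.0/24 for the DMZ and 10.0.0.0/8 for the LAN.

```shell
#!/bin/sh
# Added example (not from the original post): ICMP policy for a Linux
# router/firewall with a public DMZ and an internal LAN.
# Assumptions: traffic passes through the FORWARD chain, conntrack is
# loaded, DMZ is 192.0.2.0/24 and LAN is 10.0.0.0/8 (placeholders).
# Set IPT=echo to preview the rules instead of applying them.
IPT="${IPT:-iptables}"
DMZ_NET="${DMZ_NET:-192.0.2.0/24}"
LAN_NET="${LAN_NET:-10.0.0.0/8}"

icmp_policy() {
    # Echo replies to pings that DMZ or LAN hosts sent out belong to a
    # known connection; letting them back in reveals nothing new.
    "$IPT" -A FORWARD -p icmp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Public DMZ services (web, smtp, ftp) may be pinged by anyone.
    "$IPT" -A FORWARD -p icmp --icmp-type echo-request -d "$DMZ_NET" -j ACCEPT

    # Unsolicited echo requests to hosts behind the firewall are dropped,
    # so an outsider cannot learn which LAN addresses are live.
    "$IPT" -A FORWARD -p icmp --icmp-type echo-request -d "$LAN_NET" -j DROP

    # Caveat: not all ICMP is ping. These types carry error signalling
    # (path MTU discovery, TTL expiry) that TCP needs in order to work.
    "$IPT" -A FORWARD -p icmp --icmp-type destination-unreachable -j ACCEPT
    "$IPT" -A FORWARD -p icmp --icmp-type time-exceeded -j ACCEPT

    # Any other ICMP crossing the firewall is dropped.
    "$IPT" -A FORWARD -p icmp -j DROP
}

# count_rules_for: number of generated rules mentioning a pattern, taken
# from a dry run (IPT=echo) so the policy can be checked without root.
count_rules_for() {
    ( IPT=echo; icmp_policy ) | grep -c -- "$1"
}

case "${1:-}" in
    --apply)   icmp_policy ;;                 # as root, on the firewall
    --preview) ( IPT=echo; icmp_policy ) ;;   # print the rules only
esac
```

Run with `--preview` first to read the generated rules, then `--apply` on the firewall itself.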


