RE: [SLUG] Pings etc.

From: John Wright (wjohn1@tampabay.rr.com)
Date: Sun Feb 03 2002 - 20:46:47 EST


Hello All:

I know from experience that many ISPs (actually the owners of the backbone)
do not shut down the ping option, but set up the routers in the cloud to give
a very low priority to ICMP packets. A ping is an ICMP packet. What this means
to you is that during times of high usage, the priority traffic will flow first
and the less important traffic will be delayed (buffered) or even discarded.
Corporately speaking, you, as a normal "residential customer", do not need to
be concerned with doing network troubleshooting (i.e. ping and trace
commands).

Business accounts however are a whole different matter.
With the heavy usage of certificates in authentication, it is more rare to
have ICMP exchange "turned down". This is because many companies use digital
certs for authentication. This sometimes requires that the authenticatee be
able to ping the server that is being used as the CA "Certificate Authority".
In this usage, the CA holds a database that is the revocation list. Too low a
priority on ICMP packets would cause authentication timeouts, and consequently
failed dial/access attempts.

This can also be the case when the corporate accounts have a number of
Access Servers and the dial software checks each in sequence to be sure there
is something there to authenticate to. The first one that responds to the
ping wins.

-----Original Message-----
From: slug@lists.nks.net [mailto:slug@lists.nks.net] On Behalf Of Paul M Foster
Sent: Sunday, February 03, 2002 5:45 PM
To: SLUG List
Subject: Re: [SLUG] Pings etc.

On Tue, Jan 29, 2002 at 11:32:07AM -0500, Russ Herrold wrote:

> On Mon, 28 Jan 2002, Paul M Foster wrote:
>
> > From any machine on the network (and the firewall), I can ping
> > www.suncoastlug.org. I cannot, however, ping www.quillandmouse.com. Now,
> > I can traceroute or traceroute -I it. I can access the website(s). I can
> > run host against them both.
>
> I drop ICMP at the borders of some ISP's I admin for non-local
> non-next-hop traffic, due to Smurf attacks ... This would
> cause that symptom.
>

I believe Kai and you are correct. I think my ISP simply doesn't allow
pings. Otherwise, I've seen no difficulty with any internet activities
I've tried through coyote. (And no, I wrote my coyote firewall's rules--
they don't block ICMPs.)

And for those of you who've asked about single-disk firewalls in the
past, here's a plug for coyote. I was using floppyfw, but there are a
couple of drawbacks. First, it requires manual configuration of various
files, in a way that's not necessarily obvious. Second, the author
appears to have no interest in including the ability to ssh into the
firewall box. One of the reasons I looked into coyote was that it would
allow me to make the firewall "headless"; that is, without a monitor,
but allowing the ability to ssh into it to do maintenance, etc.

A bigger plug for coyote is that it takes you through a series of
questions and answers to set up the box. Then it builds the floppy for
you. No muss, no fuss. Once booted, you can modify the firewall rules
and various other things, and it will save that configuration back to
your floppy.

Highly recommended. Particularly for unsophisticated users.

Paul
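A small added diagnostic, not from this thread or from either poster, for the symptom discussed above: a host that does not answer ping but still serves its website. It probes ICMP and TCP separately and reports which case applies, so a missing echo reply is not mistaken for a dead host. It assumes ping(1), curl(1) and traceroute(1) are installed; the target host at the bottom is a placeholder.

```shell
#!/bin/sh
# Reachability triage: tell "ICMP dropped or deprioritised on the path"
# apart from "host really down". Assumed tools: ping, curl, traceroute.

probe_icmp() {           # $1 = host; succeeds if at least one echo reply arrives
    ping -c 3 -W 2 "$1" >/dev/null 2>&1
}

probe_tcp() {            # $1 = host, $2 = port; succeeds if a TCP connection opens
    # curl is only a connect probe here: any HTTP status, even 4xx, proves
    # the path and the host are up at layer 4.
    curl -sS -m 5 -o /dev/null "http://$1:$2/" >/dev/null 2>&1
}

# classify ICMP_RESULT TCP_RESULT -> one word on stdout.
# Both arguments are exit codes (0 = success), so this part can be checked
# without any network access.
classify() {
    icmp=$1; tcp=$2
    if [ "$icmp" -eq 0 ] && [ "$tcp" -eq 0 ]; then
        echo reachable
    elif [ "$icmp" -ne 0 ] && [ "$tcp" -eq 0 ]; then
        # Service answers but echo does not: ICMP is filtered or starved
        # somewhere on the path, exactly the case described in the thread.
        echo icmp-filtered
    elif [ "$icmp" -eq 0 ] && [ "$tcp" -ne 0 ]; then
        # Host is up but the service is not listening or is firewalled.
        echo service-down
    else
        echo unreachable
    fi
}

diagnose() {             # $1 = host, $2 = port (default 80)
    host=$1; port=${2:-80}
    if probe_icmp "$host"; then icmp=0; else icmp=1; fi
    if probe_tcp "$host" "$port"; then tcp=0; else tcp=1; fi
    verdict=$(classify "$icmp" "$tcp")
    echo "$host:$port icmp=$icmp tcp=$tcp verdict=$verdict"
    if [ "$verdict" = icmp-filtered ]; then
        # ICMP traceroute shows the last hop that still answers echo;
        # the filtering border lies just beyond it.
        traceroute -I -m 20 "$host" 2>/dev/null
    fi
    return 0
}

# diagnose www.example.invalid 80   # placeholder target, replace before use
```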



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:41:38 EDT