Caffeinated-Geek.com

Fun with ICMP: filter echo, but send an unreach

March 31st, 2008

Comments Off

Why do people completely filter ICMP echo? I have no problem with folks re-prioritizing or rate-limiting it, but outright filtering a VERY useful diagnostic tool for network guys like myself is really annoying.

Anyway, if you do decide to filter ICMP echo packets, please be sure you don’t send an ICMP unreachable from the device that’s filtered:

kgasso@wibbly:~$ ping -c 1 66.131.100.81
PING 66.131.100.81 (66.131.100.81) 56(84) bytes of data.

From 66.131.100.81 icmp_seq=1 Packet filtered

--- 66.131.100.81 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

So, the host I pinged – to test reachability – sent me a response saying that I’m not allowed to do that, confirming what I wanted to know in the first place, that the host was reachable. Uh, yeah… You kinda blew your cover there, buddy.

On second thought, I like this strategy. I’m going to start answering my doorbell by audibly saying “nobody’s home”.

Complaints, Network Admin, Security firewall

Twitter Feed

Okay, who shrank my cat? http://twitpic.com/2l8w7n [view] 5 hours ago
@JRThoms why don't you come back to my place and fiddle with my jumpers, see if you can reset a few things... er, wait. [view] 17 hours ago
@JRThoms sadly,the routers were perfectly functional, just no console - and the first one, the guy forgot the password, so no telnet access. [view] 18 hours ago
@JRThoms came up with that one after someone smoked 2 console ports in a row trying to "troubleshoot". now do it on all offsite gear. :) [view] 18 hours ago
one of my favorite "hacks" for remote CPEs to avoid the "I just fried your console port with Ethernet" prob: http://twitpic.com/2kyhzr [view] 23 hours ago

Archive

Fun with ICMP: filter echo, but send an unreach

Twitter Feed

Categories

Archives

Meta