Question and 'ping'.

[nahpets]

My university recently started blocking ALL outgoing and incoming pings. I noticed this because 'netselect' doesn't work anymore. I sent an email to admin to ask about it, and they replied with this:

From what I understand to open outgoing ping we also need to allow
incoming ping (for the reply). Therefore, for security reasons, ping is
restricted to only certain subnets.

My firewall (shorewall) ignores all incoming ping traffic but I'm still able to properly send out pings. My initial reaction is that you should be able to block incoming pings while still allowing outgoing pings... Is there a sysadmin here who can confirm or refute the statement above?

[syscrash]

I believe your firewall is receiving pings, it is just not replying to them (they are ignored.)

[nahpets]

The firewall on my box ignores all pings, that's true. The problem is that the network admins have blocked all outgoing and incoming ping traffic for security reasons. My question is do they really need to block outgoing pings as well as incoming ping traffic? Can't they simply block incoming ping sweeps?

[think4urs11]

Mhh well yes ... theoretically it is possible to misuse icmp to tunnel traffic through a firewall which does not block it; on the other hand this is true for every single protocol and/or port which is allowed for going out (and letting back in the answer packets).

Either your sysadmin had a bad day or no idea at all. Depends to some extend to the exact network setup you have.
Normally they don't need to allow 'outside->inside icmp' in general but _only_ the answers for the ping _you_ send out before.
(this is whats called stateful - the term isn't normally used for icmp though; in iptables-speak this is related traffic)

Connection tracking refers to the ability to maintain state information about a connection in memory tables, such as source and destination ip address and port number pairs (known as socket pairs), protocol types, connection state and timeouts. Firewalls that do this are known as stateful.

A setup like you describe here though (in->out icmp allowed + _all_ out->in icmp dropped) makes no sense at all. Why allow to send data outwards but deny the reception of answers for this data?

[nahpets]

A setup like you describe here though (in->out icmp allowed + _all_ out->in icmp dropped) makes no sense at all. Why allow to send data outwards but deny the reception of answers for this data?

The reason why the sysadmins are stopping out->in ping traffic is because the university network is to stop ping sweeps etc. So in order to accomplish this, they've blocked ALL ping traffic, ie. out->in, in->out. I can't even ping yahoo...

What I'd like to know from someone who has experience in these matters is if there's really no way to enable the following:

• I can ping yahoo from inside the network.
• Yahoo can't ping me.

[James Wells]

Greetings,

What I'd like to know from someone who has experience in these matters is if there's really no way to enable the following:

• I can ping yahoo from inside the network.
• Yahoo can't ping me.

You might want to check out hping and traceroute-ng. Hping will allow you to use port specific, non-ICMP pings. Traceroute-ng will allow you to use port specific, non-ICMP traces. For example hping -p http www.yahoo.com.

[think4urs11]

What I'd like to know from someone who has experience in these matters is if there's really no way to enable the following:

• I can ping yahoo from inside the network.
• Yahoo can't ping me.

Normally they don't need to allow 'outside->inside icmp' in general but _only_ the answers for the ping _you_ send out before.
(this is whats called stateful - the term isn't normally used for icmp though; in iptables-speak this is related traffic)

In other words - yes, possible with ease; with nearly every firewall besides 'historic' ones.
(to be precise, easily possible with every firewall software which works stateful; somewhat tricky at best if they use a plain/dumb packet filter)

[nahpets]

Ok... thanks for clearing that up. I wanted to be sure that if can be easily accomplished before I bring that up to the sysadmins.

[syscrash]

Ok... thanks for clearing that up. I wanted to be sure that if can be easily accomplished before I bring that up to the sysadmins.

I see your location says Montreal.. which university are you talking about so that I can perhaps decide not to go there?

[expat_iain]

There are different ICMP types. The key type you are looking at here are ICMP_ECHO_REQUEST and ICMP_ECHO_REPLY. If I have understood correctly, then the sysadmin should do the following:

Inside->Outside:
Allow ICMP_ANY

Outside->Inside
Allow ICMP_ECHO_REPLY
Block ICMP_ANY

Regs.

Iain.

[nahpets]

Ok... thanks for clearing that up. I wanted to be sure that if can be easily accomplished before I bring that up to the sysadmins.

I see your location says Montreal.. which university are you talking about so that I can perhaps decide not to go there?

To be fair, I don't think that the reputation of the entire university should be degraded because of something as trivial as blocking pings. Remember that a university comprises of many faculties, departments and employees. Stuff like this happens all the time in any large bureaucracy

expat_iain: Thanks for the tip... I'll forward the info to the admins and see what happens.

[syscrash]

Ok... thanks for clearing that up. I wanted to be sure that if can be easily accomplished before I bring that up to the sysadmins.

I see your location says Montreal.. which university are you talking about so that I can perhaps decide not to go there?

To be fair, I don't think that the reputation of the entire university should be degraded because of something as trivial as blocking pings. Remember that a university comprises of many faculties, departments and employees. Stuff like this happens all the time in any large bureaucracy

I know, hence the

[nahpets]

hah... true. I didn't notice the smiley the frist time I read your post.