|
T0aD
Stranger
Registered: 06/18/02
Posts: 4,475
Last seen: 15 years, 17 days
|
ICMP blocked by admin - Is there a way I can still use it?
#2313713 - 02/08/04 05:03 AM (20 years, 1 month ago) |
|
|
As I said, ICMP is obviousy filtered, as I cant ping/traceroute any host outside our wireless lan. Do you guys know any way I can still use icmp? Peace
-------------------- Cuba Libre
|
MetaShroom
菌类人
Registered: 06/02/02
Posts: 1,462
Loc: East Anglia UK
Last seen: 16 years, 9 months
|
Re: ICMP blocked by admin - Is there a way I can still use it? [Re: T0aD]
#2313729 - 02/08/04 05:25 AM (20 years, 1 month ago) |
|
|
You can get this website to do tracert and stuff for you, but obviously it's from the website, not your machine.
-------------------- JOIN MAPS -> www.MAPS.ORG
|
riffic
Registered: 09/12/02
Posts: 99
Last seen: 10 years, 20 days
|
Re: ICMP blocked by admin - Is there a way I can still use i [Re: T0aD]
#2314821 - 02/08/04 03:15 PM (20 years, 1 month ago) |
|
|
i dont understand why an admin would block outgoing ICMP.. it really doesn't pose a security risk as far as I know.. silly admins
|
biglo
Shroomery BabySitter
Registered: 11/22/02
Posts: 603
Loc: US of A
Last seen: 8 years, 7 months
|
Re: ICMP blocked by admin - Is there a way I can still use i [Re: riffic]
#2315325 - 02/08/04 07:07 PM (20 years, 1 month ago) |
|
|
"i dont understand why an admin would block outgoing ICMP.. it really doesn't pose a security risk as far as I know.. silly admins"
It's not stupid, it's probably to block outgoing Denial of Service Attacks that flood their network from home users that get infected with a virus and don't know it or know that they're clogging up bandwidth from it.
|
riffic
Registered: 09/12/02
Posts: 99
Last seen: 10 years, 20 days
|
Re: ICMP blocked by admin - Is there a way I can still use i [Re: biglo]
#2316472 - 02/09/04 12:22 AM (20 years, 1 month ago) |
|
|
Quote:
biglo said: "i dont understand why an admin would block outgoing ICMP.. it really doesn't pose a security risk as far as I know.. silly admins"
It's not stupid, it's probably to block outgoing Denial of Service Attacks that flood their network from home users that get infected with a virus and don't know it or know that they're clogging up bandwidth from it.
outgoing != incoming...
you'd want to block incoming icmp if you want to avoid ping flood attacks...
outgoing ICMP is a valuable diagnostic tool and blocking it is pointless.
|
Seuss
Error: divide byzero
Registered: 04/27/01
Posts: 23,480
Loc: Caribbean
Last seen: 1 month, 19 days
|
Re: ICMP blocked by admin - Is there a way I can still use i [Re: riffic]
#2316792 - 02/09/04 04:13 AM (20 years, 1 month ago) |
|
|
> outgoing ICMP is a valuable diagnostic tool and blocking it is pointless.
If I have infected users in my LAN, then by blocking outgoing ICMP I limit the damage my users are doing to others. Not pointless. Any good firewall configuration should block all outgoing ICMP that doesn't originate from the firewall proxy.
Here is an extreme example... I am a 'spy' behind a firewall and I want to sneak out secret data. I can format a ping ICMP packet with valid "secret data" and ping a machine outside the firewall. The machine outside replies back, with commands in it's data section. By writing two special "ping servers", one inside and one outside of the firewall, I can initiate data transfer over ICMP using ping.
-------------------- Just another spore in the wind.
|
riffic
Registered: 09/12/02
Posts: 99
Last seen: 10 years, 20 days
|
Re: ICMP blocked by admin - Is there a way I can still use i [Re: Seuss]
#2316833 - 02/09/04 05:00 AM (20 years, 1 month ago) |
|
|
you're overly paranoid, and you should yank the network cords from the users on your lan with infected hosts =) you might want to allow some icmp packets through, namely type 3 error messages.. other applications rely on receiving error messages http://tech.oneeyedcrow.net/icmp-filtering.html has a decent write-up.
|
Seuss
Error: divide byzero
Registered: 04/27/01
Posts: 23,480
Loc: Caribbean
Last seen: 1 month, 19 days
|
Re: ICMP blocked by admin - Is there a way I can still use i [Re: riffic]
#2316853 - 02/09/04 05:12 AM (20 years, 1 month ago) |
|
|
> you're overly paranoid
Comes from my training and background.
-------------------- Just another spore in the wind.
|
T0aD
Stranger
Registered: 06/18/02
Posts: 4,475
Last seen: 15 years, 17 days
|
Re: ICMP blocked by admin - Is there a way I can still use i [Re: Seuss]
#2316870 - 02/09/04 05:24 AM (20 years, 1 month ago) |
|
|
anyone has solution for me ?
-------------------- Cuba Libre
|
Seuss
Error: divide byzero
Registered: 04/27/01
Posts: 23,480
Loc: Caribbean
Last seen: 1 month, 19 days
|
Re: ICMP blocked by admin - Is there a way I can still use i [Re: T0aD]
#2318181 - 02/09/04 02:28 PM (20 years, 1 month ago) |
|
|
> Do you guys know any way I can still use icmp?
Nope, not easily.... make friends with the network admins... (I think I mentioned that before.)
-------------------- Just another spore in the wind.
|
biglo
Shroomery BabySitter
Registered: 11/22/02
Posts: 603
Loc: US of A
Last seen: 8 years, 7 months
|
Re: ICMP blocked by admin - Is there a way I can still use i [Re: Seuss]
#2336444 - 02/15/04 02:45 AM (20 years, 1 month ago) |
|
|
> outgoing ICMP is a valuable diagnostic tool and blocking it is pointless.
If I have infected users in my LAN, then by blocking outgoing ICMP I limit the damage my users are doing to others. Not pointless. Any good firewall configuration should block all outgoing ICMP that doesn't originate from the firewall proxy.
Yeah, that's what I meant. It limits the damage you can do to other people/websites from your computer if your computer becomes infected and is clogging up outgoing bandwidth on the network.
|
MetaShroom
菌类人
Registered: 06/02/02
Posts: 1,462
Loc: East Anglia UK
Last seen: 16 years, 9 months
|
Re: ICMP blocked by admin - Is there a way I can still use i [Re: biglo]
#2336558 - 02/15/04 04:10 AM (20 years, 1 month ago) |
|
|
I had a virus on my network once that was sending vast amounts of ICMP traffic outwards. We actually thought at first that some dodgy hardware was to blame, so it can have a serious effect on your own network, regardless of causing problems for other people.
-------------------- JOIN MAPS -> www.MAPS.ORG
|
riffic
Registered: 09/12/02
Posts: 99
Last seen: 10 years, 20 days
|
Re: ICMP blocked by admin - Is there a way I can still use i [Re: biglo]
#2337166 - 02/15/04 11:57 AM (20 years, 1 month ago) |
|
|
-edit-
Edited by riffic (03/11/14 12:17 AM)
|
MetaShroom
菌类人
Registered: 06/02/02
Posts: 1,462
Loc: East Anglia UK
Last seen: 16 years, 9 months
|
Re: ICMP blocked by admin - Is there a way I can still use i [Re: riffic]
#2337398 - 02/15/04 12:57 PM (20 years, 1 month ago) |
|
|
this is about network admins blocking outgoing ICMP, so that if a user does become infected, it won't cause problems for the whole network
-------------------- JOIN MAPS -> www.MAPS.ORG
|
mntlfngrs
The Art of Casterbation
Registered: 07/18/02
Posts: 3,937
Last seen: 5 years, 6 months
|
Re: ICMP blocked by admin - Is there a way I can still use i [Re: Seuss]
#2364166 - 02/21/04 02:45 PM (20 years, 1 month ago) |
|
|
I would apply access lists to the routers with exceptions for management stations By blocking all ICMP at the firewall it limits managements ability to troubleshoot in the DMZ.
-------------------- Be all and you'll be to end all
|
|