Topic: How to block ping response on SME6?

[netdesignns]

How does one block or disable the ping response on SME6.
Have searched the site but it does not appear to feature?

[CharlieBrady]

How does one block or disable the ping response on SME6.

Why do you want to block ping response?

Have searched the site but it does not appear to feature?

Are you telling me that or asking a question?

"server-gateway private" mode blocks ping response from the Internet but allows it from the LAN.

[netdesignns]

The server operates as a public gateway with a number of virtual domains. We are continually flooded with unwanted traffic much is email which is handled but the logs indicate that there are many other attempted connections that are denied. To block public ping response takes away one way of advertising the IP from the nuisance traffic. We had to do this with an SME 5.6 a couple of years ago with a succesful outcome with traffic falling off. We want to do this with this server as well.

[CharlieBrady]

The server operates as a public gateway with a number of virtual domains. We are continually flooded with unwanted traffic much is email which is handled but the logs indicate that there are many other attempted connections that are denied.

They will continue whether you block ping response or not.

[netdesignns]

The inward pings might continue but at least the server won't advertise its presence so readily.

[CharlieBrady]

The inward pings might continue but at least the server won't advertise its presence so readily.

It's a web server. It can't hide its presence.

[Ness]

But surely, if a server, web or otherwise, doesn't respond to pings on its WAN, over time, those who ping it will go elsewhere for this, improving response times over time? Optimistic maybe, but I think its a reasonable request.

Ok, there are engines out there that just ping for the nuisance factor and blocking wont stop them doiong it, but isnt stopping any at all better than stopping none?

Would the answer be to filter these out at the router level?

In the UK, BT and many others reject pings - why shouldn't a SME Server be set to do the same?

Chris

[gordonr]

In the UK, BT and many others reject pings - why shouldn't a SME Server be set to do the same?

Blocking ICMP ECHO disables the first "Is the server working?" test network admins use. It can also wreak havoc on DHCP networks during DHCP renewals. It provides very little additional security at significant cost to network diagnosis and robustness.

There is currently an option in the 'masq' service which blocks ICMP echo. I don't advise the use of it, and believe it should be removed in the future.