Koozali.org: home of the SME Server
Obsolete Releases => SME Server 6.x => Topic started by: netdesignns on June 30, 2006, 12:08:25 PM
-
How does one block or disable the ping response on SME6?
Have searched the site but it does not appear to feature?
-
> How does one block or disable the ping response on SME6?
Why do you want to block ping response?
> Have searched the site but it does not appear to feature?
Are you telling me that or asking a question?
"server-gateway private" mode blocks ping response from the Internet but allows it from the LAN.
-
The server operates as a public gateway with a number of virtual domains. We are continually flooded with unwanted traffic; much is email, which is handled, but the logs indicate that there are many other attempted connections that are denied. To block public ping response takes away one way of advertising the IP from the nuisance traffic. We had to do this with an SME 5.6 a couple of years ago with a successful outcome, with traffic falling off. We want to do this with this server as well.
-
> The server operates as a public gateway with a number of virtual domains. We are continually flooded with unwanted traffic; much is email, which is handled, but the logs indicate that there are many other attempted connections that are denied.
They will continue whether you block ping response or not.
-
The inward pings might continue but at least the server won't advertise its presence so readily.
-
> The inward pings might continue but at least the server won't advertise its presence so readily.
It's a web server. It can't hide its presence.
-
But surely, if a server, web or otherwise, doesn't respond to pings on its WAN, over time, those who ping it will go elsewhere for this, improving response times over time? Optimistic maybe, but I think it's a reasonable request.
Ok, there are engines out there that just ping for the nuisance factor and blocking won't stop them doing it, but isn't stopping any at all better than stopping none?
Would the answer be to filter these out at the router level?
In the UK, BT and many others reject pings - why shouldn't a SME Server be set to do the same?
Chris
-
> In the UK, BT and many others reject pings - why shouldn't a SME Server be set to do the same?
Blocking ICMP ECHO disables the first "Is the server working?" test network admins use. It can also wreak havoc on DHCP networks during DHCP renewals. It provides very little additional security at significant cost to network diagnosis and robustness.
There is currently an option in the 'masq' service which blocks ICMP echo. I don't advise the use of it, and believe it should be removed in the future.