by asmithmd1 4178 days ago
Is it just my network administrator or do others drop outgoing Ping messages at the corporate firewall? This has cost me and others more time than I would like to admit for some vague "security" reason that he won't or can't explain.
1 comment

Start with a default-deny policy, the only sensible course. (Google "IP over ICMP".) Note that some sysadmins need to verify external connectivity, so allow ICMP echo reply messages to those IPs (or subnets, more likely).

Result: if your machine isn't in one of those blessed ranges, you never get a response to a ping to an outside address. Most users don't complain, because they don't even know what a ping is.

So, it's not just your company, but it's not general practice everywhere.

Blocking ICMP is a questionable practice in my opinion. It generally just complicates troubleshooting for a marginal gain in "security" and some applications even require it for PMTU discovery.

If you're really worried about user tunneling out through various tricks, you'd probably have to block the whole internet and apply a whitelist of trusted destination hosts.
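The two comments above describe a policy (default-deny egress, with ping allowed only for an admin subnet) and the caveat that goes with it (PMTU discovery breaks if the wrong ICMP types are dropped). The nftables ruleset below is an added example written for this thread; it is not from any commenter or from the tcpie project. The subnet 10.0.50.0/24 and the allowed TCP ports are constructed placeholders, and the rules assume a Linux router running nftables with connection tracking on the forward path.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny egress that still lets PMTU discovery work.
# 10.0.50.0/24 and the port list are placeholders, not values from the thread.

flush ruleset

table inet filter {
    set ping_allowed {
        type ipv4_addr
        flags interval
        # constructed: the admin/NOC subnet that may verify external connectivity
        elements = { 10.0.50.0/24 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to traffic we already allowed out (including echo replies
        # to a tracked echo request) ride on conntrack state.
        ct state established,related accept

        # PMTU discovery: "fragmentation needed" (v4) and "packet too big" (v6)
        # must never be dropped, or TCP over a small-MTU path stalls on large
        # transfers while small requests keep working, which is hard to debug.
        ip protocol icmp icmp type destination-unreachable icmp code frag-needed accept
        ip6 nexthdr icmpv6 icmpv6 type packet-too-big accept

        # Outbound echo only from the blessed subnet; everyone else gets the
        # "ping never answers" behaviour the first comment describes.
        ip saddr @ping_allowed icmp type echo-request accept

        # Everything else that is allowed out has to be listed explicitly.
        tcp dport { 80, 443 } accept

        # Log before dropping so a blocked ping shows up when troubleshooting
        # instead of silently timing out.
        log prefix "egress-drop: " counter drop
    }
}
```

Because the rules are stateful, the echo reply does not need its own accept line: once an echo request from the allowed subnet is accepted, the reply is matched by the `ct state established,related` rule. On a stateless filter you would instead add an explicit accept for `icmp type echo-reply` destined to the subnet. The two PMTU rules are the part worth checking on any existing firewall: a policy that drops all ICMP, rather than just echo, takes those messages with it.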

As a heavy ping user, this blockage always bothered me, so I started working on a similar tool to get around this:

https://github.com/silverwind/tcpie