by dsr_
4177 days ago
Start with a default-deny policy, the only sensible course. (Google "IP over ICMP".) Note that some sysadmins need to verify external connectivity, so allow ICMP echo reply messages to those IPs (or subnets, more likely). Result: if your machine isn't in one of those blessed ranges, you never get a response to a ping to an outside address. Most users don't complain, because they don't even know what a ping is. So, it's not just your company, but it's not general practice everywhere.
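
The policy described in the comment above, written out as an nftables forward chain (an added example, not the commenter's configuration). The interface names `lan0` and `wan0`, the set name and the two subnets are assumptions; the rate-limited log rule is an addition so that denied ICMP is visible for review.

```nftables
# Assumed layout: lan0 = internal network, wan0 = uplink (hypothetical names).
table inet perimeter {

    # "Blessed" ranges allowed to ping outside hosts.
    # Constructed sample subnets; replace with the real admin ranges.
    set ping_admins {
        type ipv4_addr
        flags interval
        elements = { 10.0.5.0/24, 10.0.9.16/28 }
    }

    chain forward {
        # Default deny: anything not matched below is dropped.
        type filter hook forward priority 0; policy drop;

        # Echo requests may leave only from the blessed ranges.
        iifname "lan0" oifname "wan0" ip saddr @ping_admins icmp type echo-request accept

        # Echo replies are let back in only towards the blessed ranges.
        iifname "wan0" oifname "lan0" ip daddr @ping_admins icmp type echo-reply accept

        # Record other forwarded ICMP at a limited rate, then drop it
        # explicitly so the counter shows how much is being denied.
        meta l4proto icmp limit rate 10/minute log prefix "icmp-denied: "
        meta l4proto icmp counter drop

        # Rules for the other traffic this network permits go here.
    }
}
```

Load it with `nft -f <file>` and read the drop counter with `nft list chain inet perimeter forward`.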
If you're really worried about user tunneling out through various tricks, you'd probably have to block the whole internet and apply a whitelist of trusted destination hosts.
As a heavy ping user, this blockage always bothered me, so I started working on a similar tool to get around this:
https://github.com/silverwind/tcpie