[GTALUG] Ubuntu -- Disabling Ping

James Knott james.knott at jknott.net
Thu Aug 30 11:46:42 EDT 2018


On 08/30/2018 11:31 AM, D. Hugh Redelmeier via talk wrote:
> | From: James Knott via talk <talk at gtalug.org>
>
> | On 08/30/2018 06:11 AM, o1bigtenor via talk wrote:
> | > I have ping disabled directly on my router so none of the machines
> | > behind it can be accessed from outside.
> | 
> | How does disabling ping on a router prevent access to what's behind it? 
> | Ping has nothing to do with routing.
>
> 1) OP's question was asking about a solution without stating a real
>    problem that needed solving.  (See 2).

People often do that and wind up creating problems trying to fix the one
that doesn't exist.

> 2) almost everyone's LAN is behind NAT so pings from the outside world
>    cannot even address LAN nodes.  In other words, no problem exists.

Not anymore.  In fact there have long been LANs that aren't behind NAT.
Any network that has a lot of public servers would be one example. 
Also, back in the late 90s, when I was at IBM, on Steeles, the entire
LAN had public addresses (mine was 9.29.146.147), as those networks were
set up before NAT became necessary to get around the IPv4 address shortage.

Also, IPv6 is now being used by many and NAT is discouraged on it.  This
means that, for example, Rogers customers will have public IPv6
addresses.  However, given that they have a minimum of 18.4 billion,
billion addresses to choose from, they're a bit harder to find.

> Many people do think that depending solely on a firewall for network
> security is a bad model.  "Crunchy on the outside, soft on the
> inside."  Every node should be hardened.  But what are you going to do
> to harden your IoT devices (light bulbs, fridges, settop boxes,
> thermostats, watches, ....)?
>

Also, relying on NAT for security is a bad idea.  It does nothing that a
properly configured firewall can't do.


