Becoming pingable

Discussion in 'other firewalls' started by Grasshopper, Nov 18, 2002.

Thread Status:
Not open for further replies.
  1. Grasshopper

    Grasshopper Registered Member

    Joined:
    Sep 30, 2002
    Posts:
    77
    Since I would have to make changes to my firewall, I'm hoping this is the proper place for this question.

    In my search for a little faster download times, I have been told to become pingable. Can anyone tell me in layman's terms what it means to be pingable and how it applies to my download times.
    Also, what security related problems could arise by becoming pingable.
    Thanks to anyone who can shed a little light on this subject.
    Frank
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    You will probably get varied opinions on allowing ICMP.

    I am not certain if being pingable, allowing Inbound ICMP type 8 echo request and Outbound ICMP type 0 echo reply, would help with download speeds. Allowing Inbound ICMP type 3 destination unreachable may help with some connections.

    Which firewall are you using? If a rules based firewall, you would have the ability to make permitted ICMP rules for trusted sites while still blocking everything else.
     
  3. Grasshopper

    Grasshopper Registered Member

    Joined:
    Sep 30, 2002
    Posts:
    77
    Hello CrazyM, and thanks for the quick reply.
    I'm using Sygate Pro.
    Frank
     
  4. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    I'm using ZA Pro ! "Inbound ICMP (type:9/subtype:3) destination unreachable" are blocked by ZA Pro.

    These ICMP packets are from my local ISP.
    Everything seems to continue to run fine at this point !!

    Here is a quote from ZA Pro "more info" option.......

    <<< ZoneAlarm Pro blocked an ICMP Destination Unreachable message

    ZoneAlarm Pro has successfully stopped Internet traffic from reaching your computer. No breach in your security has occurred and your computer is safe. Details

    ICMP messages are the Internet's control messages. Routers and computers use these messages to determine how to route information from one place to another on the Internet and to keep track of the routing of that traffic. The ICMP Destination Unreachable message tells your computer that something you tried to send could not be delivered to its destination. An additional code within the message indicates the reason. Some examples of reasons why your data might not be deliverable include:

    No route currently exists to reach the network you were trying to reach.
    No route currently exists to get to the specific computer you were trying to reach.
    The packet of data that you were trying to send was too large.
    A network administrator has installed a packet filter that refuses to forward the kind of communication you were trying to send.
    The reason code in the message that generated this alert was 0. Please see the links below for detailed information about different ICMP Type 3 Destination Unreachable codes and their meanings.

    Internet standards dictate that the ICMP Destination Unreachable messages is only sent as a response; however, hackers frequently disregard these standards when trying to attack or break into other people's computers. For this reason, if ZoneAlarm Pro detects one of these messages and cannot determine what it is responding to, ZoneAlarm Pro will block the message -- for example, if the response took too long, or if the packet is not a response at all.

    The action of blocking the message normally has no effect on your application if the message was legitimate. It does however protect you against hackers if the message was not legitimate. >>>>

    regards,
    bill :)
     
  5. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Common types of ICMP safe to allow:

    Inbound: type 0 echo reply, type 3 destination unreachable, type 11 time exceeded.

    Outbound: type 8 echo request.

    Permitting the above will permit you to ping and traceroute others, but you yourself will not be pingable. As mentioned, the inbound type 3 may help with connections.

    If you should want to allow specific sites to be able to ping your system you could create a rule to allow Inbound type 8 echo request and Outbound type 0 echo reply and limit it to specified IP addresses.

    Another example of how to set up ICMP rules can be found here: http://www.wilderssecurity.com/showthread.php?t=4413

    It has been awhile since I looked at Sygate, but you should be able to do this in your advanced rules.
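
The rule set from the post above, modelled as an added example (not part of the original thread and not Sygate's own rule syntax): it checks constructed ICMP packets against the listed allow rules and shows that the host can ping and traceroute others while staying unpingable except from listed addresses. The `Rule` class, the function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str      # "in" or "out", relative to the protected host
    icmp_type: int      # 0 echo reply, 3 dest unreachable, 8 echo request, 11 time exceeded
    peers: tuple = ()   # empty = any remote address, else allowed networks (CIDR)

    def matches(self, direction, icmp_type, remote_ip):
        if (direction, icmp_type) != (self.direction, self.icmp_type):
            return False
        if not self.peers:
            return True
        addr = ipaddress.ip_address(remote_ip)
        return any(addr in ipaddress.ip_network(p) for p in self.peers)

def build_rules(trusted=()):
    """Allow rules from the post; everything not listed is blocked."""
    rules = [Rule("in", 0), Rule("in", 3), Rule("in", 11), Rule("out", 8)]
    if trusted:
        # Optional pair: be pingable, but only by the specified addresses.
        rules += [Rule("in", 8, tuple(trusted)), Rule("out", 0, tuple(trusted))]
    return rules

def allowed(rules, direction, icmp_type, remote_ip):
    # Default deny: a packet passes only if some allow rule matches it.
    return any(r.matches(direction, icmp_type, remote_ip) for r in rules)

def is_pingable_from(rules, remote_ip):
    # Pingable means the echo request gets in AND the echo reply gets out.
    return (allowed(rules, "in", 8, remote_ip)
            and allowed(rules, "out", 0, remote_ip))

if __name__ == "__main__":
    # Constructed sample traffic using documentation address ranges.
    rules = build_rules(trusted=["192.0.2.10/32"])
    samples = [("out", 8, "203.0.113.9"), ("in", 0, "203.0.113.9"),
               ("in", 11, "198.51.100.1"), ("in", 3, "198.51.100.1"),
               ("in", 8, "203.0.113.9"), ("in", 8, "192.0.2.10")]
    for direction, icmp_type, ip in samples:
        verdict = "ALLOW" if allowed(rules, direction, icmp_type, ip) else "BLOCK"
        print(f"{verdict} {direction:>3} type {icmp_type:<2} remote {ip}")
```
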
     
  6. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    I would like for someone to explain to me how becoming pingable would increase the speed of any downloads. I certainly have no intention of giving up my stealth status, and allow others to ping me.
    I understand it is necessary for some online gaming and that is the only reason I could ever see for allowing pings.
    CrazyM's got the rules right. I would leave it at that if you want some security. :D
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Grasshopper,

    Being a Sygate Pro user myself, these sites helped me a lot:
    http://bellsouthpwp.net/i/k/ikpe/SygateBasics.html and
    http://bellsouthpwp.net/i/k/ikpe/SygateAdvancedRules.html

    Regards,

    Pieter
     
  8. Grasshopper

    Grasshopper Registered Member

    Joined:
    Sep 30, 2002
    Posts:
    77
    I didn't realize the can of worms I would be opening by asking what I thought was a small and easy question.
    By the answers that I received I now realize that I'm in too deep for someone so new to computers. I've got a lot more reading to do.
    The amount and depth of knowledge in this forum is amazing, I only hope to be able to contribute in the future.
    As I said I believe I have a lot more reading to do.

    Thanks Pieter for the site, I know it will be a great help in the future.
    Regards,
    Frank
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    You're welcome Frank.
    Compared to our specialists I know next to nothing about firewalls in general, but those sites helped me feel comfortable in using SPF.

    Regards,

    Pieter
     
  10. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    Yep, agreed. There is no good reason for a site to ping you on a download. They already know your machine IP due to the request and it sure would not increase dl speed. The only thing that *might* affect how fast a dl starts would be some sites may want to see you via TCP port 113 for auth. -- but only for *starting* the download. Has nothing to do with the speed once started.

    Now, if there are several sites having the same file available for download, you could ping THEM to see which is the fastest for your location. That would have an effect on dl speed if there were substantial differences. There are many factors that affect dl speed, but pinging the client ain't one of them. :D

    Phil
     
  11. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Hey Frank, no can of worms here. Looks like everyone pretty much agrees on this one. That's not always the case. :D
    One good way to learn is to ask questions. I still do it myself. And I don't think you're getting in too deep. This is an area that a lot of people don't pay much attention to, and it needs to be discussed from time to time. ;)
     
  12. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Something else to add to your list...

    http://www.robertgraham.com/pubs/firewall-seen.html

    Some good info in general along with an explanation of the more common ICMP types.
     
  13. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Oooooh! That was nasty!
    He may not be back for weeks now. :D :D
     
  14. Grasshopper

    Grasshopper Registered Member

    Joined:
    Sep 30, 2002
    Posts:
    77
    Hey CrazyM, was that site meant to keep me from bothering you folks for awhile o_O
    Regards,
    Frank
     
  15. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Don't you worry, Frank; it's merely kidding. You are welcome as ever to ask questions! ;).

    regards.

    paul
     
  16. Grasshopper

    Grasshopper Registered Member

    Joined:
    Sep 30, 2002
    Posts:
    77
    Thanks Paul, I'm not worried, I was only getting in on the fun. Nice to know you're looking out for the little guys though.
    Regards,

    Frank.
     
  17. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Frank,

    Good ;).

    btw: there are no "little guys" in our book ;).

    regards,

    paul
     
  18. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Yeah. All the little guys are in Ireland and they call them the wee people.
    First time I saw that site, I had asked a simple firewall question, and the reply was, your answer is here, with a link to Robert Graham's page.
    It does generate a little conversation, but it is most excellent information. It will really help you if you can get thru even part of it.
     
  19. Grasshopper

    Grasshopper Registered Member

    Joined:
    Sep 30, 2002
    Posts:
    77
    At a quick glance it looks very much like you're teaching me how to swim by throwing me into the deep end of the pool.
    I don't know how long it will take me but I will get through it.
    Regards,

    Frank
     