Becoming pingable

Since I would have to make changes to my firewall , I'm hoping this is the proper place for this question .

In my search for a little faster download times , I have been told to become pingable . Can anyone tell me in laymans terms what it means to be pingable and how it applys to my download times.
Also , what security related problems could arise by becoming pingable.
Thanks to anyone who can shed a little light on this subject.
Frank

 

You will probably get varied opinions on allowing ICMP.

I am not certain if being pingable, allowing Inbound ICMP type 8 echo request and Outbound ICMP type 0 echo reply, would help with download speeds. Allowing Inbound ICMP type 3 destination unreachable may help with some connections.

Which firewall are you using? If a rules based firewall, you would have the ability to make permitted ICMP rules for trusted sites while still blocking everythng else.

 

Hello CrazyM ,and thanks for the quick reply.
I'm using Sygate Pro .
Frank

 

I'm using ZA Pro ! "Inbound ICMP (type:9/subtype:3) destination unreachable" are blocked by ZA Pro.

These ICMP packets are from my local ISP.
Everything seems to continue to run fine at this point !!

Here is a quote from ZA Pro "more info" option.......

<<< ZoneAlarm Pro blocked an ICMP Destination Unreachable message

ZoneAlarm Pro has successfully stopped Internet traffic from reaching your computer. No breach in your security has occurred and your computer is safe. Details

ICMP messages are the Internet's control messages. Routers and computers use these messages to determine how to route information from one place to another on the Internet and to keep track of the routing of that traffic. The ICMP Destination Unreachable message tells your computer that something you tried to send could not be delivered to its destination. An additional code within the message indicates the reason. Some examples of reasons why your data might not be deliverable include:

No route currently exists to reach the network you were trying to reach.
No route currently exists to get to the specific computer you were trying to reach.
The packet of data that you were trying to send was too large.
A network administrator has installed a packet filter that refuses to forward the kind of communication you were trying to send.
The reason code in the message that generated this alert was 0. Please see the links below for detailed information about different ICMP Type 3 Destination Unreachable codes and their meanings.

Internet standards dictate that the ICMP Destination Unreachable messages is only sent as a response; however, hackers frequently disregard these standards when trying to attack or break into other people's computers. For this reason, if ZoneAlarm Pro detects one of these messages and cannot determine what it is responding to, ZoneAlarm Pro will block the message -- for example, if the response took too long, or if the packet is not a response at all.

The action of blocking the message normally has no effect on your application if the message was legitimate. It does however protect you against hackers if the message was not legitimate. >>>>

regards,
bill

 

Common types of ICMP safe to allow:

Inbound: type 0 echo reply, type 3 destination unreachable, type 11 time exceeded.

Outbound: type 8 echo request.

Permitting the above will permit you to ping and traceroute others, but you yourself will not be pingable. As mentioned, the inbound type 3 may help with connections.

If you should want to allow specific sites to be able to ping your system you could create a rule to allow Inbound type 8 echo request and Outbound type 0 echo reply and limit it to specified IP addresses.

Another example of how to set up ICMP rules can be found here: https://www.wilderssecurity.com/showthread.php?t=4413

It has been awhile since I looked at Sygate, but you should be able to do this in your advanced rules.

 

I would like for someone to explain to me how becoming pingable would increase the speed of any downloads. I certainly have no intention of giving up my stealth status, and allow others to ping me.
I understand it is necessary for some online gaming and that is the only reason I could ever see for allowing pings.
CrazyMs got the rules right. I would leave it at that if you want some security.

 

Grasshopper,

Being a Sygate Pro user myself, these sites helped me a lot:
http://bellsouthpwp.net/i/k/ikpe/SygateBasics.html and
http://bellsouthpwp.net/i/k/ikpe/SygateAdvancedRules.html

Regards,

Pieter

 

I didn't realize the can of worms I would be opening by asking what I thought was a small and easy question .
By the answers that I received I now realize that I'm in to deep for someone so new to computers. I've got a lot more reading to do .
The amount and depth of knowledge in this forum is amazing , I only hope to be able to contribute in the future.
As I said I believe I have a lot more reading to do.

Thanks Pieter for the site , I know it will be a great help in the future.
Regards,
Frank

 

Your welcome Frank.
Compared to our specialists I know next to nothing about firewalls in general, but those sites helped me feel comfortable in using SPF.

Regards,

Pieter

 

Yep, agreed. There is no good reason for a site to ping you on a download. They already know your machine IP due to the request and it sure would not increase dl speed. The only thing that *might* affect how fast a dl starts would be some sites may want to see you via TCP port 113 for auth. -- but only for *starting* the download. Has nothing to do with the speed once started.

Now, if there are several sites having the same file available for download, you could ping THEM to see which is the fastest for your location. That would have an effect on dl speed if there were substantial differences. There are many factors that effect dl speed, but pinging the client ain't one of them.

Phil

 

Hey Frank, no can of worms here. Looks like everyone pretty much agrees on this one. That's not always the case.
One good way to learn is to ask questions. I still do it myself. And I don't think you're getting in too deep. This is an area that a lot of people don't pay much attention to, and it needs to be discussed from time to time.

 

Something else to add to your list...

http://www.robertgraham.com/pubs/firewall-seen.html

Some good info in general along with an explanation of the more common ICMP types.

 

Oooooh! That was nasty!
He may not be back for weeks now.

 

Hey CrazyM , was that site ment to keep me from bothering you folks for awhile
Regards,
Frank

 

Thanks Paul , I'm not worried , I was only getting in on the fun. Nice to know your looking out for the little guys though.
Regards,

Frank.

 

Yeah. All the little guys are in Ireland and they call them the wee people.
First time I saw that site, I had asked a simple firewall question, and the reply was, you answer is here, with a link to Robert Grahams page.
It does generate a little conversation, but it is most excellent information. It will really help you if you can get thru even part of it.

 

At a quick glance it looks very much like your teaching me how to swim by throwing me into the deep end of the pool
I don't know how long it will take me but I will get through it.
Regards,

Frank