On Mon, 5 Jan 2004, Jason A. Smith wrote:
> On Mon, 2004-01-05 at 14:29, Maarten LITMAATH wrote:
> > Yes, technically it is not needed, but it sure would help in trying to
> > understand any problems with service nodes! Why is it such a big deal
> > to allow ICMP?
>
> Our cyber-security team says it is an unnecessary security risk to allow
> the outside world to map the internal network with icmp, therefore all
> icmp traffic is blocked at the perimeter firewall unless a conduit has
> been specifically requested for a certain host with a good reason. I
> never requested such a conduit for our CE. If it is necessary then I
> can make that request. Is ping used for any of the testing scripts,
> does it need to be allowed? If it is required then it should be added
> to the firewall/ports document.
Many moons ago the RB did use to check a host was alive before firing
a job at it. I do not believe this is any longer the case though. I think
ping is only required for the tests.
Of course there is a good argument that all hosts should accept ICMP which
may be the reason it was never included in the rule set.
RFC 1122 (Requirements for Internet Hosts -- Communication Layers) states
that it should not be blocked.
Steve
>
> ~Jason
>
>
> --
> /------------------------------------------------------------------\
> | Jason A. Smith Email: [log in to unmask] |
> | Atlas Computing Facility, Bldg. 510M Phone: (631)344-4226 |
> | Brookhaven National Lab, P.O. Box 5000 Fax: (631)344-7616 |
> | Upton, NY 11973-5000 |
> \------------------------------------------------------------------/
>
--
Steve Traylen
[log in to unmask]
http://www.gridpp.ac.uk/