25-11-2009, 15:20
#13
067
Join Date: Jul 2007
Location: Middlesbrough
Age: 49
Services: Many
Posts: 5,066
Re: Netgear Router Problem?
I've said this before and I'll say it again: blocking ICMP on the WAN port is a bad move.
All this is doing is showing that there is a device connected on that IP address. Nothing more, nothing less. Blocking ICMP causes more issues than it solves.
Quote:
Originally Posted by Robin Walker's cable modem pages
Stealth-mode firewalls considered harmful
Some firewalls have a hiding mechanism they call stealth. For instance, the High Security setting in ZoneAlarm is an example of stealth mode. In stealth mode, the firewall causes the PC just to ignore incoming connection attempts, rather than rejecting them, as would be normal for incoming connection attempts to closed ports. The result is that the PC appears to be switched off and absent from the network.
This hyper-paranoid approach to security causes some difficulties. For a start, Internet standard RFC 1122 states categorically about ICMP Echoes (ping):
3.2.2.6 Echo Request/Reply: RFC-792
Every host MUST implement an ICMP Echo server function that receives Echo Requests and sends corresponding Echo Replies.
Note the MUST rather than SHOULD. This means that any internet user, or ISP server, has a right to expect that all live PCs connected to the internet will respond to ICMP ping requests with an ICMP reply. If a firewall user chooses to stealth ICMP requests so that no response is sent, they have only themselves to blame if they start experiencing problems, because they are in breach of RFC 1122.
The problems that might arise if you kill ICMP responses with stealth are:
Difficulties with DHCP lease acquisition or renewal in cases where the DHCP server checks on the availability of IP addresses, or your presence on the network, with ICMP ping requests [this doesn't actually happen on the original NTL network, but ICMP requests have been seen coming from the DHCP servers of digital TV set-top boxes. No problems seen with blueyonder];
Slowness of web connection setup in cases where the remote web server uses ICMP to determine the MTU of the response path;
Frustration at ISP help-desks (and with informal helpers) if your PC does not respond to pings and traceroutes, as it is difficult to distinguish this situation from a broken connection.
So you are strongly advised not to apply stealth techniques to the ICMP protocol. In the freeware version of ZoneAlarm, this means you should run it in Medium Security, not High Security, for the Internet Zone. In ZoneAlarm Pro, you can configure ICMP behaviour to permit ICMP Echo packets in and out even in High Security, using the Customize button of the Security Settings panel.
__________________
Nerves of steel, heart of gold, knob of butter......
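As an added illustration of the point made in the post and the quoted page (this is example code written for this thread, not code from the poster, from Robin Walker's pages, or from any firewall product), the script below contrasts a "stealth" policy that silently discards every ICMP packet with an allow-list that keeps a host RFC 1122-compliant: echo request and reply pass, and so do the Destination Unreachable and Time Exceeded errors that Path MTU Discovery (RFC 1191) and traceroute depend on, while types such as Redirect, Timestamp and Address Mask requests are still dropped. All packet bytes are constructed inline; the addresses, id/sequence values and the 1400-byte next-hop MTU are made up for the example. The function and constant names are the example's own.

```python
"""ICMP allow-list filter versus a stealth (drop-everything) policy.

Example code for this thread; not from the original post or any product.
Packets are parsed from raw ICMP bytes (the part after the IPv4 header).
"""
import struct

# ICMP types used below (RFC 792, RFC 1191).
ECHO_REPLY, DEST_UNREACH, REDIRECT, ECHO_REQUEST = 0, 3, 5, 8
TIME_EXCEEDED, TIMESTAMP_REQUEST, ADDRESS_MASK_REQUEST = 11, 13, 17
FRAG_NEEDED = 4  # Destination Unreachable code: fragmentation needed, DF set

# What a host should accept: echo both ways (RFC 1122 3.2.2.6, "MUST") plus the
# error messages that Path MTU Discovery and traceroute rely on.
ALLOWED_TYPES = {ECHO_REQUEST, ECHO_REPLY, DEST_UNREACH, TIME_EXCEEDED}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4,
               payload: bytes = b"") -> bytes:
    """Assemble type/code/checksum + 4 'rest of header' bytes + payload."""
    body = rest + payload
    csum = icmp_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body


def build_frag_needed(next_hop_mtu: int, offending_datagram: bytes) -> bytes:
    """Type 3 / code 4 with the next-hop MTU in bytes 6-7 (RFC 1191)."""
    return build_icmp(DEST_UNREACH, FRAG_NEEDED,
                      struct.pack("!HH", 0, next_hop_mtu), offending_datagram)


def parse_icmp(pkt: bytes):
    """Return (type, code, rest, payload); raise ValueError on a bad packet."""
    if len(pkt) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    if icmp_checksum(pkt) != 0:  # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum = struct.unpack("!BBH", pkt[:4])
    return icmp_type, code, pkt[4:8], pkt[8:]


def stealth_policy(pkt: bytes) -> str:
    """'Stealth' mode: everything vanishes, the host looks switched off."""
    return "drop"


def allowlist_policy(pkt: bytes) -> str:
    """Accept only the ICMP types a well-behaved host needs; drop the rest."""
    try:
        icmp_type, _code, _rest, _payload = parse_icmp(pkt)
    except ValueError:
        return "drop"  # malformed packets are dropped, not rejected
    return "accept" if icmp_type in ALLOWED_TYPES else "drop"


def next_hop_mtu(pkt: bytes):
    """MTU advertised by a frag-needed message, or None for anything else."""
    icmp_type, code, rest, _payload = parse_icmp(pkt)
    if (icmp_type, code) != (DEST_UNREACH, FRAG_NEEDED):
        return None
    return struct.unpack("!HH", rest)[1]


# --- constructed sample packets (not captured traffic) ---------------------
SAMPLE_ECHO_REQUEST = build_icmp(ECHO_REQUEST, 0,
                                 struct.pack("!HH", 0x1234, 1), b"abcdefgh")
# IPv4 header + first 8 bytes of the datagram that was too big (made up).
_OFFENDING = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0, 0x4000, 64, 6, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
_OFFENDING += b"\x00\x50\xc3\x50\x00\x00\x00\x01"
SAMPLE_FRAG_NEEDED = build_frag_needed(1400, _OFFENDING)
SAMPLE_REDIRECT = build_icmp(REDIRECT, 1, bytes([192, 0, 2, 254]), _OFFENDING)
SAMPLE_TIMESTAMP = build_icmp(TIMESTAMP_REQUEST, 0, b"\x00" * 4, b"\x00" * 12)

if __name__ == "__main__":
    for name, pkt in (("echo request", SAMPLE_ECHO_REQUEST),
                      ("frag needed", SAMPLE_FRAG_NEEDED),
                      ("redirect", SAMPLE_REDIRECT),
                      ("timestamp", SAMPLE_TIMESTAMP)):
        print("%-13s stealth=%s allowlist=%s" % (name, stealth_policy(pkt),
                                                  allowlist_policy(pkt)))
    print("next-hop MTU carried by frag-needed:", next_hop_mtu(SAMPLE_FRAG_NEEDED))
```

The stealth policy drops the frag-needed message along with everything else, so the 1400-byte next-hop MTU it carries never reaches the sender; that is the mechanism behind the "slowness of web connection setup" the quoted page describes. The allow-list keeps that message and the echo traffic while still refusing Redirect and Timestamp requests. A checksum failure is also dropped rather than answered, which is the one case where silence is the correct behaviour.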