Security options?

[mrmojo]

Please don't disable ping! Without this, MTU autodiscovery can't work and you're going to suffer from bad speeds on many routes. It's enabled for a reason -- there is utterly no reason to shut it off.

[Ratti3]

Do you have any links to back up this claim?

Thanks

Taken from the Netgear router page itself:
Respond To Ping On Internet Port

If you want the DG834GT to respond to a 'Ping' from the Internet, click this check box. This can be used as a diagnostic tool. This can be a security problem. You shouldn't check this box unless you have a specific reason to do so.

[mrmojo]

Well, netgears wrong in so much its a security problem, because it isn't. http://en.wikipedia.org/wiki/Maximum_transmission_unit says "RFC 1191 describes "Path MTU discovery", a technique for determining the path MTU between two IP hosts with a view to avoiding IP fragmentation. Path MTU discovery works by setting the DF (Don't Fragment) option in the IP headers of outgoing packets—any device along the path whose MTU is smaller than the packet will drop it, and send back an ICMP "Destination Unreachable (Datagram Too Big)" message containing its MTU, allowing the source host to reduce its assumed path MTU appropriately. The process repeats until the MTU is small enough to traverse the entire path without fragmentation."

If you are blocking ICMP (which will be what it's doing when you block pings) then you've got no chance of getting the message to turn your MTU size down.

[Ratti3]

Ok thanks I'll investigate, the default MTU sent by this router is 1500 and can br easily changed, I suggest a value of 1458. There are plenty of routers out there with the ping option deselected by default.

Also if you read a bit further down the wikipedia page you'll see why its a security issue.

[NewsreadeR]

moved till we can find out for definite

[mrmojo]

Ok thanks I'll investigate, the default MTU sent by this router is 1500 and can br easily changed, I suggest a value of 1458. There are plenty of routers out there with the ping option deselected by default.

Also if you read a bit further down the wikipedia page you'll see why its a security issue.

Are you refering to the DoS thing? If so, that's not a security issue that can be solved - it would only provide protection at the ISP level, not at your level, since these ping packets are still being pushed down your line clogging it up.

[Ratti3]

It will be quite rare/infrequent when you have serious MTU related problems when routers on the internet will not accept the default 1500 size MTU. When this happens you will know that there is a problem as you will have problems accessing the site/service.

At that point you can try and enable the ping option and see if that fixes your problem or set a lower default MTU, 1410 maybe?


There is some info on MTU problems with the BT network back in 2003 which I believe has been sorted now:
http://bbs.adslguide.org.uk/showthre...s&Main=2254961
http://bbs.adslguide.org.uk/showthre...hs&Main=186041

PS In case your wondering how I came to the conclusion in the first paragraph, I asked a CCNA/MCSE expert at my workplace. Whether he is right or wrong I'll let you decide.

Also when a PC is pinged by a hacker to see if it responds chances are he'll think there may be more weakspots and scan further. However the chance of finding you in the first place is like looking for a needle in a haystack, however its still a risk.

[mrmojo]

Oh well, I give up. ICMP is there for a reason and blocking it is stupid. Even if you disable ping the chances are that anyone with nmap will still be able to find even more important services on you. I have never heard of a hacker using ping when they can issue a proper nmap tcp scan and sort it out.

So what you're basically saying is that to save yourself an absolutely inconsequantal security risk you should get rid of a good feature which will avoid headaches in the future. .

[Ratti3]

It would be good if other people put their input on this.

I have had this option disabled on my previous router for 3 years and never noticed any problems.

But people can read what you have said and can decide if they want to turn that option off or not.

[SatDish]

i cant even find it on my router