acl: denying pings

From: Daniel C. Young (danyoung99@xxxxxxxxxxxx)
Date: Fri Aug 10 2001 - 19:20:36 GMT-3


   
Folks,

Pings require both ICMP type echo and echo-reply. If you want to deny pings,
would it make sense simply to deny echoes only? The reason is that if
echoes (requests) are never allowed, you will not even have any echo replies.
I know that lab proctors are in search of the shortest ACL possible. They will
burn you at the stake if you don't come up with it.

Consider:
access-list 100 deny icmp any any echo
access-list 100 deny icmp any any echo-reply <-- Is this even necessary?
access-list 100 permit ip any any

What do you guys think?

Daniel C. Young
Sr. Network Engineer
(909) 221-1928 Direct
dan.young@sbc.com

SBC Internet Data Center
2681 Kelvin Ave.
Irvine, CA 92614
(949) 221-1900 Main
(949) 221-1978 Fax



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:48 GMT-3
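
The question in the post above, worked through as an added example that is not part of the original message: a small first-match ACL evaluator in Python. It assumes the ACL is applied inbound on a single interface and that traffic in the other direction is unfiltered; the function names and the inside/outside model are hypothetical, chosen for illustration.

```python
# Added example: first-match evaluation of an extended ACL, ICMP only.
# Assumption: the ACL is applied inbound on one interface ("outside");
# packets leaving through that interface are not filtered.
ECHO_REPLY, ECHO = 0, 8  # ICMP type numbers (RFC 792)

# The two candidate ACLs from the post, as (action, protocol, icmp_type).
ECHO_ONLY = [("deny", "icmp", ECHO), ("permit", "ip", None)]
ECHO_AND_REPLY = [("deny", "icmp", ECHO), ("deny", "icmp", ECHO_REPLY),
                  ("permit", "ip", None)]

def acl_permits(acl, proto, icmp_type=None):
    """Return True if the first matching entry permits the packet."""
    for action, entry_proto, entry_type in acl:
        # "ip" matches every protocol; otherwise protocols must be equal.
        if entry_proto == "ip" or entry_proto == proto:
            # An entry with no ICMP type matches any type.
            if entry_type is None or entry_type == icmp_type:
                return action == "permit"
    return False  # implicit deny at the end of every ACL

def ping_succeeds(acl, origin):
    """Simulate one ping across the filtered interface.

    origin="outside": the echo request enters through the ACL.
    origin="inside":  the request leaves unfiltered and the
                      echo reply enters through the ACL.
    """
    if origin == "outside":
        return acl_permits(acl, "icmp", ECHO)
    if origin == "inside":
        return acl_permits(acl, "icmp", ECHO_REPLY)
    raise ValueError("origin must be 'inside' or 'outside'")

def summary(acl):
    """Map each ping origin to whether the ping completes."""
    return {o: ping_succeeds(acl, o) for o in ("outside", "inside")}

if __name__ == "__main__":
    print("echo only    :", summary(ECHO_ONLY))
    print("echo + reply :", summary(ECHO_AND_REPLY))
```

Under that assumption, the echo-only list stops pings that start on the filtered side, while pings started on the other side still complete because their replies match the final permit.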