(ramsayleung.github.io)

134 points samray | 3 comments | 10 Oct 25 07:50 UTC | HN request time: 0.807s | source

Show context

ajd555 ◴[10 Oct 25 11:52 UTC] No.45537856[source]▶

If a ping to a specific IP times out, I wouldn't say the IP is blocked. It could be that ICMP specifically is blocked, following some network rules on the firewall. This is pretty common in entreprise networks to not allow endpoint discovery. I could be missing something and happy to be corrected here, but I was surprised to read that.

replies(5): >>45537931 #>>45538067 #>>45538538 #>>45538647 #>>45540200 #

1. VladVladikoff ◴[10 Oct 25 12:00 UTC] No.45537931[source]▶

>>45537856 #

Yeah, ICMP tunnelling is also a common bypass method for captive networks, so simply blocking all ICMP seems logical.

replies(1): >>45540847 #

2. EvanAnderson ◴[10 Oct 25 16:37 UTC] No.45540847[source]▶

>>45537931 (TP) #

Every time I've had to fight with path MTU discovery not working I've cursed the people who block all ICMP, though. If ICMP echo / echo-reply is the problem just block that. At the very least, allow destination unreachable / fragmentation needed thru (type 3, code 4).

replies(1): >>45542128 #

3. pixl97 ◴[10 Oct 25 18:23 UTC] No.45542128[source]▶

>>45540847 #

Most of the people blocking ICMP have no clue that ICMP codes/types even exist.

↑

A story about bypassing air Canada's in-flight network restrictions