1

I was recently looking at a network in which the client machines could access a webservice endpoint but could not ping it.

And there are other machines that can ping the webservice endpoint, but which do not utilize it. However, these other machines do connect to service the client machines, and of course, can ping both.

All machines in question are on a private network that extends to private and public physical locations.

So, why would some of these machines DROP packets and others ACCEPT them?

schroeder
leeand00
  • There's also a third option in a firewall which is to `REJECT` the packets, meaning, I'm here but I'm not conversing with your node. – leeand00 Jan 30 '19 at 18:13
  • Likely relevant as well: https://security.stackexchange.com/questions/103960/how-to-protect-webservice-on-private-network – leeand00 Jan 30 '19 at 18:14

2 Answers

0

ICMP can be dropped for a variety of reasons to protect the service. And there are obviously clear reasons why ICMP is useful.

If you take the stance that you only allow services that you have a stated reason to enable, then the default would be to drop ICMP, and only allow it for specific reasons. Firewalls always start with a default DENY, and then you build ALLOW rules on top of that.

In your example, it appears that there are admin-type machines that need to ping everything. This is not unusual for admin machines.

Client-type machines likely have no reason to ping the service, so that would fall under the default DENY because you would not craft an ALLOW rule for the clients without a reason.

schroeder
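The default-DENY-plus-ALLOW model described in this answer, together with the `REJECT` verdict raised in the question's comments, can be made concrete with a small rule evaluator. This is an added example, not code from the question, the answers, or any firewall product; the subnets (10.0.10.0/24 for clients, 10.0.99.0/24 for admin hosts), ports and rule set are constructed to mirror the scenario, and "first matching rule wins, otherwise the chain default" is the common chain semantics rather than any specific vendor's.

```python
"""Toy model of a host firewall chain with a default-DENY policy.

Constructed example; not code from the original question or answers. The
subnets, ports and rule set are assumptions chosen to mirror the scenario:
clients reach the web service on TCP/443 but cannot ping it, while admin
hosts may ping everything.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

ACCEPT, DROP, REJECT = "ACCEPT", "DROP", "REJECT"


@dataclass(frozen=True)
class Rule:
    src: IPv4Network        # source prefix the rule applies to
    proto: str              # "tcp", "udp" or "icmp"
    dport: Optional[int]    # destination port; None matches any (or ICMP)
    verdict: str


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dport: Optional[int] = None


# Assumed ranges: 10.0.10.0/24 = client machines, 10.0.99.0/24 = admin hosts.
RULES = [
    Rule(ip_network("10.0.10.0/24"), "tcp", 443, ACCEPT),    # clients -> HTTPS
    Rule(ip_network("10.0.99.0/24"), "icmp", None, ACCEPT),  # admins may ping
    Rule(ip_network("10.0.99.0/24"), "tcp", 22, ACCEPT),     # admins may SSH
    Rule(ip_network("10.0.10.0/24"), "tcp", 22, REJECT),     # clients told "no" outright
]
DEFAULT_POLICY = DROP  # everything not explicitly allowed is silently discarded


def evaluate(pkt: Packet, rules=RULES, default=DEFAULT_POLICY) -> str:
    """Return the verdict for a packet: first matching rule wins, else the chain default."""
    src = ip_address(pkt.src)
    for rule in rules:
        if src not in rule.src or rule.proto != pkt.proto:
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        return rule.verdict
    return default


def observed_by_sender(verdict: str) -> str:
    """What the sending host experiences for each verdict."""
    return {
        ACCEPT: "normal reply",
        DROP: "timeout (no response; indistinguishable from a dead host)",
        REJECT: "immediate error (ICMP unreachable or TCP RST)",
    }[verdict]


def explain(pkt: Packet) -> str:
    verdict = evaluate(pkt)
    return f"{pkt.src} {pkt.proto}/{pkt.dport or '-'}: {verdict} -> {observed_by_sender(verdict)}"


if __name__ == "__main__":
    for pkt in (
        Packet("10.0.10.5", "tcp", 443),   # client uses the web service
        Packet("10.0.10.5", "icmp"),       # client pings it
        Packet("10.0.99.2", "icmp"),       # admin pings it
        Packet("10.0.99.2", "tcp", 443),   # admin does not use the service
        Packet("10.0.10.5", "tcp", 22),    # client tries SSH
    ):
        print(explain(pkt))
```

The point the model makes visible: the client's `ping` timing out and the admin's `ping` succeeding are both the intended result of the same chain, and an administrator troubleshooting from a client cannot tell a DROP from a host that is down, which is exactly why admin hosts tend to get an explicit ICMP ALLOW while clients fall through to the default.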
-1

If the client machine has its personal firewall set to drop ICMP then it will not respond.

If the client machine is accessing the webservice endpoint through a router, the router could be set to ignore/drop ICMP and local LAN machines could get a response.

If all the client machines are on the same LAN then a rule could be set by IP range to block traffic in the router.

If the network has two or more local LAN subnets and a route is not set in the router then those clients could get internet access, but not access to another range on the local LAN.

Casper
  • This doesn't answer the question about the decisions about why you would want to allow ping or not. You've only addressed the technical reasons *how* ICMP could be dropped. – schroeder Oct 22 '20 at 09:42
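The last case in the answer above (two LAN subnets, no route between them, internet still working) comes down to longest-prefix matching in the router's forwarding table. The following is an added example, not part of the answer or the question; the prefixes, interface name and next hops are constructed, with 203.0.113.1 standing in for the upstream gateway.

```python
"""Longest-prefix-match routing lookup, illustrating the "no route between
LAN subnets" case. Constructed example, not from the original post; the
prefixes, interface names and next hops are assumptions (203.0.113.1 stands
in for the upstream/ISP gateway).
"""
from ipaddress import ip_address, ip_network


def build_table(entries):
    """Sort routes most-specific first so a linear scan yields the longest prefix match."""
    routes = [(ip_network(prefix), next_hop) for prefix, next_hop in entries]
    return sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)


def lookup(table, dst):
    """Return the next hop for dst, or None if no route (not even a default) covers it."""
    addr = ip_address(dst)
    for net, next_hop in table:
        if addr in net:
            return next_hop
    return None


UPSTREAM = "203.0.113.1"  # assumed default gateway towards the internet

# Router knows its directly attached LAN and a default route only.
WITHOUT_ROUTE = build_table([
    ("10.0.10.0/24", "eth1"),
    ("0.0.0.0/0", UPSTREAM),
])

# Same router with a static route to the second LAN via another router on eth1.
WITH_ROUTE = build_table([
    ("10.0.10.0/24", "eth1"),
    ("10.0.20.0/24", "10.0.10.254"),
    ("0.0.0.0/0", UPSTREAM),
])


def reachable(table, dst):
    """A private destination handed to the upstream default route is a dead end:
    the public internet does not route RFC 1918 (or other special-purpose) space,
    which is what ipaddress's is_private covers."""
    next_hop = lookup(table, dst)
    if next_hop is None:
        return False
    return not (next_hop == UPSTREAM and ip_address(dst).is_private)


if __name__ == "__main__":
    # 8.8.8.8 is used only as a well-known public address for contrast.
    for table_name, table in (("without route", WITHOUT_ROUTE), ("with route", WITH_ROUTE)):
        for dst in ("10.0.20.7", "8.8.8.8"):
            print(f"{table_name}: {dst} -> next hop {lookup(table, dst)}, "
                  f"reachable={reachable(table, dst)}")
```

Without the 10.0.20.0/24 entry, packets for the second LAN match only the 0.0.0.0/0 default and leave towards the upstream gateway, where private space goes nowhere, while public destinations are unaffected; adding the static route makes the more specific prefix win and the traffic stays local. From the client's side that looks the same as a DROP (a silent timeout), so checking the routing table is part of separating a firewall policy decision from a plain misconfiguration.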