Problem

TechRepublic member computer_blues
recently made a startling discovery on his network and used the Technical Q&A to ask
other IT pros about it. He posted: “I noticed that my internal workstations
can ping locations outside of the firewall, like www.yahoo.com, even though
these workstations are not set up with Internet (http) access on the firewall.
Am I exposing my internal network to possible attacks, or what risk is involved
in allowing internal workstations to ping outside the network? I thought my
firewall rules prohibited this, until now.”

Solution

This question received a trio of helpful answers.

BFilmFan
responded, “If you are running IP and didn’t set a specific DENY on the
subnet, they can indeed ping out of the network. Did you check to make sure
that telnet was removed from the workstations also? The real question is can
someone ping into your network from outside?”

Member markusfrei@gmx.net
provided a useful suggestion for disabling the ability to ping outside of the
network. He wrote, “Remove the firewall’s IP address from the ‘gateway’
section in the NIC setup of the PCs, then they should no longer be able to get
out to the Internet.”

To further enhance security, member gavin@afiintra.com suggested, “The main reason for not
allowing ping is to avoid virus attacks to the router. You should configure
your firewall to deny all the ICMP traffic or deny port 7 UDP to block all the
echo traffic.”
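The behaviour the thread describes comes down to how an egress policy handles traffic that no rule names. The following toy first-match policy evaluator is an added example, not code from the TechRepublic discussion; it assumes a stateless egress filter with first-match semantics and a configurable default action, and it uses constructed sample packets. It also shows a caveat the thread does not spell out: ICMP echo is its own protocol, so a rule on UDP port 7 does not affect ping.

```python
"""Toy first-match egress policy evaluator (added example, not from the thread)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "icmp"
    dport: Optional[int] = None       # None for ICMP, which has no ports
    icmp_type: Optional[int] = None   # 8 = ICMP echo request (ping)


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    proto: Optional[str] = None       # None matches any protocol
    dport: Optional[int] = None       # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def egress_decision(rules: List[Rule], pkt: Packet, default: str = "allow") -> str:
    """Return the action of the first matching rule, else the default action."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed sample traffic from an internal workstation (10.0.0.5 is an assumption).
PING = Packet("10.0.0.5", "203.0.113.10", "icmp", icmp_type=8)
HTTP = Packet("10.0.0.5", "203.0.113.10", "tcp", dport=80)
UDP_ECHO = Packet("10.0.0.5", "203.0.113.10", "udp", dport=7)

# The poster's situation: only HTTP is explicitly allowed, but the firewall
# falls through to "allow" for anything unmatched, so ping still gets out.
HTTP_ONLY = [Rule("allow", "tcp", 80)]

# Explicit ICMP deny, as suggested in the thread: ping is now blocked, HTTP still works.
HTTP_DENY_ICMP = [Rule("allow", "tcp", 80), Rule("deny", "icmp")]

# A UDP/7 deny stops the UDP echo service but does not match ICMP echo requests.
HTTP_DENY_UDP7 = [Rule("allow", "tcp", 80), Rule("deny", "udp", 7)]
```

Changing the default to "deny" (`egress_decision(HTTP_ONLY, PING, default="deny")`) closes the gap without enumerating protocols, which is the usual default-deny egress posture.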
Note

The text of discussion posts from TechRepublic members has
been slightly edited for spelling, punctuation, and clarity.