Ping is used to examine whether a computer works and is accessible over a network. Ping sends ICMP traffic to the computer in question, and the target computer answers with an ICMP reply packet if it is running and reachable from the network.
You can also ping a whole network, and thereby use ping to examine which computers exist on a certain network. Therefore it is not advisable to allow ping into an internal network.
The client computer sends a type 8 ICMP packet, echo-request, to find out whether the target computer is working and accessible. The target computer ("server" in the picture below) replies with a type 0 ICMP packet, echo-reply, to indicate that it is working and accessible over the network.

This corresponds to the following service definitions:
Services:

| Name | Protocol | Firewall type | ICMP type |
|---|---|---|---|
| echo-request | ICMP | Packet filter | 8 |
| echo-reply | ICMP | Packet filter | 0 |

Allow the echo-request service from the computers which should be able to run ping (e.g., the Inside) to the computers you want to ping (e.g., Internet). A firewall rule allowing echo-reply in the opposite direction is needed for the replies to reach the client computers. Example:
Allow the echo-request service from the computers which should be able to run ping (e.g., the Inside) to the computers you want to ping (e.g., Internet). The replies need no rules as the NAT system handles this automatically. Example:
Ping from the Internet to an internal network is not advisable (see above), but this is how to do it. Allow the echo-request service from the computers which should be able to run ping (e.g., Internet) to the computers you want to ping (e.g., the Inside). A firewall rule allowing echo-reply in the opposite direction is needed for the replies to reach the client computers. Example:
Incoming ping through an Ingate Firewall using NAT for the outgoing traffic is not possible as there is no way to let the traffic into a NATed network.
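
The packet-filter case above (no NAT), modelled as an added example; this is not Ingate code or configuration. It builds real ICMP echo messages and runs them through a stateless filter to show that the request rule alone is not enough and that the same rule set still blocks ping from the Internet. The rule tuple format `(service, from, to)` and all function names are assumptions made for illustration.

```python
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP types from the service table
SERVICES = {"echo-request": ECHO_REQUEST, "echo-reply": ECHO_REPLY}

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (16-bit one's complement sum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"ping") -> bytes:
    """Build an ICMP echo message: type, code 0, checksum, identifier, sequence."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def filter_packet(rules, src_zone: str, dst_zone: str, icmp: bytes) -> bool:
    """Stateless filter: pass only if a rule matches direction and ICMP type."""
    if len(icmp) < 8 or checksum(icmp) != 0:
        return False  # truncated or corrupt message is dropped
    icmp_type = icmp[0]
    return any(SERVICES[svc] == icmp_type and frm == src_zone and to == dst_zone
               for svc, frm, to in rules)

def ping_succeeds(rules, client_zone: str, server_zone: str) -> bool:
    """A ping works only if the request AND the reply both pass the filter."""
    request = build_echo(ECHO_REQUEST, ident=0x1234, seq=1)
    if not filter_packet(rules, client_zone, server_zone, request):
        return False
    reply = build_echo(ECHO_REPLY, ident=0x1234, seq=1)
    return filter_packet(rules, server_zone, client_zone, reply)

# Constructed rule sets using the zone names from the text.
OUTGOING = [("echo-request", "Inside", "Internet"),
            ("echo-reply", "Internet", "Inside")]
REQUEST_ONLY = [("echo-request", "Inside", "Internet")]

if __name__ == "__main__":
    print("Inside -> Internet, both rules:", ping_succeeds(OUTGOING, "Inside", "Internet"))
    print("Inside -> Internet, request only:", ping_succeeds(REQUEST_ONLY, "Inside", "Internet"))
    print("Internet -> Inside, outgoing rules:", ping_succeeds(OUTGOING, "Internet", "Inside"))
```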