RE: Scan of TCP 552-554
From: Frank Knobbe (fknobbe_at_knobbeits.com)
Date: 07/30/03
- Previous message: Jon Zobrist: "floods through our proxy"
- In reply to: Nick Nauwelaerts: "RE: Scan of TCP 552-554"
- Next in thread: Justin Pryzby: "Re: Scan of TCP 552-554"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Nick Nauwelaerts <nick.nauwelaerts@compu-mark.com>
Date: 29 Jul 2003 18:15:52 -0500
On Tue, 2003-07-29 at 02:31, Nick Nauwelaerts wrote:
> [...] Discarding, not blocking, incoming traffic
> has as an added feature that it breaks MTU path discovery. If your firewall is
> part of an upstream route you break other people's troubleshooting. If this
> was done by everyone you can forget about basic troubleshooting tools such
> as traceroute or ping.
Path MTU discovery only gets broken if you block (or do not respond to)
certain ICMP packets. You should be able to silently drop TCP, UDP, and
most of ICMP (except for types 3 and 11, I believe).
Doing traceroutes has already become a PITA with certain providers.
Luckily those that block ICMP traceroutes still permit TCP traceroutes.
Besides, most admins probably don't want you to be able to traceroute
through their firewall :)
I agree on the hiding part. Also, TCP Resets are especially useful for
anything that throws idents your way (i.e. mail servers, secondary name
servers).
Cheers,
Frank
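The inbound policy Frank describes, written out as an iptables ruleset. This is an added example, not code from the thread: unsolicited TCP and UDP are silently dropped by the chain policy, ICMP type 3 (destination unreachable, whose code 4 "fragmentation needed" is what path MTU discovery relies on) and type 11 (time exceeded, used by traceroute) are accepted, and ident (TCP/113) is answered with a RST so a remote mail server does not sit in an ident timeout. The interface name is an assumption; the script prints the rules unless told to apply them.

```shell
#!/bin/sh
# Added example (not from the original message): iptables INPUT policy for a
# firewall that drops silently but keeps path MTU discovery and traceroute
# working. WAN_IF is an assumed interface name; override it in the environment.
WAN_IF="${WAN_IF:-eth0}"

# Print the rules instead of applying them so the policy can be reviewed.
build_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WAN_IF -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -i $WAN_IF -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport 113 -j REJECT --reject-with tcp-reset
EOF
}
# Rule by rule: type 3 (all codes, including 3/4 "fragmentation needed") keeps
# PMTUD alive; type 11 keeps traceroute usable; ident gets a RST rather than a
# silent drop; anything else unsolicited falls through to the DROP policy.

# Apply the printed rules one at a time (needs root); stop on the first failure.
apply_rules() {
    build_rules | while IFS= read -r rule; do
        $rule || return 1
    done
}

case "${1:-}" in
    apply) apply_rules ;;
    *) build_rules ;;
esac
```

Run without arguments to review the rules, or with `apply` as root to load them.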