Re: highly secure live CD distro

From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 02/23/05


Date: Wed, 23 Feb 2005 14:37:27 -0600

In article <slrnd1mfpv.b5d.zawrotny@localhost.localdomain>,
Michael Zawrotny wrote:

>If you REJECT, that requires sending an ICMP destination unreachable
>packet (see http://www.iana.org/assignments/icmp-parameters for
>type and sub-type numbers). This can eat up your bandwidth on a slow
>connection. DROPing saves the outgoing packets, but is not compliant
>with the various RFCs, and therefore technically results in a host
>with "broken" networking.

It also triples the number of wasted inbound packets. TCP/IP works on
making an unreliable connection reliable. It does this by retrying to send
packets that appear to have fallen through the cracks in the cloud.

>If you have control of the upstream firewall (which I assume
>the OP did not), I would recommend blocking at the firewall with
>an ICMP host-unreachable (type 3/1), which makes it look like the
>host is turned off.

Agreed.

>That's not as practical for a single host, since the ICMP return packet
>will have the allegedly unreachable host as the source address.

I've heard that some consumer grade firewalls (read windoze personal garbage)
have suggested sending a 3/1 back as a smoke screen. This neglects the rather
obvious fact that the source address in the ICMP packet is the original
destination... but no one would notice that, right? ;-)

>That is why I suggested DROP for the OP. For a different situation, I
>would have said REJECT.

Some windoze worms try a ping (ICMP 8) first, to see if the host is up
before they try to connect via TCP. However, this may just be one of the
thousands of different windoze worm kits.

        Old guy
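The 3/1 "smoke screen" giveaway discussed in this thread, as an added example that is not part of the original post: a Python script that builds a constructed ICMP host-unreachable (type 3, code 1) packet and then checks whether the outer source address is the same host the quoted inner header was addressed to. A router sending 3/1 on a host's behalf has a different source; a host sending 3/1 about itself announces that it is up. Addresses are RFC 5737 documentation ranges chosen for the example, and the quoted TCP SYN is constructed.

```python
import struct
import ipaddress

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used by both IPv4 and ICMP headers.
    Verifying a header with its checksum field in place yields 0 when valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Plain 20-byte IPv4 header: version/IHL, TOS, total length, id, flags, TTL, proto."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def build_host_unreachable(sender: str, victim: str, orig_src: str, orig_dst: str) -> bytes:
    """ICMP type 3 code 1 from 'sender' to 'victim', quoting the original IP header
    plus the first 8 bytes of the original TCP segment (a constructed SYN to port 80)."""
    orig_tcp = struct.pack("!HHI", 40000, 80, 1)          # sport, dport, seq
    quoted = ipv4_header(orig_src, orig_dst, 6, 20) + orig_tcp
    icmp = struct.pack("!BBHI", 3, 1, 0, 0) + quoted       # type, code, csum, unused
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(sender, victim, 1, len(icmp)) + icmp

def classify_unreachable(pkt: bytes) -> str:
    """'self-reported' when the ICMP 3/1 comes from the very host it declares
    unreachable (so that host is demonstrably up), 'upstream' when another
    device such as a router sent it, 'not-3/1' for anything else."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                                        # IP protocol 1 = ICMP
        return "not-3/1"
    icmp = pkt[ihl:]
    if icmp[0] != 3 or icmp[1] != 1 or checksum(icmp) != 0:
        return "not-3/1"
    outer_src = ipaddress.IPv4Address(pkt[12:16])
    inner_dst = ipaddress.IPv4Address(icmp[8:][16:20])    # quoted header's destination
    return "self-reported" if outer_src == inner_dst else "upstream"
```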