Re: Frontiernet insists on being my firewall...

From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 08/29/04


Date: Sun, 29 Aug 2004 15:31:16 -0500

In article <7e4865b7.0408290018.53bf8d21@posting.google.com>,
William Wallace wrote:
>I don't see a ground swell either. But why block traceroutes and
>pings?

In windoze, both tracert and ping use ICMP echo (Type 8/0). The tracert
does this with incremented TTLs to get ICMP Time Exceeded (Type 11 code
0) errors from intermediate sites. The *nix traceroute from Van Jacobson
was developed before microsoft heard about networking, and uses UDP
packets in place of ICMP echos (although you can use them with the
-i option). So, what are they blocking? ICMP 8/0? UDP? or ICMP 11?
Does your version of ping have a 'Record Route' option (-R in some
versions)? Admittedly, many hosts ignore or discard this option, and
it only has space for nine hops, but it's just one of many other tools
that can be used.

As to "why block pings" - I can think of two reasons. First, it has been
abused and there _used_ to be a simple way to kill a windoze box with
a single ping (I'm relatively sure that few people are still using
versions that were vulnerable). But at least one recent worm/trojan
targeting windoze boxes this Spring was using a ping as a precursor of
the attack, and hosts that ignored pings were not being attacked by
that _particular_ worm/trojan. Remember, the Internet is not the same
place that it was in the early 1990's. When microsoft invented the
telephone (or whatever) in August 1995, they introduced 87 Bazzillion
people to networking, and 99.999% of those people shouldn't be trying
to use something as complicated as a digital watch, never mind a VCR
(which is _still_ blinking '12:00') or a computer.

If you think about it, the common recommendation to those configuring
a firewall (whether a toy running on a single dialin, or the bastion
gateway on a "Class A" [sic] net) is to block echo requests inbound.
Even the friendly folk over at NSA (http://www.nsa.gov/snac/index.html)
are recommending that.

>it took me a while to even find a technical support person who could
>understand how I knew it wasn't my DSL router or even their DSLAM that
>was at fault.

The average "support" person a user gets to talk to is reading from a
script that solves "common" user problems. They are under pressure by
their management to "solve the problem" from that book, and close the
ticket NOW. But then, look at the customer that these support people are
dealing with. "The Internet is broken." "The Web(tm) is not working."
"I can't surf to $FOO." Wah, Wah, Wah. For those users who _are_
technically savvy, most ISP Bobs recognize a couple of keywords which are
not commonly known by the unwashed masses, and you can use those in one
or two sentences to impart a message that a specific problem exists
with their crap, and it's probably "here". That message will usually
get passed on relatively quickly. If it doesn't, then it's time to move.

>Now, I am no longer able to troubleshoot their network, and lord knows
>frontiernet is unable to troubleshoot their own network.

Maybe it's time to move.

>Frontiernet installing firewalls to block ports adds latency,

Shouldn't add that much. I _RARELY_ see consistent download speeds
from remote FTP servers, and a quick 'ping -c3 -s1450 some.site.IP'
usually shows WIDE variation in reply delays and those are never
less than four or five times the copper delays plus one or two
milliseconds per hop.

>which is bad for gamers, those who use VoIP or other real time
>communications,

Check the TOS - I don't think that's in there. But by eliminating
"undesired" traffic, they are also _decreasing the load on the wires,
and that decreases latency. Pay your money - take your pick.

>and also big brotherish.

I suppose one could sue over censorship issues - the past business model
has been that they are a "Common Carrier", which is why they don't censor
pr0n or whatever. Might be good for giggles to see someone try that.

        Old guy
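The post's point is that "blocking ping" is really a question of which ICMP types an inbound filter drops: Windows tracert/ping rely on echo requests and replies (type 8/0), the Van Jacobson traceroute sends UDP probes and relies on ICMP Time Exceeded (type 11 code 0) from the routers plus Destination Unreachable (type 3 code 3, port unreachable) from the target. The following Python simulation is an added example, not code from the original post or from any firewall product. It builds and parses real ICMP header bytes (with the RFC 1071 checksum) and walks probes along a constructed path of hosts ("r1", "r2", "r3", "dst" are invented names), then applies an inbound ICMP drop list at the probing host to show that the common recommendation (drop inbound echo requests only) leaves outbound ping and both traceroute variants working, while dropping type 11 or type 3 as well turns hops into `*`. No sockets are used, so it runs offline without privileges.

```python
"""Simulate which inbound ICMP types ping/tracert (ICMP echo) and Unix
traceroute (UDP) depend on, and what an inbound ICMP filter does to them.
Added example; host names and the path are constructed, not real."""
from __future__ import annotations
import struct
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# ICMP types and codes referred to in the post (RFC 792)
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
PORT_UNREACH = 3   # code under DEST_UNREACH, sent by a UDP traceroute target
TTL_EXPIRED = 0    # code under TIME_EXCEEDED, sent by each intermediate router

# The usual recommendation: drop inbound echo requests, nothing else.
RECOMMENDED_DROP: FrozenSet[int] = frozenset({ECHO_REQUEST})


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (odd length is zero padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes = b"",
               ident: int = 0, seq: int = 0) -> bytes:
    """Serialize an ICMP message: type, code, checksum, identifier, sequence."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> Tuple[int, int, bytes]:
    """Return (type, code, payload); reject short or corrupted messages."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    if icmp_checksum(packet) != 0:      # a valid message sums to all ones
        raise ValueError("bad ICMP checksum")
    icmp_type, code = struct.unpack("!BB", packet[:2])
    return icmp_type, code, packet[8:]


@dataclass
class Probe:
    proto: str   # "icmp" = Windows tracert / ping, "udp" = Van Jacobson traceroute
    ttl: int


def forward_probe(path: List[str], probe: Probe) -> Tuple[str, bytes]:
    """Walk one probe along the constructed path (routers, then the target).
    Each router decrements TTL and answers with Time Exceeded when it hits 0;
    the target answers an ICMP probe with Echo Reply and a UDP probe to an
    unused port with Port Unreachable.  Returns (answering host, ICMP bytes)."""
    ttl = probe.ttl
    for i, host in enumerate(path):
        if i == len(path) - 1:                      # the destination host itself
            if probe.proto == "icmp":
                return host, build_icmp(ECHO_REPLY, 0)
            return host, build_icmp(DEST_UNREACH, PORT_UNREACH)
        ttl -= 1                                    # router forwards the packet
        if ttl == 0:
            return host, build_icmp(TIME_EXCEEDED, TTL_EXPIRED)
    raise RuntimeError("unreachable: path must end with the destination")


def traceroute(path: List[str], proto: str, drop_types: FrozenSet[int],
               max_hops: int = 30) -> List[str]:
    """Hop list as traceroute would print it, '*' where the reply was dropped
    by the inbound filter at the probing host.  Stops at the first reply that
    identifies the target (Echo Reply or Port Unreachable), else at max_hops."""
    hops: List[str] = []
    for ttl in range(1, max_hops + 1):
        host, reply = forward_probe(path, Probe(proto, ttl))
        icmp_type, _code, _ = parse_icmp(reply)
        if icmp_type in drop_types:
            hops.append("*")
            continue                # filtered reply: traceroute keeps probing
        hops.append(host)
        if icmp_type in (ECHO_REPLY, DEST_UNREACH):
            break
    return hops


if __name__ == "__main__":
    route = ["r1", "r2", "r3", "dst"]            # constructed path
    print("tracert, drop 8 only :", traceroute(route, "icmp", RECOMMENDED_DROP))
    print("traceroute, drop 8   :", traceroute(route, "udp", RECOMMENDED_DROP))
    print("tracert, drop 8+11   :",
          traceroute(route, "icmp", frozenset({ECHO_REQUEST, TIME_EXCEEDED})))
    print("traceroute, drop 8+3 :",
          traceroute(route, "udp", frozenset({ECHO_REQUEST, DEST_UNREACH}), 5))
```

The takeaway for anyone writing the rule set: dropping inbound type 8 only stops others from pinging you; it is the inbound types 0, 3 and 11 that your own ping and traceroute need back, so a provider that "blocks traceroute" is dropping one of those, and the simulation reproduces exactly the `*` pattern each choice produces.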
