Re: Frontiernet insists on being my firewall...

From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 08/31/04


Date: Mon, 30 Aug 2004 21:55:09 -0500

In article <7e4865b7.0408292217.745b45f6@posting.google.com>,
William Wallace wrote:
>> Even the friendly folk over at NSA (http://www.nsa.gov/snac/index.html)
>> are recommending that.

That page 404's now. Sorry

>They are probably recommending that ISPs block their customers' outbound
>pings, too

Actually the page was more generic than that, and was suggesting how
to set up _any_ perimeter security. I suspect it's based on work by
Cisco, but I also see references to what might be called "classic"
firewall books, such as D. Chapman and E. Zwicky. Building Internet
Firewalls (O'Reilly) and S. Bellovin and W. Cheswick. Network Firewalls.
Looking at the first book, their recommendations (Chapter 22) are even
tighter than the NSA recommendations.

_MOST_ firewall recommendations are such that you can do things to
outsiders (such as ping), but they can't do those things to you.
Where this breaks down is that your outbound (example) ping is blocked
by the next hop's inbound filter rules. As mentioned, the internet is
not the wide open friendly place it once was.

>> >Frontiernet installing firewalls to block ports adds latency,
>>
>> Shouldn't add that much.
>
>It depends on what type of firewall they are using. 5mS here, 10mS
>there, and pretty sure you cannot game or hold a reasonable conversation.

Yeah, but if the link uses geostationary satellites you're looking at
a quarter second in propagation delay right there. Still, that delay
hasn't killed "overseas" telephone service. I've even used links with
round trip times over two-thirds of a second for both audio AND video.
That's getting pretty ropey, but it served the function needed.

        Old guy


