Blocked incoming ICMP, getting outgoing ICMP [3] Destination Unreachable
in [Firewalls]
|
Prev: Dynamic Routing
Next: Daemon Alert - Nokia
From: Ken Sims on 26 Feb 2006 01:36 Hi - On Sat, 25 Feb 2006 19:09:55 -0500, Dubious Dude <Shifty(a)eyes.com> wrote: >It looks like the dialup icon on the >system tray doesn't light up when the delayed response from the DNS >is received. I thought the response was being initiated initiated >from my PC without provocation. You're going to get just one small packet from the DNS server. The program that lights the icon probably doesn't bother for something that small. Personally I have KPF configured to block outbound ICMP [3] without logging. -- Ken http://www.kensims.net/
From: Volker Birk on 26 Feb 2006 02:48 Dom <invalid(a)invalid.invalid> wrote: > How 'bout clearing up this distinction between real and imitation > traceroute. The original is from Van Jacobson, 4.3BSD. It sends UDP packets with a very small TTL and waits until the ICMP TIME_EXCEEDED answer arrives from each gateway along the route to a host. > Microsoft's traceroute. Do they both not accomplish the same thing? I > would argue that ICMP echo is the proper protocol for a traceroute > because a firewalled target host is most likely to reply to an echo > request. I'd like to see that you're right. But ICMP echo filtering is a widespread disease in the days of "Personal Firewalls" and "stealthing". > I would place hping above all other traceroute utilities. Hping > can perform traceroutes with many protocols and ports. With hping, you can do completely other things than a traceroute, too. It's a packet generator, not a traceroute utility. Yours, VB. -- Wenn Du "Ich sehe die Mathematik als einzigen Bereich an, wo es klare Beweise gibt." und "Ich fuehle mich in einem Anzug unwohl." als Aussagen mit aequivalentem Meinungsinhalt betrachtest, hast Du mit Deinem Gleichnis recht. (Michail Bachmann zu Thomas Wallutis in d.a.s.r)
From: Volker Birk on 26 Feb 2006 03:05 Ken Sims <ng3122(a)kensims.#nospam#.net.invalid> wrote: > Personally I have KPF configured to block outbound ICMP [3] without > logging. Why? Yours, VB. -- Wenn Du "Ich sehe die Mathematik als einzigen Bereich an, wo es klare Beweise gibt." und "Ich fuehle mich in einem Anzug unwohl." als Aussagen mit aequivalentem Meinungsinhalt betrachtest, hast Du mit Deinem Gleichnis recht. (Michail Bachmann zu Thomas Wallutis in d.a.s.r)
From: Volker Birk on 26 Feb 2006 04:40 Dom <invalid(a)invalid.invalid> wrote: > Which would you consider more likely: A firewall that blocks echo > requests without stealthing udp 34000-35000 (or whatever the hell ports > it is) or a firewall that stealths udp and allows echo requests. Unclear. Yours, VB. -- Wenn Du "Ich sehe die Mathematik als einzigen Bereich an, wo es klare Beweise gibt." und "Ich fuehle mich in einem Anzug unwohl." als Aussagen mit aequivalentem Meinungsinhalt betrachtest, hast Du mit Deinem Gleichnis recht. (Michail Bachmann zu Thomas Wallutis in d.a.s.r)
From: Volker Birk on 26 Feb 2006 09:16
Dubious Dude <Shifty(a)eyes.com> wrote: [ICMP Type 3 filtering] > http://www.wilderssecurity.com/archive/index.php/t-1124.html > My DNS servers are dynamic. So what? > http://www.dslextreme.com/users/surferslim/tpf.html http://grcsucks.com > Also, I'm an end user. My firewall doesn't shield some kind of > LAN. There is really nothing to see behind the firewall. You're foozling the net by breaking protocols and even don't understand what you're doing here. Yours, VB. -- Wenn Du "Ich sehe die Mathematik als einzigen Bereich an, wo es klare Beweise gibt." und "Ich fuehle mich in einem Anzug unwohl." als Aussagen mit aequivalentem Meinungsinhalt betrachtest, hast Du mit Deinem Gleichnis recht. (Michail Bachmann zu Thomas Wallutis in d.a.s.r) |